Add support for Kubernetes by deploying code-server, Contour for ingress

controller, and Cert Manager for Let's Encrypt certificates, with
persistent storage with AWS EBS volumes.

Signed-off-by: Steve Sloka <[email protected]>

Author: stevesloka

deployment/Dockerfile

@@ -0,0 +1,13 @@
+FROM golang:stretch
+WORKDIR /app
+RUN  apt-get update \
+  && apt-get install -y wget net-tools vim rsync \
+  && rm -rf /var/lib/apt/lists/*
+RUN wget https://github.com/$(wget https://github.com/codercom/code-server/releases/latest -O - | egrep '/.*/.*-linux.tar.gz' -o) \
+  && tar -xvzf * \
+  && cd * \
+  && chmod +x code-server \
+  && mv ./code-server /
+
+EXPOSE 8443
+CMD /code-server -p 8443

deployment/certmanager.yaml

@@ -0,0 +1,191 @@
+---
+# Source: cert-manager/templates/00-namespace.yaml
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "cert-manager"
+
+---
+# Source: cert-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+---
+# Source: cert-manager/templates/certificate-crd.yaml
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: certificates.certmanager.k8s.io
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Namespaced
+  names:
+    kind: Certificate
+    plural: certificates
+    shortNames:
+      - cert
+      - certs
+      
+---
+# Source: cert-manager/templates/clusterissuer-crd.yaml
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterissuers.certmanager.k8s.io
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  names:
+    kind: ClusterIssuer
+    plural: clusterissuers
+  scope: Cluster
+---
+# Source: cert-manager/templates/issuer-crd.yaml
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: issuers.certmanager.k8s.io
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  names:
+    kind: Issuer
+    plural: issuers
+  scope: Namespaced
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers", "clusterissuers"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    # TODO: remove endpoints once 0.4 is released. We include it here in case
+    # users use the 'master' version of the Helm chart with a 0.2.x release of
+    # cert-manager that still performs leader election with Endpoint resources.
+    # We advise users don't do this, but some will anyway and this will reduce
+    # friction.
+    resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
+    verbs: ["*"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/deployment.yaml
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: cert-manager
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.4.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager
+      release: cert-manager
+  template:
+    metadata:
+      labels:
+        app: cert-manager
+        release: cert-manager
+      annotations:
+    spec:
+      serviceAccountName: cert-manager
+      containers:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-controller:v0.4.1"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --cluster-resource-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=$(POD_NAMESPACE)
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    email: <emailAddress>
+    http01: {}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: cert-manager
+spec:
+  acme:
+    email: <emailAddress>
+    http01: {}
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+---

deployment/contour.yaml

@@ -0,0 +1,344 @@
+# This file is generated from the individual yaml files by deployment/render.sh.
+# Do not edit this file directly but instead edit the source files and
+# re-render.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: heptio-contour
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: contour
+  namespace: heptio-contour
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.contour.heptio.com
+  labels:
+    component: ingressroute
+spec:
+  group: contour.heptio.com
+  version: v1beta1
+  scope: Namespaced
+  names:
+    plural: ingressroutes
+    kind: IngressRoute
+  additionalPrinterColumns:
+    - name: FQDN
+      type: string
+      description: Fully qualified domain name
+      JSONPath: .spec.virtualhost.fqdn
+    - name: TLS Secret
+      type: string
+      description: Secret with TLS credentials
+      JSONPath: .spec.virtualhost.tls.secretName
+    - name: First route
+      type: string
+      description: First routes defined
+      JSONPath: .spec.routes[0].match
+    - name: Status
+      type: string
+      description: The current status of the IngressRoute
+      JSONPath: .status.currentStatus
+    - name: Status Description
+      type: string
+      description: Description of the current status
+      JSONPath: .status.description
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            virtualhost:
+              properties:
+                fqdn:
+                  type: string
+                  pattern: ^([a-zA-Z0-9]+(-[a-zA-Z0-9]+)*\.)+[a-z0-9]{2,}$
+                tls:
+                  properties:
+                    secretName:
+                      type: string
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
+                    minimumProtocolVersion:
+                      type: string
+                      enum:
+                        - "1.3"
+                        - "1.2"
+                        - "1.1"
+            strategy:
+              type: string
+              enum:
+                - RoundRobin
+                - WeightedLeastRequest
+                - Random
+                - RingHash
+                - Maglev
+            healthCheck:
+              type: object
+              required:
+                - path
+              properties:
+                path:
+                  type: string
+                  pattern: ^\/.*$
+                intervalSeconds:
+                  type: integer
+                timeoutSeconds:
+                  type: integer
+                unhealthyThresholdCount:
+                  type: integer
+                healthyThresholdCount:
+                  type: integer
+            routes:
+              type: array
+              items:
+                required:
+                  - match
+                properties:
+                  match:
+                    type: string
+                    pattern: ^\/.*$
+                  delegate:
+                    type: object
+                    required:
+                      - name
+                    properties:
+                      name:
+                        type: string
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
+                      namespace:
+                        type: string
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ # DNS-1123 label
+                  services:
+                    type: array
+                    items:
+                      type: object
+                      required:
+                        - name
+                        - port
+                      properties:
+                        name:
+                          type: string
+                          pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ # DNS-1035 label
+                        port:
+                          type: integer
+                        weight:
+                          type: integer
+                        strategy:
+                          type: string
+                          enum:
+                            - RoundRobin
+                            - WeightedLeastRequest
+                            - Random
+                            - RingHash
+                            - Maglev
+                        healthCheck:
+                          type: object
+                          required:
+                            - path
+                          properties:
+                            path:
+                              type: string
+                              pattern: ^\/.*$
+                            intervalSeconds:
+                              type: integer
+                            timeoutSeconds:
+                              type: integer
+                            unhealthyThresholdCount:
+                              type: integer
+                            healthyThresholdCount:
+                              type: integer
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlscertificatedelegations.contour.heptio.com
+  labels:
+    component: tlscertificatedelegation
+spec:
+  group: contour.heptio.com
+  version: v1beta1
+  scope: Namespaced
+  names:
+    plural: tlscertificatedelegations
+    kind: TLSCertificateDelegation
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: contour
+  name: contour
+  namespace: heptio-contour
+spec:
+  selector:
+    matchLabels:
+      app: contour
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: contour
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8002"
+        prometheus.io/path: "/stats"
+        prometheus.io/format: "prometheus"
+    spec:
+      containers:
+      - image: gcr.io/heptio-images/contour:v0.10.0
+        imagePullPolicy: Always
+        name: contour
+        command: ["contour"]
+        args: ["serve", "--incluster"]
+      - image: docker.io/envoyproxy/envoy-alpine:v1.9.0
+        name: envoy
+        ports:
+        - containerPort: 8080
+          name: http
+        - containerPort: 8443
+          name: https
+        command: ["envoy"]
+        args:
+        - --config-path /config/contour.json
+        - --service-cluster cluster0
+        - --service-node node0
+        - --log-level info
+        - --v2-config-only
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8002
+          initialDelaySeconds: 3
+          periodSeconds: 3
+        volumeMounts:
+        - name: contour-config
+          mountPath: /config
+        lifecycle:
+          preStop:
+            exec:
+              command: ["wget", "-qO-", "http://localhost:9001/healthcheck/fail"] 
+      initContainers:
+      - image: gcr.io/heptio-images/contour:master
+        imagePullPolicy: Always
+        name: envoy-initconfig
+        command: ["contour"]
+        args:
+        - bootstrap
+        # Uncomment the statsd-enable to enable statsd metrics
+        #- --statsd-enable
+        # Uncomment to set a custom stats emission address and port
+        #- --stats-address=0.0.0.0
+        #- --stats-port=8002
+        - /config/contour.json
+        volumeMounts:
+        - name: contour-config
+          mountPath: /config
+      volumes:
+      - name: contour-config
+        emptyDir: {}
+      dnsPolicy: ClusterFirst
+      serviceAccountName: contour
+      terminationGracePeriodSeconds: 30
+      # The affinity stanza below tells Kubernetes to try hard not to place 2 of
+      # these pods on the same node.
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app: contour
+              topologyKey: kubernetes.io/hostname
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: contour
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: contour
+subjects:
+- kind: ServiceAccount
+  name: contour
+  namespace: heptio-contour
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: contour
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["contour.heptio.com"]
+  resources: ["ingressroutes", "tlscertificatedelegations"]
+  verbs:
+  - get
+  - list
+  - watch
+  - put
+  - post
+  - patch
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: contour
+ namespace: heptio-contour
+ annotations:
+  # This annotation puts the AWS ELB into "TCP" mode so that it does not
+  # do HTTP negotiation for HTTPS connections at the ELB edge.
+  # The downside of this is the remote IP address of all connections will
+  # appear to be the internal address of the ELB. See docs/proxy-proto.md
+  # for information about enabling the PROXY protocol on the ELB to recover
+  # the original remote IP address.
+  service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+spec:
+ ports:
+ - port: 80
+   name: http
+   protocol: TCP
+   targetPort: 8080
+ - port: 443
+   name: https
+   protocol: TCP
+   targetPort: 8443
+ selector:
+   app: contour
+ type: LoadBalancer
+---

deployment/deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: code-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: code-server
+ namespace: code-server
+spec:
+ ports:
+ - port: 80
+   name: https
+   protocol: TCP
+ selector:
+   app: code-server
+ type: ClusterIP
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: gp2
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: kubernetes.io/aws-ebs
+parameters:
+  type: gp2
+  fsType: ext4 
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: steves-code
+  namespace: code-server
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 60Gi
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: code-server
+  name: code-server
+  namespace: code-server
+spec:
+  selector:
+    matchLabels:
+      app: code-server
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: code-server
+    spec:
+      containers:
+      - image: stevesloka/code-server
+        imagePullPolicy: Always
+        name: code-server
+        command: ["/code-server"]
+        args:
+        - /go/src
+        - --allow-http
+        - -p=80
+        - --cert=/certs/tls.crt
+        - --cert-key=/certs/tls.key
+        ports:
+        - containerPort: 80
+          name: http
+        volumeMounts:
+        - name: code-server-storage
+          mountPath: /go/src
+        - name: code-server-certs
+          mountPath: "/certs"
+      volumes:
+      - name: code-server-storage
+        persistentVolumeClaim:
+          claimName: steves-code
+      - name: code-server-certs
+        secret:
+          secretName: code-server

deployment/ingress.yaml

@@ -0,0 +1,39 @@
+
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: code-server
+  namespace: code-server
+spec:
+  secretName: code-server
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  commonName: code.example.com
+  dnsNames:
+  - code.example.com
+  acme:
+    config:
+    - http01:
+        ingressClass: contour
+      domains:
+      - code.example.com
+---
+apiVersion: contour.heptio.com/v1beta1
+kind: IngressRoute
+metadata: 
+  labels:
+    app: code-server
+  name: code-server
+  namespace: code-server
+spec: 
+  virtualhost:
+    fqdn: code.example.com
+    tls:
+      secretName: code-server
+  routes: 
+    - match: /
+      enableWebsockets: true
+      services: 
+        - name: code-server 
+          port: 80