From f82e0aaa6c63b24c30b722557db0e216dbb71783 Mon Sep 17 00:00:00 2001
From: James Carppe
Date: Wed, 9 Feb 2022 09:22:59 +1300
Subject: [PATCH] Add pre-prepared YAML files that enable encryption
---
 .../portainer/portainer-encryption.yaml | 159 ++++++++++++++++++
 .../portainer/portainer-lb-encryption.yaml | 155 +++++++++++++++++
 2 files changed, 314 insertions(+)
 create mode 100644 deploy/manifests/portainer/portainer-encryption.yaml
 create mode 100644 deploy/manifests/portainer/portainer-lb-encryption.yaml
diff --git a/deploy/manifests/portainer/portainer-encryption.yaml b/deploy/manifests/portainer/portainer-encryption.yaml
new file mode 100644
index 0000000..ecf378c
--- /dev/null
+++ b/deploy/manifests/portainer/portainer-encryption.yaml
@@ -0,0 +1,159 @@
+---
+# Source: portainer/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: portainer
+---
+# Source: portainer/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: portainer-sa-clusteradmin
+ namespace: portainer
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+---
+# Source: portainer/templates/pvc.yaml
+kind: "PersistentVolumeClaim"
+apiVersion: "v1"
+metadata:
+ name: portainer
+ namespace: portainer
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: "generic"
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "10Gi"
+---
+# Source: portainer/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: portainer
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: portainer
+ name: portainer-sa-clusteradmin
+---
+# Source: portainer/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: portainer
+ namespace: portainer
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ type: NodePort
+ ports:
+ - port: 9000
+ targetPort: 9000
+ protocol: TCP
+ name: http
+ nodePort: 30777
+ - port: 9443
+ targetPort: 9443
+ protocol: TCP
+ name: https
+ nodePort: 30779
+ - port: 30776
+ targetPort: 30776
+ protocol: TCP
+ name: edge
+ nodePort: 30776
+ selector:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+---
+# Source: portainer/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: portainer
+ namespace: portainer
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ replicas: 1
+ strategy:
+ type: "Recreate"
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ spec:
+ nodeSelector:
+ {}
+ serviceAccountName: portainer-sa-clusteradmin
+ volumes:
+ - name: "data"
+ persistentVolumeClaim:
+ claimName: portainer
+ - name: "secrets"
+ secret:
+ secretName: portainer-key
+ containers:
+ - name: portainer
+ image: "portainer/portainer-ce:latest"
+ imagePullPolicy: Always
+ args:
+ - '--tunnel-port=30776'
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: secrets
+ mountPath: "/run/secrets/portainer"
+ subPath: portainer
+ ports:
+ - name: http
+ containerPort: 9000
+ protocol: TCP
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ - name: tcp-edge
+ containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 9443
+ scheme: HTTPS
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 9443
+ scheme: HTTPS
+ resources:
+ {}
+
diff --git a/deploy/manifests/portainer/portainer-lb-encryption.yaml b/deploy/manifests/portainer/portainer-lb-encryption.yaml
new file mode 100644
index 0000000..9f300c2
--- /dev/null
+++ b/deploy/manifests/portainer/portainer-lb-encryption.yaml
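Review bot: The Deployment's `secrets` volume references a Secret `portainer-key` that nothing in this manifest creates or documents, so applying the file as-is leaves the pod waiting in ContainerCreating until that Secret exists, and the `subPath: portainer` additionally requires the Secret to carry a key named exactly `portainer`. A comment above the volume stating the prerequisite, e.g. `# Requires a pre-created Secret: kubectl -n portainer create secret generic portainer-key --from-file=portainer=<keyfile>`, would make the dependency explicit; since the mounted file is presumably the database encryption key, restricting its mode with `defaultMode: 0400` under `secret:` is also worth considering. Separately, the container declares `containerPort: 8000` for `tcp-edge` while `--tunnel-port=30776` and the Service's `targetPort: 30776` say the tunnel listens on 30776, so the containerPort should be 30776 to match. Note also that this ServiceAccount is bound to `cluster-admin` while the image is the mutable `portainer/portainer-ce:latest` with `imagePullPolicy: Always`; pinning a version tag or digest limits what a changed or compromised upstream tag can do with that binding.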
@@ -0,0 +1,155 @@
+---
+# Source: portainer/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: portainer
+---
+# Source: portainer/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: portainer-sa-clusteradmin
+ namespace: portainer
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+---
+# Source: portainer/templates/pvc.yaml
+kind: "PersistentVolumeClaim"
+apiVersion: "v1"
+metadata:
+ name: portainer
+ namespace: portainer
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: "generic"
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "10Gi"
+---
+# Source: portainer/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: portainer
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: portainer
+ name: portainer-sa-clusteradmin
+---
+# Source: portainer/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: portainer
+ namespace: portainer
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 9000
+ targetPort: 9000
+ protocol: TCP
+ name: http
+ - port: 9443
+ targetPort: 9443
+ protocol: TCP
+ name: https
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: edge
+ selector:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+---
+# Source: portainer/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: portainer
+ namespace: portainer
+ labels:
+ io.portainer.kubernetes.application.stack: portainer
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ app.kubernetes.io/version: "ce-latest-ee-2.10.0"
+spec:
+ replicas: 1
+ strategy:
+ type: "Recreate"
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: portainer
+ app.kubernetes.io/instance: portainer
+ spec:
+ nodeSelector:
+ {}
+ serviceAccountName: portainer-sa-clusteradmin
+ volumes:
+ - name: "data"
+ persistentVolumeClaim:
+ claimName: portainer
+ - name: "secrets"
+ secret:
+ secretName: portainer-key
+ containers:
+ - name: portainer
+ image: "portainer/portainer-ce:latest"
+ imagePullPolicy: Always
+ args:
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: secrets
+ mountPath: "/run/secrets/portainer"
+ subPath: portainer
+ ports:
+ - name: http
+ containerPort: 9000
+ protocol: TCP
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ - name: tcp-edge
+ containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 9443
+ scheme: HTTPS
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 9443
+ scheme: HTTPS
+ resources:
+ {}
+
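Review bot: The LoadBalancer Service publishes the plaintext `http` port 9000 next to `https` 9443, so on a cloud provider this typically exposes the Portainer login and API without TLS to anything that can reach the external address, which undercuts a manifest whose purpose is to enable encryption. Dropping the `- port: 9000` entry from the Service (and, if the Portainer version actually pulled supports it, passing `--http-disabled` in `args`) keeps the UI reachable only on 9443; the liveness and readiness probes already target 9443 over HTTPS, so nothing in this file depends on 9000. The Deployment's `args:` is left as a bare key, which parses as null; either remove it or write `args: []` so the intent is explicit. As in the NodePort variant, the `portainer-key` Secret referenced by the `secrets` volume is an undeclared prerequisite that must contain a key named `portainer` because of the `subPath`, which deserves a comment above the volume such as `# Requires a pre-created Secret: kubectl -n portainer create secret generic portainer-key --from-file=portainer=<keyfile>`.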