From 62519629e1ca3c66ab9226da256383ecf8e1c5da Mon Sep 17 00:00:00 2001 
From: Kenny Blanckaert Date: Sat, 11 Feb 2023 12:01:12 +0100 Subject: [PATCH] Chisel Server in Kubernetes with horizontal pod scaling using Prometheus metrics endpoint --- .gitignore | 34 -- kubernetes/README.md | 226 +++++++++ kubernetes/chisel/deployment.yml | 43 ++ .../chisel/horizontal-pod-autoscaler.yml | 23 + kubernetes/chisel/persistant-volume-claim.yml | 12 + kubernetes/chisel/persistant-volume.yml | 22 + kubernetes/chisel/service.yml | 23 + kubernetes/chisel/storage-class.yml | 6 + kubernetes/dashboard/cluster-role-binding.yml | 12 + .../dashboard/kubernetes-dashboard-v2.6.1.yml | 477 ++++++++++++++++++ kubernetes/dashboard/secret.yml | 8 + kubernetes/dashboard/service-account.yml | 5 + kubernetes/ingress/helm/values.yml | 7 + kubernetes/ingress/ingress.yml | 24 + kubernetes/prometheus/adapter/helm/values.yml | 4 + {.github => src/.github}/dependabot.yml | 0 {.github => src/.github}/goreleaser.yml | 0 {.github => src/.github}/workflows/ci.yml | 0 Dockerfile => src/Dockerfile | 0 LICENSE => src/LICENSE | 0 Makefile => src/Makefile | 0 README.md => src/README.md | 2 + {client => src/client}/client.go | 0 {client => src/client}/client_connect.go | 0 {client => src/client}/client_test.go | 0 {example => src/example}/Flyfile | 0 {example => src/example}/fly.toml | 0 .../reverse-tunneling-authenticated.md | 0 {example => src/example}/users.json | 0 go.mod => src/go.mod | 0 go.sum => src/go.sum | 0 main.go => src/main.go | 3 + {server => src/server}/server.go | 5 + {server => src/server}/server_handler.go | 2 + {server => src/server}/server_listen.go | 0 src/server/server_metrics.go | 32 ++ {share => src/share}/ccrypto/determ_rand.go | 0 {share => src/share}/ccrypto/keys.go | 0 {share => src/share}/cio/logger.go | 0 {share => src/share}/cio/pipe.go | 0 {share => src/share}/cio/stdio.go | 0 {share => src/share}/cnet/conn_rwc.go | 0 {share => src/share}/cnet/conn_ws.go | 0 {share => src/share}/cnet/connstats.go | 0 {share => src/share}/cnet/http_server.go | 0 
{share => src/share}/cnet/meter.go | 0 {share => src/share}/compat.go | 0 {share => src/share}/cos/common.go | 0 {share => src/share}/cos/pprof.go | 0 {share => src/share}/cos/signal.go | 0 {share => src/share}/cos/signal_windows.go | 0 {share => src/share}/settings/config.go | 0 {share => src/share}/settings/env.go | 0 {share => src/share}/settings/remote.go | 0 {share => src/share}/settings/remote_test.go | 0 {share => src/share}/settings/user.go | 0 {share => src/share}/settings/users.go | 0 {share => src/share}/tunnel/tunnel.go | 0 .../share}/tunnel/tunnel_in_proxy.go | 0 .../share}/tunnel/tunnel_in_proxy_udp.go | 0 {share => src/share}/tunnel/tunnel_out_ssh.go | 0 .../share}/tunnel/tunnel_out_ssh_udp.go | 0 {share => src/share}/tunnel/udp.go | 0 {share => src/share}/tunnel/wg.go | 0 {share => src/share}/version.go | 0 {test => src/test}/bench/main.go | 0 {test => src/test}/bench/perf.md | 0 {test => src/test}/bench/userfile | 0 {test => src/test}/e2e/auth_test.go | 0 {test => src/test}/e2e/base_test.go | 0 {test => src/test}/e2e/cert_utils_test.go | 0 {test => src/test}/e2e/proxy_test.go | 0 {test => src/test}/e2e/setup_test.go | 0 {test => src/test}/e2e/socks_test.go | 0 {test => src/test}/e2e/tls_test.go | 0 {test => src/test}/e2e/udp_test.go | 0 76 files changed, 936 insertions(+), 34 deletions(-) delete mode 100644 .gitignore create mode 100644 kubernetes/README.md create mode 100644 kubernetes/chisel/deployment.yml create mode 100644 kubernetes/chisel/horizontal-pod-autoscaler.yml create mode 100644 kubernetes/chisel/persistant-volume-claim.yml create mode 100644 kubernetes/chisel/persistant-volume.yml create mode 100644 kubernetes/chisel/service.yml create mode 100644 kubernetes/chisel/storage-class.yml create mode 100644 kubernetes/dashboard/cluster-role-binding.yml create mode 100644 kubernetes/dashboard/kubernetes-dashboard-v2.6.1.yml create mode 100644 kubernetes/dashboard/secret.yml create mode 100644 kubernetes/dashboard/service-account.yml create 
mode 100644 kubernetes/ingress/helm/values.yml create mode 100644 kubernetes/ingress/ingress.yml create mode 100644 kubernetes/prometheus/adapter/helm/values.yml rename {.github => src/.github}/dependabot.yml (100%) rename {.github => src/.github}/goreleaser.yml (100%) rename {.github => src/.github}/workflows/ci.yml (100%) rename Dockerfile => src/Dockerfile (100%) rename LICENSE => src/LICENSE (100%) rename Makefile => src/Makefile (100%) rename README.md => src/README.md (99%) rename {client => src/client}/client.go (100%) rename {client => src/client}/client_connect.go (100%) rename {client => src/client}/client_test.go (100%) rename {example => src/example}/Flyfile (100%) rename {example => src/example}/fly.toml (100%) rename {example => src/example}/reverse-tunneling-authenticated.md (100%) rename {example => src/example}/users.json (100%) rename go.mod => src/go.mod (100%) rename go.sum => src/go.sum (100%) rename main.go => src/main.go (99%) rename {server => src/server}/server.go (98%) rename {server => src/server}/server_handler.go (99%) rename {server => src/server}/server_listen.go (100%) create mode 100644 src/server/server_metrics.go rename {share => src/share}/ccrypto/determ_rand.go (100%) rename {share => src/share}/ccrypto/keys.go (100%) rename {share => src/share}/cio/logger.go (100%) rename {share => src/share}/cio/pipe.go (100%) rename {share => src/share}/cio/stdio.go (100%) rename {share => src/share}/cnet/conn_rwc.go (100%) rename {share => src/share}/cnet/conn_ws.go (100%) rename {share => src/share}/cnet/connstats.go (100%) rename {share => src/share}/cnet/http_server.go (100%) rename {share => src/share}/cnet/meter.go (100%) rename {share => src/share}/compat.go (100%) rename {share => src/share}/cos/common.go (100%) rename {share => src/share}/cos/pprof.go (100%) rename {share => src/share}/cos/signal.go (100%) rename {share => src/share}/cos/signal_windows.go (100%) rename {share => src/share}/settings/config.go (100%) rename {share => 
src/share}/settings/env.go (100%) rename {share => src/share}/settings/remote.go (100%) rename {share => src/share}/settings/remote_test.go (100%) rename {share => src/share}/settings/user.go (100%) rename {share => src/share}/settings/users.go (100%) rename {share => src/share}/tunnel/tunnel.go (100%) rename {share => src/share}/tunnel/tunnel_in_proxy.go (100%) rename {share => src/share}/tunnel/tunnel_in_proxy_udp.go (100%) rename {share => src/share}/tunnel/tunnel_out_ssh.go (100%) rename {share => src/share}/tunnel/tunnel_out_ssh_udp.go (100%) rename {share => src/share}/tunnel/udp.go (100%) rename {share => src/share}/tunnel/wg.go (100%) rename {share => src/share}/version.go (100%) rename {test => src/test}/bench/main.go (100%) rename {test => src/test}/bench/perf.md (100%) rename {test => src/test}/bench/userfile (100%) rename {test => src/test}/e2e/auth_test.go (100%) rename {test => src/test}/e2e/base_test.go (100%) rename {test => src/test}/e2e/cert_utils_test.go (100%) rename {test => src/test}/e2e/proxy_test.go (100%) rename {test => src/test}/e2e/setup_test.go (100%) rename {test => src/test}/e2e/socks_test.go (100%) rename {test => src/test}/e2e/tls_test.go (100%) rename {test => src/test}/e2e/udp_test.go (100%) diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 6a4d3f15..00000000 --- a/.gitignore +++ /dev/null @@ -1,34 +0,0 @@ -dist/ -*.swp -.idea/ -chisel -bin/ -release/ -tmp/ -*.orig -debug - -# Compiled Object files, Static and Dynamic libs (Shared Objects) -*.o -*.a -*.so - -# Folders -_obj -_test - -# Architecture specific extensions/prefixes -*.[568vq] -[568vq].out - -*.cgo1.go -*.cgo2.c -_cgo_defun.c -_cgo_gotypes.go -_cgo_export.* - -_testmain.go - -*.exe -*.test -*.prof diff --git a/kubernetes/README.md b/kubernetes/README.md new file mode 100644 index 00000000..3651fbce --- /dev/null +++ b/kubernetes/README.md 
@@ -0,0 +1,226 @@ +# Kubernetes + +  +## Installation + +### kubectl + +Use the following (Ubuntu) repository to install kubectl +``` +sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg +echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list +sudo apt update +sudo apt install kubectl +``` + +### minikube +Use the following (Ubuntu) repository to install minikube + +``` +wget https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 +sudo cp minikube-linux-amd64 /usr/local/bin/minikube +sudo chmod 755 /usr/local/bin/minikube +``` + +### helm +Use the following (Ubuntu) repository to install helm + +``` +curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null +sudo apt-get install apt-transport-https --yes +echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list +sudo apt-get update +sudo apt-get install helm +``` + +  +## Other requirements + +Minikube won't be able to use docker as sudo. +Therefor, your user should be able to use docker without sudo permissions. +Run the following command to allow this: + +``` +sudo usermod -aG docker $USER && newgrp docker +``` + +Build the docker image inside the minikube environment + +``` +eval $(minikube docker-env) +cd chisel/src +sudo docker build -t jpillora/chisel . +``` + +  +## Usage + +### The cluster + +We'll use Kubernetes (minikube) with the docker driver. This will deploy a minikube docker container. 
+A directory, here "/kubernetes" (with all required Kubernetes data), on the host will be mounted to the minikube container, for example: + +``` +$tree /kubernetes/ + +/kubernetes/ # Permissions rwxrwxrwx (755) +└── chisel + ├── certs + │   ├── chisel.crt + │   ├── chisel.csr + │   ├── chisel.key + │   ├── root.crt + │   ├── root.key + │   └── root.srl + └── config + └── users.json # Make sure user configuration is complete. +``` + +This allows to further mount this directory as persistent volume across pods. +See it as volumes in docker but shared across containers. + +``` +minikube start --driver=docker --mount-string=/kubernetes:/kubernetes --mount + +# Cluster status +minikube status + +# Stop the minikube container +minikube stop + +# Delete the minikube container (including all kubernetes objects) +minikube delete +``` + +  +### The environment + + +The Kubernetes deployment consist of the following objects: + +![Chisel environment](https://www.weave.works/assets/images/blt0ac8a1e3751df7e9/k8s-hpa.png) + +* Ingress (aka Nginx) exposing a part of the setup to the outside world +* Chisel environment + * Kubernetes Service Loadbalancer in IPVS mode (least connections) + * Deployment + * ReplicaSet + * HorizontalPodAutoScaler + * Pods + * PersistentVolume +* Prometheus + * Prometheus Server + * Prometheus Adapter +* Kubernetes Dashboard + +  +To deploy everything, use the following commands: + +``` +# Deploy Chisel environment +kubectl apply -f kubernetes/chisel/ + +# Deploy Ingress Controller +minikube addons enable ingress +helm repo add nginx-stable https://helm.nginx.com/stable +helm repo update +helm install ingress nginx-stable/nginx-ingress -n ingress-nginx --create-namespace -f kubernetes/ingress/helm/values.yml +kubectl apply -f kubernetes/ingress + +# Deploy Prometheus +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +helm install prometheus prometheus-community/prometheus –namespace prometheus 
--create-namespace +helm install prometheus-adapter prometheus-community/prometheus-adapter -n prometheus --create-namespace -f kubernetes/prometheus/adapter/helm/values.yml + +# Deploy Kubernetes Dashboard +kubectl apply -f kubernetes/dashboard/ + +# Connect +./chisel client --auth "user:password" --tls-skip-verify --fingerprint -v +``` + +Enable modules on the host: + +``` +sudo modprobe -a ip_vs ip_vs_rr ip_vs_lc ip_vs_wrr ip_vs_sh +``` + +Or, create the file /etc/modules-load.d/ipvs-kube-proxy with the following content (and reboot, for the modules to be loaded): + +``` +ip_vs +ip_vs_rr +ip_vs_lc +ip_vs_wrr +ip_vs_sh +``` + +Now, enable IPVS mode on the kube-proxy. Put the scheduler on "lc" (least connections). +Of course, the existing kube-proxy keeps working with the old configuration. Delete the pod and Kubernetes will automatically re-create it, with the new configuration. +Verify that the kube-proxy activated IPVS + +``` +kubectl edit configmap kube-proxy -n kube-system +# ... +# mode: "ipvs" +# ipvs: +# scheduler: "lc" +# ... + +kubectl get pods -n kube-system +kubectl delete pod -n kube-system kube-proxy-${ID} +kubectl get pods -n kube-system +kubectl logs kube-proxy-${ID} -n kube-system +# ... +# "Using ipvs Proxier" +# ... +``` + +  +### Monitoring + +``` +# List objects in the default namespace +kubectl get nodes +kubectl get deployments +kubectl get pods +kubectl get pv +kubectl get pvc +kubectl get service +kubectl get ingress +kubectl get rs +kubectl get hpa +kubectl get cm + +# To list everything use the -A option +# To list a specific namespace use -n ... 
+# 'get' can be replaced by 'describe' to get more detailed information + +# Expose Kubernetes Dashboard +kubectl proxy + +# Generate token +kubectl describe secret admin-user -n kubernetes-dashboard | grep 'token:' + +# Kubernetes Dashboard URL +# http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/ingress?namespace=default + +# Chisel Prometheus metrics +docker ps -a +kubectl get pods -o wide +docker exec -it curl http://:9113/metrics + +# Or easier +kubectl get pods -o wide +minikube ssh +curl http://:9113/metrics + +# sessions mentioned match with ipvs connections in minikube proxy +# ipvsadm will have to be installed first +# +# There should be a section with the IP address of the Kubernetes Services, with all pod endpoints listed underneath. +# Number of connections on each pod, should match the 'chisel_number_of_active_sessions' metric. (unless somebody is requesting the metrics (:9113/metrics) from the service ;-)) +minikube ssh +sudo ipvsadm +``` diff --git a/kubernetes/chisel/deployment.yml b/kubernetes/chisel/deployment.yml new file mode 100644 index 00000000..03777d30 --- /dev/null +++ b/kubernetes/chisel/deployment.yml 
@@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: chisel + name: chisel +spec: + replicas: 2 + selector: + matchLabels: + app: chisel + template: + metadata: + labels: + app: chisel + spec: + containers: + - name: chisel + image: jpillora/chisel:latest + imagePullPolicy: Never + env: + - name: PORT + value: "443" + - name: CHISEL_KEY + value: "YourKey" + args: + - "server" + - "--socks5" + - "--metrics" + - "--keepalive=5s" + - "--tls-key=/app/data/certs/chisel.key" + - "--tls-cert=/app/data/certs/chisel.crt" + - "--authfile=/app/data/config/users.json" + ports: + - containerPort: 443 + - containerPort: 9113 + volumeMounts: + - name: local-persistent-storage + mountPath: /app/data + volumes: + - name: local-persistent-storage + persistentVolumeClaim: + claimName: persistent-volume-claim diff --git a/kubernetes/chisel/horizontal-pod-autoscaler.yml b/kubernetes/chisel/horizontal-pod-autoscaler.yml new file mode 100644 index 00000000..85b9369b --- /dev/null +++ b/kubernetes/chisel/horizontal-pod-autoscaler.yml @@ -0,0 +1,23 @@ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: chisel-hpa +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: chisel + minReplicas: 2 + maxReplicas: 10 + metrics: + - type: Object + object: + metric: + name: chisel_number_of_active_sessions + describedObject: + apiVersion: v1 + kind: Service + name: chisel-service + target: + type: AverageValue + averageValue: 10 diff --git a/kubernetes/chisel/persistant-volume-claim.yml b/kubernetes/chisel/persistant-volume-claim.yml new file mode 100644 index 00000000..483cce77 --- /dev/null +++ b/kubernetes/chisel/persistant-volume-claim.yml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: persistent-volume-claim +spec: + volumeName: persistent-volume + accessModes: + - ReadWriteOnce + storageClassName: local-storage + resources: + requests: + storage: 1Gi 
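Review bot: The server key seed is committed in plain text at `- name: CHISEL_KEY` / `value: "YourKey"`; as far as I can tell from chisel's `--key` option this is the seed from which the server's host key pair is deterministically derived, so anyone who can read this manifest or its git history can reproduce the key and impersonate the server to clients that pin it with `--fingerprint`. Take the value from a Secret instead, `valueFrom: {secretKeyRef: {name: chisel-server-key, key: key}}`, and generate it per environment rather than applying the placeholder as-is. The TLS key and `users.json` under `/app/data` arrive through a node-local PV in this same commit, so their protection is whatever mode the host directory happens to have; a `kubernetes.io/tls` Secret for the cert/key and a Secret for the authfile, both mounted `readOnly: true`, would be the conventional home. The container also has no `securityContext`, unlike the dashboard manifests in this commit which set `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a non-root `runAsUser`; if the image runs as non-root, `PORT=443` additionally needs either `NET_BIND_SERVICE` or an unprivileged port (the Service can keep exposing 443 via `targetPort`), so it is worth settling now.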
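Review bot: Scaling down a tunnel server drops every session on the evicted pod, and this HPA leaves `behavior` unset, so the autoscaling/v2 default scale-down policy (a 300 s stabilization window and up to 100 % of replicas per 15 s, if I recall the defaults correctly) can remove half the fleet as soon as `chisel_number_of_active_sessions` dips below `averageValue: 10` per pod. Add `behavior: {scaleDown: {stabilizationWindowSeconds: 600, policies: [{type: Pods, value: 1, periodSeconds: 120}]}}` so replicas go away one at a time, and pair it with a `terminationGracePeriodSeconds` on the Deployment long enough for clients to reconnect. A comment above `metrics:` noting that the Object metric is the Service-level session total divided by pod count would also help, since `AverageValue` against a `Service` is easy to misread as a per-service threshold.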
diff --git a/kubernetes/chisel/persistant-volume.yml b/kubernetes/chisel/persistant-volume.yml new file mode 100644 index 00000000..4133ffcb --- /dev/null +++ b/kubernetes/chisel/persistant-volume.yml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: persistent-volume +spec: + capacity: + storage: 1Gi + volumeMode: Filesystem + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: local-storage + local: + path: /kubernetes/chisel + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - minikube diff --git a/kubernetes/chisel/service.yml b/kubernetes/chisel/service.yml new file mode 100644 index 00000000..bda7afef --- /dev/null +++ b/kubernetes/chisel/service.yml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: chisel-service + name: chisel-service + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: "true" + prometheus.io/port: "http" +spec: + type: ClusterIP + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: http + port: 9113 + protocol: TCP + targetPort: 9113 + selector: + app: chisel diff --git a/kubernetes/chisel/storage-class.yml b/kubernetes/chisel/storage-class.yml new file mode 100644 index 00000000..e6ce6fbf --- /dev/null +++ b/kubernetes/chisel/storage-class.yml @@ -0,0 +1,6 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-storage +provisioner: kubernetes.io/no-provisioner +volumeBindingMode: WaitForFirstConsumer diff --git a/kubernetes/dashboard/cluster-role-binding.yml b/kubernetes/dashboard/cluster-role-binding.yml new file mode 100644 index 00000000..6db3be51 --- /dev/null +++ b/kubernetes/dashboard/cluster-role-binding.yml 
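Review bot: `local: path: /kubernetes/chisel` mounts a host directory that, per the tree shown in this commit's README, holds not only `chisel.key` but also `root.key`, the CA's private key; the CA key has no reason to be on a volume mounted into every chisel replica, since the server only needs its own `chisel.key`/`chisel.crt`. Keep `root.key` off the node entirely and mount only the leaf cert/key (ideally via a `kubernetes.io/tls` Secret), and note that a `local` PV inherits the host directory's permissions, so the README's "rwxrwxrwx" remark should become `chmod 600` on the key files and `0750` on the directory. Separately, the Deployment runs `replicas: 2` (up to 10 via the HPA) against a single `ReadWriteOnce` PVC, which only works because `nodeAffinity` pins everything to the one `minikube` node; a comment above `accessModes:` such as `# single-node layout: RWO is shared by all replicas only because they are pinned to one node` would save the next person from trying this on a multi-node cluster.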
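Review bot: `prometheus.io/port: "http"` names a port where the convention, and if I read the prometheus-community chart's default `kubernetes-service-endpoints` relabeling right its `(\d+)` regex, expects a number, so the annotation is likely ignored and Prometheus will scrape whatever endpoint ports it discovers, including 443, where a plain-HTTP scrape will fail. Use `prometheus.io/port: "9113"` and rename the port from `http` to `metrics` so nobody reads 9113 as the web entry point. The metrics port is plaintext and unauthenticated; that is acceptable on a `ClusterIP` Service, but it means `chisel_number_of_active_sessions` and any metric added later is readable from every pod in the cluster, so a NetworkPolicy admitting only the Prometheus namespace on 9113 is worth adding alongside.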
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: admin-user + namespace: kubernetes-dashboard diff --git a/kubernetes/dashboard/kubernetes-dashboard-v2.6.1.yml b/kubernetes/dashboard/kubernetes-dashboard-v2.6.1.yml new file mode 100644 index 00000000..9466251e --- /dev/null +++ b/kubernetes/dashboard/kubernetes-dashboard-v2.6.1.yml 
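Review bot: Binding `admin-user` to `cluster-admin` (`name: cluster-admin` under `roleRef:`) hands the dashboard login token unrestricted control of the cluster, and the companion `secret.yml` in this commit makes that token non-expiring, so a leaked bearer token (the README also prints it in the clear via `kubectl describe secret admin-user`) is a permanent cluster takeover. For a demo whose README only inspects objects in `default`, bind to the built-in `view` ClusterRole, or use a `RoleBinding` in the `default` namespace with `kind: ClusterRole` / `name: edit`, and keep `cluster-admin` for a break-glass identity that is not checked into git. At minimum add a comment above `roleRef:` such as `# cluster-admin is for a throwaway minikube only; never apply this binding to a shared cluster`.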
@@ -0,0 +1,477 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Namespace + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"name":"kubernetes-dashboard"}} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + kubernetes.io/metadata.name: kubernetes-dashboard + name: kubernetes-dashboard + resourceVersion: "773" + uid: 91ba55ca-7568-4a91-8404-7c1e37a5676a + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"}} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "776" + uid: 42dee519-3148-4a01-8290-b7896e6aa543 +- apiVersion: v1 + kind: Service + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "778" + uid: eb4aa85c-d44b-4c2e-81d1-9daddf81ab7c + spec: + clusterIP: 10.97.159.105 + clusterIPs: + - 10.97.159.105 + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + sessionAffinity: None + type: ClusterIP + status: + loadBalancer: {} +- apiVersion: 
v1 + kind: Secret + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard-certs","namespace":"kubernetes-dashboard"},"type":"Opaque"} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kubernetes-dashboard + resourceVersion: "781" + uid: 6db54de5-42b9-45e8-9743-f27b8dc3fb34 + type: Opaque +- apiVersion: v1 + data: + csrf: "" + kind: Secret + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","data":{"csrf":""},"kind":"Secret","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard-csrf","namespace":"kubernetes-dashboard"},"type":"Opaque"} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kubernetes-dashboard + resourceVersion: "925" + uid: 12234553-bcea-4cf3-98c2-3a57a4a3af1e + type: Opaque +- apiVersion: v1 + data: + priv: 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 + pub: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBc24wVVlMMUdKYStMb3VZazhJb1UKdGVFbEszVXRTa1czcmhLa2RHWldzTC9yV2dXUGZseVAybFdKZU9aUTJGQ1daK2czdllUSFBsVGlUUnhVQVZrSQpVU0lpaUlnelNneHBJQWs0dkxGektFWWZocHBSS2xsMGJGVGNianRPaXZPbEw1YjFqNDlkZ2p6SlkxMGd5UG1NCkR4a0dCa1FxRk9wVzN3bTBDdnlqbEhNL0dNU1FIMXZQc21sb2NSV0djalZhQ3JZVUFjRkFpbTVoKzJkbkNVNSsKUU92YVRkSjU1bWM2V0M3T010bXRGNGpPbk81NVZ2SmoxUjN6MmdnZGg2d2tBOCsrZUN0ck1FM3QxTUl2bFhLRwpVcHVrQTV0RktDNmdURnhibFllRXdKU1JkMlAyOGsxWXZrb2JZVnZjT0lSd0ZnZVFTSUJwMWpzQ3ExeDlQWUg4CkV3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K + kind: Secret + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + 
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard-key-holder","namespace":"kubernetes-dashboard"},"type":"Opaque"} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard + resourceVersion: "926" + uid: c6c4db09-18cd-4767-83ec-0909ca368884 + type: Opaque +- apiVersion: v1 + kind: ConfigMap + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard-settings","namespace":"kubernetes-dashboard"}} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard + resourceVersion: "784" + uid: 8f7bd8be-de6d-4697-877e-1542554e3d24 +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"rules":[{"apiGroups":[""],"resourceNames":["kubernetes-dashboard-key-holder","kubernetes-dashboard-certs","kubernetes-dashboard-csrf"],"resources":["secrets"],"verbs":["get","update","delete"]},{"apiGroups":[""],"resourceNames":["kubernetes-dashboard-settings"],"resources":["configmaps"],"verbs":["get","update"]},{"apiGroups":[""],"resourceNames":["heapster","dashboard-metrics-scraper"],"resources":["services"],"verbs":["proxy"]},{"apiGroups":[""],"resourceNames":["heapster","http:heapster:","https:heapster:","dashboard-metrics-scraper","http:dashboard-metrics-scraper"],"resources":["services/proxy"],"verbs":["get"]}]} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: 
+ k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "785" + uid: 4f68a72d-66c1-48fe-91cd-be899da9959a + rules: + - apiGroups: + - "" + resourceNames: + - kubernetes-dashboard-key-holder + - kubernetes-dashboard-certs + - kubernetes-dashboard-csrf + resources: + - secrets + verbs: + - get + - update + - delete + - apiGroups: + - "" + resourceNames: + - kubernetes-dashboard-settings + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - "" + resourceNames: + - heapster + - dashboard-metrics-scraper + resources: + - services + verbs: + - proxy + - apiGroups: + - "" + resourceNames: + - heapster + - 'http:heapster:' + - 'https:heapster:' + - dashboard-metrics-scraper + - http:dashboard-metrics-scraper + resources: + - services/proxy + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard"},"rules":[{"apiGroups":["metrics.k8s.io"],"resources":["pods","nodes"],"verbs":["get","list","watch"]}]} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + resourceVersion: "786" + uid: ad8d0212-6f72-4c5b-8692-6421bb2011ea + rules: + - apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + 
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"kubernetes-dashboard"},"subjects":[{"kind":"ServiceAccount","name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"}]} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "787" + uid: b9b392da-482f-4cf4-b666-6da59a2ca935 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard + subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"kubernetes-dashboard"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubernetes-dashboard"},"subjects":[{"kind":"ServiceAccount","name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"}]} + creationTimestamp: "2022-10-28T11:47:00Z" + name: kubernetes-dashboard + resourceVersion: "788" + uid: dba9883e-efae-48d2-8f81-6871e76fe967 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard + subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard +- apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: | + 
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"spec":{"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"k8s-app":"kubernetes-dashboard"}},"template":{"metadata":{"labels":{"k8s-app":"kubernetes-dashboard"}},"spec":{"containers":[{"args":["--auto-generate-certificates","--namespace=kubernetes-dashboard"],"image":"kubernetesui/dashboard:v2.6.1","imagePullPolicy":"Always","livenessProbe":{"httpGet":{"path":"/","port":8443,"scheme":"HTTPS"},"initialDelaySeconds":30,"timeoutSeconds":30},"name":"kubernetes-dashboard","ports":[{"containerPort":8443,"protocol":"TCP"}],"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":2001,"runAsUser":1001},"volumeMounts":[{"mountPath":"/certs","name":"kubernetes-dashboard-certs"},{"mountPath":"/tmp","name":"tmp-volume"}]}],"nodeSelector":{"kubernetes.io/os":"linux"},"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},"serviceAccountName":"kubernetes-dashboard","tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}],"volumes":[{"name":"kubernetes-dashboard-certs","secret":{"secretName":"kubernetes-dashboard-certs"}},{"emptyDir":{},"name":"tmp-volume"}]}}}} + creationTimestamp: "2022-10-28T11:47:00Z" + generation: 1 + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "866" + uid: bb0df7df-7068-43fa-8f12-6e99e45344f4 + spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + image: 
kubernetesui/dashboard:v2.6.1 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 30 + name: kubernetes-dashboard + ports: + - containerPort: 8443 + protocol: TCP + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 2001 + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: kubernetes-dashboard-certs + - mountPath: /tmp + name: tmp-volume + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccount: kubernetes-dashboard + serviceAccountName: kubernetes-dashboard + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - name: kubernetes-dashboard-certs + secret: + defaultMode: 420 + secretName: kubernetes-dashboard-certs + - emptyDir: {} + name: tmp-volume + status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2022-10-28T11:47:35Z" + lastUpdateTime: "2022-10-28T11:47:35Z" + message: Deployment has minimum availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2022-10-28T11:47:00Z" + lastUpdateTime: "2022-10-28T11:47:35Z" + message: ReplicaSet "kubernetes-dashboard-66c887f759" has successfully progressed. 
+ reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 1 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 +- apiVersion: v1 + kind: Service + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"dashboard-metrics-scraper"},"name":"dashboard-metrics-scraper","namespace":"kubernetes-dashboard"},"spec":{"ports":[{"port":8000,"targetPort":8000}],"selector":{"k8s-app":"dashboard-metrics-scraper"}}} + creationTimestamp: "2022-10-28T11:47:00Z" + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard + resourceVersion: "794" + uid: 0f776cec-140c-408c-bb79-e5693e4e3431 + spec: + clusterIP: 10.99.132.57 + clusterIPs: + - 10.99.132.57 + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - port: 8000 + protocol: TCP + targetPort: 8000 + selector: + k8s-app: dashboard-metrics-scraper + sessionAffinity: None + type: ClusterIP + status: + loadBalancer: {} +- apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: | + 
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"dashboard-metrics-scraper"},"name":"dashboard-metrics-scraper","namespace":"kubernetes-dashboard"},"spec":{"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"k8s-app":"dashboard-metrics-scraper"}},"template":{"metadata":{"labels":{"k8s-app":"dashboard-metrics-scraper"}},"spec":{"containers":[{"image":"kubernetesui/metrics-scraper:v1.0.8","livenessProbe":{"httpGet":{"path":"/","port":8000,"scheme":"HTTP"},"initialDelaySeconds":30,"timeoutSeconds":30},"name":"dashboard-metrics-scraper","ports":[{"containerPort":8000,"protocol":"TCP"}],"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":2001,"runAsUser":1001},"volumeMounts":[{"mountPath":"/tmp","name":"tmp-volume"}]}],"nodeSelector":{"kubernetes.io/os":"linux"},"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},"serviceAccountName":"kubernetes-dashboard","tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}],"volumes":[{"emptyDir":{},"name":"tmp-volume"}]}}}} + creationTimestamp: "2022-10-28T11:47:00Z" + generation: 1 + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard + resourceVersion: "840" + uid: 3aa0b715-6f68-41f0-8830-2fd0b9731a9d + spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + k8s-app: dashboard-metrics-scraper + spec: + containers: + - image: kubernetesui/metrics-scraper:v1.0.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: 8000 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 30 + name: dashboard-metrics-scraper + 
ports: + - containerPort: 8000 + protocol: TCP + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 2001 + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: tmp-volume + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccount: kubernetes-dashboard + serviceAccountName: kubernetes-dashboard + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - emptyDir: {} + name: tmp-volume + status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2022-10-28T11:47:11Z" + lastUpdateTime: "2022-10-28T11:47:11Z" + message: Deployment has minimum availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2022-10-28T11:47:00Z" + lastUpdateTime: "2022-10-28T11:47:11Z" + message: ReplicaSet "dashboard-metrics-scraper-64bcc67c9c" has successfully + progressed. + reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 1 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 +kind: List +metadata: {} diff --git a/kubernetes/dashboard/secret.yml b/kubernetes/dashboard/secret.yml new file mode 100644 index 00000000..68d64e1b --- /dev/null +++ b/kubernetes/dashboard/secret.yml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: admin-user + namespace: kubernetes-dashboard + annotations: + kubernetes.io/service-account.name: "admin-user" diff --git a/kubernetes/dashboard/service-account.yml b/kubernetes/dashboard/service-account.yml new file mode 100644 index 00000000..54cabb72 --- /dev/null +++ b/kubernetes/dashboard/service-account.yml 
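Review bot: The `kubernetes.io/service-account-token` Secret for `admin-user` materialises a non-expiring bearer token in etcd and in `kubectl get secret` output, and the diffstat lists a `cluster-role-binding.yml` for this namespace, so if that binding grants cluster-admin (not visible here) this file creates a permanent cluster-admin credential that anyone with read access to the namespace's Secrets can lift. Since Kubernetes 1.24 the dashboard login token can be minted on demand with `kubectl -n kubernetes-dashboard create token admin-user --duration=1h`, which expires and leaves nothing at rest; I would drop this manifest and document that command instead. If a long-lived token is genuinely required, the README should at least state how it is rotated and when the Secret is deleted.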
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kubernetes-dashboard diff --git a/kubernetes/ingress/helm/values.yml b/kubernetes/ingress/helm/values.yml new file mode 100644 index 00000000..1085ebbb --- /dev/null +++ b/kubernetes/ingress/helm/values.yml @@ -0,0 +1,7 @@ +controller: + metrics: + enable: true + service: + type: LoadBalancer + publishService: + enabled: true diff --git a/kubernetes/ingress/ingress.yml b/kubernetes/ingress/ingress.yml new file mode 100644 index 00000000..d32382fe --- /dev/null +++ b/kubernetes/ingress/ingress.yml @@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress + annotations: + kubernetes.io/ingress.class: "nginx" + kubernetes.io/ingress.allow-http: "false" + ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/service-upstream: "true" +spec: + rules: + - host: chisel.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: chisel-service + port: + name: https diff --git a/kubernetes/prometheus/adapter/helm/values.yml b/kubernetes/prometheus/adapter/helm/values.yml new file mode 100644 index 00000000..7b132a4c --- /dev/null +++ b/kubernetes/prometheus/adapter/helm/values.yml @@ -0,0 +1,4 @@ +prometheus: + url: http://prometheus-server.prometheus.svc.cluster.local + port: 80 + path: "" diff --git a/.github/dependabot.yml b/src/.github/dependabot.yml similarity index 100% rename from .github/dependabot.yml rename to src/.github/dependabot.yml diff --git a/.github/goreleaser.yml b/src/.github/goreleaser.yml similarity index 100% rename from .github/goreleaser.yml rename to src/.github/goreleaser.yml 
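Review bot: The TLS annotations on the Ingress do not do what they appear to: `ingress.kubernetes.io/ssl-passthrough` is missing the `nginx.` prefix that ingress-nginx looks for, and passthrough additionally requires the controller to run with `--enable-ssl-passthrough`, which the helm values in this commit do not set; `kubernetes.io/ingress.allow-http` is a GCE-ingress annotation that ingress-nginx ignores, and `secure-backends` is superseded by the `backend-protocol` annotation already present. With no `spec.tls` block either, my reading is that the controller will answer chisel.example.com over plain HTTP on :80 and only re-encrypt towards the backend, which is the opposite of the intent. Change the passthrough line to `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, add `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`, enable the controller flag (e.g. `controller.extraArgs.enable-ssl-passthrough: "true"` in the helm values), and drop `rewrite-target`, which cannot apply to a passthrough TCP stream.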
diff --git a/.github/workflows/ci.yml b/src/.github/workflows/ci.yml similarity index 100% rename from .github/workflows/ci.yml rename to src/.github/workflows/ci.yml diff --git a/Dockerfile b/src/Dockerfile similarity index 100% rename from Dockerfile rename to src/Dockerfile diff --git a/LICENSE b/src/LICENSE similarity index 100% rename from LICENSE rename to src/LICENSE diff --git a/Makefile b/src/Makefile similarity index 100% rename from Makefile rename to src/Makefile diff --git a/README.md b/src/README.md similarity index 99% rename from README.md rename to src/README.md index ee3da3ad..d13af2d3 100644 --- a/README.md +++ b/src/README.md @@ -157,6 +157,8 @@ $ chisel server --help --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes. + + --metrics, Enables prometheus metrics --tls-key, Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set --tls-cert, diff --git a/client/client.go b/src/client/client.go similarity index 100% rename from client/client.go rename to src/client/client.go diff --git a/client/client_connect.go b/src/client/client_connect.go similarity index 100% rename from client/client_connect.go rename to src/client/client_connect.go diff --git a/client/client_test.go b/src/client/client_test.go similarity index 100% rename from client/client_test.go rename to src/client/client_test.go diff --git a/example/Flyfile b/src/example/Flyfile similarity index 100% rename from example/Flyfile rename to src/example/Flyfile diff --git a/example/fly.toml b/src/example/fly.toml similarity index 100% rename from example/fly.toml rename to src/example/fly.toml diff --git a/example/reverse-tunneling-authenticated.md b/src/example/reverse-tunneling-authenticated.md similarity index 100% rename from example/reverse-tunneling-authenticated.md rename to src/example/reverse-tunneling-authenticated.md 
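Review bot: Moving `.github/workflows/ci.yml`, `.github/dependabot.yml` and `.github/goreleaser.yml` under `src/.github/` silently disables them: GitHub only evaluates workflows from `.github/workflows` at the repository root, and Dependabot only reads the root `.github/dependabot.yml`, so after this commit there is no CI run and no automated dependency-update PRs for the Go module (including the newly added prometheus client_golang dependency). Keep the `.github/` directory at the root and point the workflow at the new layout with `defaults: run: working-directory: src` (and the equivalent `directory: "/src"` for the gomod ecosystem in dependabot.yml).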
diff --git a/example/users.json b/src/example/users.json similarity index 100% rename from example/users.json rename to src/example/users.json diff --git a/go.mod b/src/go.mod similarity index 100% rename from go.mod rename to src/go.mod diff --git a/go.sum b/src/go.sum similarity index 100% rename from go.sum rename to src/go.sum diff --git a/main.go b/src/main.go similarity index 99% rename from main.go rename to src/main.go index eb50e6ca..24a58fe1 100644 --- a/main.go +++ b/src/main.go @@ -142,6 +142,8 @@ var serverHelp = ` --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes. + --metrics, Enables prometheus metrics + --tls-key, Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set --tls-cert, and you cannot set --tls-domain. @@ -177,6 +179,7 @@ func server(args []string) { flags.StringVar(&config.Proxy, "backend", "", "") flags.BoolVar(&config.Socks5, "socks5", false, "") flags.BoolVar(&config.Reverse, "reverse", false, "") + flags.BoolVar(&config.Metrics, "metrics", false, "") flags.StringVar(&config.TLS.Key, "tls-key", "", "") flags.StringVar(&config.TLS.Cert, "tls-cert", "", "") flags.Var(multiFlag{&config.TLS.Domains}, "tls-domain", "") diff --git a/server/server.go b/src/server/server.go similarity index 98% rename from server/server.go rename to src/server/server.go index b7df1282..50f52cde 100644 --- a/server/server.go +++ b/src/server/server.go @@ -28,6 +28,7 @@ type Config struct { Proxy string Socks5 bool Reverse bool + Metrics bool KeepAlive time.Duration TLS TLSConfig } @@ -113,6 +114,10 @@ func NewServer(c *Config) (*Server, error) { if c.Reverse { server.Infof("Reverse tunnelling enabled") } + // prometheus metrics + if c.Metrics { + server.exposeMetrics() + } return server, nil } 
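Review bot: The help text `--metrics, Enables prometheus metrics` hides the security-relevant consequence of the flag: judging by the new server_metrics.go in this commit it opens a second, unauthenticated HTTP listener on all interfaces at :9113. An operator deciding whether to pass the flag needs that in the help string, e.g. `--metrics, Exposes Prometheus metrics on :9113/metrics (all interfaces, no auth; restrict with a firewall or NetworkPolicy)`, and the same sentence belongs in the README hunk that documents the flag.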
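Review bot: `server.exposeMetrics()` is called from NewServer, so a goroutine and a listening socket are created as a side effect of constructing the server, before it is started and outside any shutdown path the server has (Start/Close are not in this hunk, so I cannot see whether one exists). A constructor that binds a port also makes the server impossible to construct twice in one process with Metrics set — the package-level MustRegister in server_metrics.go will panic on the second call. Consider moving the call into the start path alongside the main listener and tying the metrics http.Server's Shutdown to the server's close, e.g. `if s.config.Metrics { s.exposeMetrics(ctx) }` where the context is the one the main listener already uses. NewServer continues outside this hunk.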
diff --git a/server/server_handler.go b/src/server/server_handler.go similarity index 99% rename from server/server_handler.go rename to src/server/server_handler.go index 952aa4d8..3e545fd5 100644 --- a/server/server_handler.go +++ b/src/server/server_handler.go @@ -157,10 +157,12 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) { //block return tunnel.BindRemotes(ctx, serverInbound) }) + activeSessions.Inc() err = eg.Wait() if err != nil && !strings.HasSuffix(err.Error(), "EOF") { l.Debugf("Closed connection (%s)", err) } else { l.Debugf("Closed connection") } + activeSessions.Dec() } diff --git a/server/server_listen.go b/src/server/server_listen.go similarity index 100% rename from server/server_listen.go rename to src/server/server_listen.go diff --git a/src/server/server_metrics.go b/src/server/server_metrics.go new file mode 100644 index 00000000..267c4cc7 --- /dev/null +++ b/src/server/server_metrics.go @@ -0,0 +1,32 @@ +package chserver + +import ( + "net/http" + + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promhttp" +) + +var ( + activeSessions = prometheus.NewGauge(prometheus.GaugeOpts{ + Name: "chisel_number_of_active_sessions", + Help: "The number of active sessions on this chisel server.", + }) +) + +func (s *Server) exposeMetrics() { + register() + activeSessions.Set(0) + + // Run second HTTP server in another goroutine + go func() { + // The Handler function provides a default handler to expose metrics + // via an HTTP server. "/metrics" is the usual endpoint for that. + http.Handle("/metrics", promhttp.Handler()) + http.ListenAndServe(":9113", nil) + }() +} + +func register() { + prometheus.MustRegister(activeSessions) +} \ No newline at end of file diff --git a/share/ccrypto/determ_rand.go b/src/share/ccrypto/determ_rand.go similarity index 100% rename from share/ccrypto/determ_rand.go rename to src/share/ccrypto/determ_rand.go 
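Review bot: `activeSessions.Inc()` and `activeSessions.Dec()` are only paired because the single statement between them, `eg.Wait()`, has no early return; any future `return` inserted between them leaves the gauge permanently inflated, and since the HPA in this commit scales on this gauge (per the diffstat) an inflated value would drive scale-out. Write the pair as `activeSessions.Inc()` followed immediately by `defer activeSessions.Dec()` so the decrement is tied to function exit rather than to one code path. Note also that the gauge is updated regardless of `--metrics`, which is harmless but worth a one-line comment. handleWebsocket starts outside this hunk.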
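Review bot: `http.ListenAndServe(":9113", nil)` in exposeMetrics opens an unauthenticated listener on every interface with no timeouts, discards its error (a busy port silently yields no metrics), and serves http.DefaultServeMux, so anything else registered there is exposed on the metrics port too — if share/cos/pprof.go (moved in this commit) imports net/http/pprof, that would include /debug/pprof heap and goroutine dumps. A dedicated mux and an http.Server with ReadHeaderTimeout (needs a `time` import) address the first three; the bind address should become configurable and be restricted by firewall or NetworkPolicy, since Prometheus has to reach it in-cluster so loopback is not an option. Separately, register() uses prometheus.MustRegister on a package-level gauge, so a second NewServer with Metrics set in one process (tests, embedding) panics; guard it with a sync.Once, or use prometheus.Register and tolerate prometheus.AlreadyRegisteredError.
```go
func (s *Server) exposeMetrics() {
	register()
	activeSessions.Set(0)

	// Dedicated mux so nothing else registered on http.DefaultServeMux
	// (pprof, future debug handlers) becomes reachable on the metrics port.
	mux := http.NewServeMux()
	mux.Handle("/metrics", promhttp.Handler())
	srv := &http.Server{
		Addr:              ":9113", // TODO: make configurable; unauthenticated, restrict at the network layer
		Handler:           mux,
		ReadHeaderTimeout: 10 * time.Second,
	}
	go func() {
		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
			s.Infof("Metrics endpoint failed: %s", err)
		}
	}()
}
// … unchanged: register() …
```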
diff --git a/share/ccrypto/keys.go b/src/share/ccrypto/keys.go similarity index 100% rename from share/ccrypto/keys.go rename to src/share/ccrypto/keys.go diff --git a/share/cio/logger.go b/src/share/cio/logger.go similarity index 100% rename from share/cio/logger.go rename to src/share/cio/logger.go diff --git a/share/cio/pipe.go b/src/share/cio/pipe.go similarity index 100% rename from share/cio/pipe.go rename to src/share/cio/pipe.go diff --git a/share/cio/stdio.go b/src/share/cio/stdio.go similarity index 100% rename from share/cio/stdio.go rename to src/share/cio/stdio.go diff --git a/share/cnet/conn_rwc.go b/src/share/cnet/conn_rwc.go similarity index 100% rename from share/cnet/conn_rwc.go rename to src/share/cnet/conn_rwc.go diff --git a/share/cnet/conn_ws.go b/src/share/cnet/conn_ws.go similarity index 100% rename from share/cnet/conn_ws.go rename to src/share/cnet/conn_ws.go diff --git a/share/cnet/connstats.go b/src/share/cnet/connstats.go similarity index 100% rename from share/cnet/connstats.go rename to src/share/cnet/connstats.go diff --git a/share/cnet/http_server.go b/src/share/cnet/http_server.go similarity index 100% rename from share/cnet/http_server.go rename to src/share/cnet/http_server.go diff --git a/share/cnet/meter.go b/src/share/cnet/meter.go similarity index 100% rename from share/cnet/meter.go rename to src/share/cnet/meter.go diff --git a/share/compat.go b/src/share/compat.go similarity index 100% rename from share/compat.go rename to src/share/compat.go diff --git a/share/cos/common.go b/src/share/cos/common.go similarity index 100% rename from share/cos/common.go rename to src/share/cos/common.go diff --git a/share/cos/pprof.go b/src/share/cos/pprof.go similarity index 100% rename from share/cos/pprof.go rename to src/share/cos/pprof.go diff --git a/share/cos/signal.go b/src/share/cos/signal.go similarity index 100% rename from share/cos/signal.go rename to src/share/cos/signal.go 
diff --git a/share/cos/signal_windows.go b/src/share/cos/signal_windows.go similarity index 100% rename from share/cos/signal_windows.go rename to src/share/cos/signal_windows.go diff --git a/share/settings/config.go b/src/share/settings/config.go similarity index 100% rename from share/settings/config.go rename to src/share/settings/config.go diff --git a/share/settings/env.go b/src/share/settings/env.go similarity index 100% rename from share/settings/env.go rename to src/share/settings/env.go diff --git a/share/settings/remote.go b/src/share/settings/remote.go similarity index 100% rename from share/settings/remote.go rename to src/share/settings/remote.go diff --git a/share/settings/remote_test.go b/src/share/settings/remote_test.go similarity index 100% rename from share/settings/remote_test.go rename to src/share/settings/remote_test.go diff --git a/share/settings/user.go b/src/share/settings/user.go similarity index 100% rename from share/settings/user.go rename to src/share/settings/user.go diff --git a/share/settings/users.go b/src/share/settings/users.go similarity index 100% rename from share/settings/users.go rename to src/share/settings/users.go diff --git a/share/tunnel/tunnel.go b/src/share/tunnel/tunnel.go similarity index 100% rename from share/tunnel/tunnel.go rename to src/share/tunnel/tunnel.go diff --git a/share/tunnel/tunnel_in_proxy.go b/src/share/tunnel/tunnel_in_proxy.go similarity index 100% rename from share/tunnel/tunnel_in_proxy.go rename to src/share/tunnel/tunnel_in_proxy.go diff --git a/share/tunnel/tunnel_in_proxy_udp.go b/src/share/tunnel/tunnel_in_proxy_udp.go similarity index 100% rename from share/tunnel/tunnel_in_proxy_udp.go rename to src/share/tunnel/tunnel_in_proxy_udp.go diff --git a/share/tunnel/tunnel_out_ssh.go b/src/share/tunnel/tunnel_out_ssh.go similarity index 100% rename from share/tunnel/tunnel_out_ssh.go rename to src/share/tunnel/tunnel_out_ssh.go 
diff --git a/share/tunnel/tunnel_out_ssh_udp.go b/src/share/tunnel/tunnel_out_ssh_udp.go similarity index 100% rename from share/tunnel/tunnel_out_ssh_udp.go rename to src/share/tunnel/tunnel_out_ssh_udp.go diff --git a/share/tunnel/udp.go b/src/share/tunnel/udp.go similarity index 100% rename from share/tunnel/udp.go rename to src/share/tunnel/udp.go diff --git a/share/tunnel/wg.go b/src/share/tunnel/wg.go similarity index 100% rename from share/tunnel/wg.go rename to src/share/tunnel/wg.go diff --git a/share/version.go b/src/share/version.go similarity index 100% rename from share/version.go rename to src/share/version.go diff --git a/test/bench/main.go b/src/test/bench/main.go similarity index 100% rename from test/bench/main.go rename to src/test/bench/main.go diff --git a/test/bench/perf.md b/src/test/bench/perf.md similarity index 100% rename from test/bench/perf.md rename to src/test/bench/perf.md diff --git a/test/bench/userfile b/src/test/bench/userfile similarity index 100% rename from test/bench/userfile rename to src/test/bench/userfile diff --git a/test/e2e/auth_test.go b/src/test/e2e/auth_test.go similarity index 100% rename from test/e2e/auth_test.go rename to src/test/e2e/auth_test.go diff --git a/test/e2e/base_test.go b/src/test/e2e/base_test.go similarity index 100% rename from test/e2e/base_test.go rename to src/test/e2e/base_test.go diff --git a/test/e2e/cert_utils_test.go b/src/test/e2e/cert_utils_test.go similarity index 100% rename from test/e2e/cert_utils_test.go rename to src/test/e2e/cert_utils_test.go diff --git a/test/e2e/proxy_test.go b/src/test/e2e/proxy_test.go similarity index 100% rename from test/e2e/proxy_test.go rename to src/test/e2e/proxy_test.go diff --git a/test/e2e/setup_test.go b/src/test/e2e/setup_test.go similarity index 100% rename from test/e2e/setup_test.go rename to src/test/e2e/setup_test.go 
diff --git a/test/e2e/socks_test.go b/src/test/e2e/socks_test.go similarity index 100% rename from test/e2e/socks_test.go rename to src/test/e2e/socks_test.go diff --git a/test/e2e/tls_test.go b/src/test/e2e/tls_test.go similarity index 100% rename from test/e2e/tls_test.go rename to src/test/e2e/tls_test.go diff --git a/test/e2e/udp_test.go b/src/test/e2e/udp_test.go similarity index 100% rename from test/e2e/udp_test.go rename to src/test/e2e/udp_test.go