feat(k8s): Configure HTTPS ingress for the blog r/67

Uses Google-managed certificates and an Ingress resource to set up an
HTTPS load-balancer.

This probably won't be the final version as the GKE Ingress is very
limited and can not do things like redirect URLs, which I need to
decommission the old setup.

3 files changed, 29 insertions, 0 deletions

diff --git a/infra/kubernetes/https-lb/ingress.yaml b/infra/kubernetes/https-lb/ingress.yaml
new file mode 100644
index 000000000000..5afb5f3a48e1
--- /dev/null
+++ b/infra/kubernetes/https-lb/ingress.yaml
@@ -0,0 +1,15 @@
+# This resource configures the HTTPS load balancer that is used as the
+# entrypoint to all HTTPS services running in the cluster.
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: https-ingress
+  annotations:
+    networking.gke.io/managed-certificates: tazj-in, www-tazj-in
+spec:
+  # Default traffic is routed to the blog, in case people go to
+  # peculiar hostnames.
+  backend:
+    serviceName: tazblog
+    servicePort: 8000
diff --git a/infra/kubernetes/primary-cluster.yaml b/infra/kubernetes/primary-cluster.yaml
index f043f92fa89b..5b4b04d5d5c2 100644
--- a/infra/kubernetes/primary-cluster.yaml
+++ b/infra/kubernetes/primary-cluster.yaml
@@ -22,3 +22,4 @@ include:
       account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
       repo: ssh://source.developers.google.com:2022/p/tazjins-infrastructure/r/monorepo
   - name: tazblog
+  - name: https-lb
diff --git a/infra/kubernetes/tazblog/config.yaml b/infra/kubernetes/tazblog/config.yaml
index 1f9daa35fd33..1ab6e9d2b421 100644
--- a/infra/kubernetes/tazblog/config.yaml
+++ b/infra/kubernetes/tazblog/config.yaml
@@ -19,3 +19,16 @@ spec:
       - name: tazblog
         image: nixery.local/shell/tazjin.blog:{{ gitHEAD }}
         command: [ "tazblog" ]
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tazblog
+spec:
+  type: NodePort
+  selector:
+    app: tazblog
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000