Prerequisites
- Original source code
- NGINX Ingress Controller: any other Ingress controller works just as well.
- jetstack/cert-manager: manages the certificates.
- kubernetes-sigs/external-dns: external-dns manages the DNS records of the domain registered in Cloudflare.
- Rook / NFS: the volume does not have to be NFS; block storage such as AWS EBS works too.
- OAuth2 Proxy: n8n itself does not provide OAuth, so OAuth2 Proxy is placed in front of it. Here OAuth 2.0 authentication is performed against GitHub.
Recipe
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: n8n
  namespace: n8n
type: Opaque
stringData:
  # Placeholders: replace every ABCDEFG with a real, randomly generated value.
  N8N_BASIC_AUTH_USER: n8n
  N8N_BASIC_AUTH_PASSWORD: ABCDEFG
  N8N_ENCRYPTION_KEY: ABCDEFG
  COOKIE_SECRET: ABCDEFG
  OAUTH_CLIENT_ID: ABCDEFG
  OAUTH_SECRET_KEY: ABCDEFG
---
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: n8n
  namespace: n8n
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: http
    nginx.ingress.kubernetes.io/proxy-body-size: 128m
    cert-manager.io/issuer: letsencrypt-prod
    # For Cloudflare proxied entries, set the TTL annotation to 1 (automatic), or do not set it.
    external-dns.alpha.kubernetes.io/ttl: "1"
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
spec:
  tls:
    - hosts:
        - n8n.demo.com
      secretName: tls-n8n
  rules:
    - host: n8n.demo.com
      http:
        paths:
          - path: /
            backend:
              # Traffic goes to the oauth2-proxy port (5679), never directly to n8n (5678).
              serviceName: n8n
              servicePort: 5679
---
apiVersion: v1
kind: Service
metadata:
  name: n8n
  namespace: n8n
spec:
  selector:
    app: n8n
  ports:
    # Only the proxy port is exposed; n8n's own port 5678 stays pod-local.
    - protocol: TCP
      port: 5679
      targetPort: 5679
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: n8n
  namespace: n8n
spec:
  storageClassName: rook-nfs-default
  accessModes:
    - ReadWriteMany
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: n8n
  namespace: n8n
spec:
  replicas: 1
  selector:
    matchLabels:
      app: n8n
  template:
    metadata:
      labels:
        app: n8n
    spec:
      containers:
        - name: n8n
          image: n8nio/n8n
          ports:
            - containerPort: 5678
          env:
            # Basic auth is off: authentication is handled by the oauth2-proxy sidecar.
            - name: N8N_BASIC_AUTH_ACTIVE
              value: "false"
            - name: N8N_BASIC_AUTH_USER
              valueFrom:
                secretKeyRef:
                  name: n8n
                  key: N8N_BASIC_AUTH_USER
            - name: N8N_BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: n8n
                  key: N8N_BASIC_AUTH_PASSWORD
            - name: GENERIC_TIMEZONE
              value: "Asia/Seoul"
            - name: N8N_PORT
              value: "5678"
            - name: N8N_HOST
              value: "0.0.0.0"
            - name: VUE_APP_URL_BASE_API
              value: "http://n8n:5678"
            # Public URL used for generated webhook URLs; must match the Ingress host.
            - name: WEBHOOK_TUNNEL_URL
              value: "https://n8n.demo.com/"
            - name: N8N_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: n8n
                  key: N8N_ENCRYPTION_KEY
          volumeMounts:
            # n8n keeps its database and credentials under ~/.n8n of the container user.
            - name: data
              mountPath: /root/
          resources:
            requests:
              cpu: "100m"
              memory: "64Mi"
            limits:
              cpu: "2000m"
              memory: "1024Mi"
        - name: oauth2-proxy
          image: quay.io/pusher/oauth2_proxy:latest
          imagePullPolicy: Always
          args:
            - "--email-domain=*"
            # Only members of this GitHub org/team may log in; a GitHub account alone is not enough.
            - "--github-org=my-org"
            - "--github-team=my-team"
            # n8n runs in the same pod, so the upstream is loopback.
            - "--upstream=http://127.0.0.1:5678"
            - "--approval-prompt=auto"
            - "--redirect-url=https://n8n.demo.com/oauth2/callback"
            - "--cookie-secret=$(COOKIE_SECRET)"
            # TLS is terminated at the ingress and the site is only reachable over HTTPS,
            # so the session cookie carries the Secure attribute.
            - "--cookie-secure=true"
            - "--cookie-refresh=1h"
            - "--cookie-name=_oauth2_proxy_n8n_demo_com"
            - "--provider=github"
            - "--client-id=$(OAUTH_CLIENT_ID)"
            - "--client-secret=$(OAUTH_SECRET_KEY)"
            - "--http-address=0.0.0.0:5679"
          # The $(VAR) references above are expanded from these environment variables.
          # This hands the whole Secret (including N8N_ENCRYPTION_KEY) to the sidecar;
          # individual secretKeyRef entries for the three OAuth keys would be tighter.
          envFrom:
            - secretRef:
                name: n8n
          ports:
            - containerPort: 5679
          resources:
            requests:
              cpu: "100m"
              memory: "64Mi"
            limits:
              cpu: "1000m"
              memory: "256Mi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: n8n
```
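As an added check that is not part of the original recipe: a small Python audit of the sidecar wiring, built from the values above (host n8n.demo.com, proxy port 5679, n8n port 5678) and a constructed argument list. The names `audit()`, `parse_args()` and `HARDENED_ARGS` are assumptions of this example, not from the recipe or from oauth2-proxy.

```python
from urllib.parse import urlparse

# Wiring taken from the recipe above: Ingress -> Service -> oauth2-proxy -> n8n.
INGRESS_HOST, INGRESS_PORT, SERVICE_PORT, SERVICE_TARGET_PORT = "n8n.demo.com", 5679, 5679, 5679
N8N_PORT = 5678  # must stay reachable only from inside the pod

# Constructed argument list mirroring the hardened sidecar (not copied verbatim from the page).
HARDENED_ARGS = [
    "--email-domain=*", "--github-org=my-org", "--github-team=my-team",
    "--upstream=http://127.0.0.1:5678", "--provider=github",
    "--redirect-url=https://n8n.demo.com/oauth2/callback",
    "--cookie-secret=$(COOKIE_SECRET)", "--cookie-secure=true",
    "--client-id=$(OAUTH_CLIENT_ID)", "--client-secret=$(OAUTH_SECRET_KEY)",
    "--http-address=0.0.0.0:5679",
]


def parse_args(args):
    """Turn ['--key=value', '--flag'] into {'key': 'value', 'flag': 'true'}."""
    opts = {}
    for arg in args:
        key, sep, value = arg.lstrip("-").partition("=")
        opts[key] = value if sep else "true"
    return opts


def audit(args):
    """Return a list of finding codes; an empty list means the sidecar wiring is sound."""
    o, findings = parse_args(args), []
    # Every hop must point at the proxy port, never at n8n directly.
    listen_port = int(o.get("http-address", "0.0.0.0:4180").rsplit(":", 1)[1])
    if not INGRESS_PORT == SERVICE_PORT == SERVICE_TARGET_PORT == listen_port:
        findings.append("port-chain")
    up = urlparse(o.get("upstream", ""))
    if up.hostname not in ("127.0.0.1", "localhost") or up.port != N8N_PORT:
        findings.append("upstream")
    # Authentication is not authorisation: a GitHub login alone must not be enough.
    if o.get("provider") == "github" and not (o.get("github-org") or o.get("github-team")):
        findings.append("no-org-restriction")
    # The ingress terminates TLS, so the session cookie should carry the Secure attribute.
    if o.get("cookie-secure") != "true":
        findings.append("cookie-secure")
    # The callback must return over HTTPS to the host the certificate covers.
    rd = urlparse(o.get("redirect-url", ""))
    if (rd.scheme, rd.hostname, rd.path) != ("https", INGRESS_HOST, "/oauth2/callback"):
        findings.append("redirect-url")
    # Secrets belong in the Secret; $(VAR) references are expanded by the kubelet from env.
    for key in ("cookie-secret", "client-id", "client-secret"):
        if not (o.get(key, "").startswith("$(") and o.get(key, "").endswith(")")):
            findings.append(f"literal:{key}")
    return findings
```

Run `audit()` against the `args:` list of any variant of this Deployment before applying it; a non-empty result names the hop or flag that needs attention.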
Author Details
If you need help anywhere across software development, including Kubernetes, DevSecOps, AWS, cloud security, cloud cost management, and adopting and internalizing SaaS, feel free to ask. If you are an acquaintance I will gladly help informally. If you need professional help, we can discuss it as long as it does not interfere with my current job.