chore(system): start pulling over example traefik ingress

David Landry 2023-11-12 15:46:29 -05:00
parent 45a0eab837
commit 9e1d6de3d1
7 changed files with 269 additions and 0 deletions


@ -0,0 +1,11 @@
---
apiVersion: v2
name: system-apps
type: application
version: 1.0.0
appVersion: "1.0.0"
dependencies:
- name: app-of-apps
version: 1.0.2
repository: file://../../../charts/app-of-apps/

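--- a/projects/system/values.yaml
+++ b/projects/system/values.yaml
+---
+app-of-apps:
+project: system
+destination:
+server: https://kubernetes.default.svc
+source:
+repoURL: https://git.nc.landry.land/davad/argo.git
+path: system
+apps:
+# - name: cert-manager
+# namespace: cert-manager
+# path: cert-manager
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: cloudflared
+# namespace: cloudflared
+# path: cloudflared
+# - name: cloudnative-pg
+# namespace: cnpg
+# path: cloudnative-pg
+# - name: kubernetes-dashboard
+# namespace: kubernetes-dashboard
+# path: dashboard
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# extraSyncOptions:
+# - RespectIgnoreDifferences=true
+# ignoreDifferences:
+# - name: kubernetes-dashboard-csrf
+# kind: Secret
+# jsonPointers:
+# - /data/csrf
+# - name: dyndns
+# namespace: dyndns
+# path: dyndns
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: keycloak
+# namespace: identity
+# path: identity/keycloak
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: metrics-server
+# namespace: metrics-server
+# path: metrics-server
+# - name: nfs-subdir-external-provisioner
+# namespace: nfs-subdir-provisioner
+# path: nfs-subdir-external-provisioner
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: oauth2-proxy
+# namespace: oauth2-proxy
+# path: oauth2-proxy
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: prometheus-stack
+# namespace: monitoring
+# path: prometheus-stack
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# extraSyncOptions:
+# - ServerSideApply=true
+# managedNamespaceMetadata:
+# labels:
+# pod-security.kubernetes.io/enforce: privileged
+#
+- name: traefik
+namespace: traefik
+path: traefik
+plugin:
+env:
+- name: SOPS_SECRET_FILE
+value: secret.sec.yaml
+# - name: node-feature-discovery
+# namespace: node-feature-discovery
+# path: node-feature-discovery
+# extraSyncOptions:
+# - RespectIgnoreDifferences=true
+# ignoreDifferences:
+# - group: apps
+# kind: DaemonSet
+# jsonPointers:
+# - /spec/template/metadata/annotations
+# managedNamespaceMetadata:
+# labels:
+# pod-security.kubernetes.io/enforce: privileged
+# - name: intel-device-plugins-operator
+# namespace: intel-device-plugins-operator
+# path: intel-device-plugins-operator
+# managedNamespaceMetadata:
+# labels:
+# pod-security.kubernetes.io/enforce: privileged
+# - name: intel-gpu-plugin
+# namespace: intel-gpu-plugin
+# path: intel-gpu-plugin
+# extraSyncOptions:
+# - RespectIgnoreDifferences=true
+# ignoreDifferences:
+# - group: deviceplugin.intel.com
+# kind: GpuDevicePlugin
+# jsonPointers:
+# - /spec/resourceManager
+# managedNamespaceMetadata:
+# labels:
+# pod-security.kubernetes.io/enforce: privileged
+# - name: snapshot-controller
+# namespace: snapshot-controller
+# path: snapshot-controller
+# ignoreDifferences:
+# - group: "admissionregistration.k8s.io"
+# kind: ValidatingWebhookConfiguration
+# name: snapshot-validation-webhook
+# jqPathExpressions:
+# - .webhooks[]?.clientConfig.caBundle
+# - kind: Secret
+# name: snapshot-validation-webhook-tls
+# jsonPointers:
+# - /data
+# - name: external-secrets
+# namespace: external-secrets
+# path: external-secrets
+# plugin:
+# env:
+# - name: SOPS_SECRET_FILE
+# value: secret.sec.yaml
+# - name: kubelet-csr-approver
+# namespace: kube-system
+# path: kubelet-csr-approver
+# - name: volsync
+# namespace: volsync
+# path: volsync
+# - name: talos-backup
+# namespace: talos-backup
+# path: talos-backup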
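Review bot: Roughly 130 of the lines under `apps:` are commented-out entries with no comment saying why they are disabled, so a reader cannot tell a queued migration from a retired app. Since the commit message says the move is incremental, a single line above the list such as `# Apps not yet migrated from the old layout; uncomment each one as its chart is pulled over` would carry that intent into the file. The live `traefik` entry on lines 108-114 is the only one this project reconciles after the commit, and its `SOPS_SECRET_FILE` env is what the `<secret:private-domain>` placeholders in the traefik templates depend on, which is worth stating next to it.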

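--- a/system/traefik/Chart.yaml
+++ b/system/traefik/Chart.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v2
+name: external-traefik-subchart
+type: application
+version: 1.0.0
+appVersion: "2.6.1"
+dependencies:
+- name: traefik
+version: 25.0.0
+repository: https://traefik.github.io/charts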
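Review bot: `appVersion: "2.6.1"` on line 187 looks stale against the pinned upstream dependency `traefik` `25.0.0` on lines 189-190, which is a considerably newer chart line than the one that shipped Traefik 2.6; if this was copied from the earlier subchart it should be set to the upstream chart's own appVersion (`helm show chart traefik/traefik --version 25.0.0` prints it) so the wrapper's metadata does not misreport what is actually deployed. The wrapper's own `version: 1.0.0` is fine as is.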


@ -0,0 +1,23 @@
kind: Secret
data:
private-domain: ENC[AES256_GCM,data:kxGG/OWfCHByyJ4nv/I=,iv:gqILmNxktPvbx2ycWZSseNgxwLmf1D3if9bgCeE7lR8=,tag:HTBLXrPXokplzmDAN1Ka4Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nvkwdu3fnsy3r2ajw36d858hmgrw4nkg2e2t5p4n90zyvdnlffzqp3fxpf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMkd0UGhMV1RpRGl5UHQ1
RkR6bFNBOHl4OFppRC9ncEJXUDVTeDJkdXpzCnNORnk0ZlNjVWdud3EwekpXSElE
NFpRRjVGb0lEZFdPdXFnWWxXa3ZoRWcKLS0tIG1GTDByaGZjSDY3U2czbzlJdGhh
YU42a2NWZTN0RXdZalpKbXpxSmxYNlkK0x/syDZZ9ig9itXzwnw/Pm2nvL1mE0mX
JgtvyXpStGVbBE/opQFhVfPGtFrHufZZ9atpDcwP8HkjqQ5RE8jwBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-20T12:10:11Z"
mac: ENC[AES256_GCM,data:6Q+8GNGMKUZ8vVA3+nTYz55JVzPfQnnCNy2mIBkpNNzACwK9DpOjqbQDOsaGdqz1Vc4+O7/kRIdSajL9XwhBbkW1s4EDDuIrbztZNmOZM+2oFhcndMP/xaNPoSIN/wiAmWDdKFTpCdYroJLo9sXgxBpa510z7sP4yN2C73bXrsg=,iv:Ji5GXNBawc3jcINQgwWlI+7Y5uzylOKU1/jAL+OJBZ8=,tag:hktnNMSaPk8J/iSV72hu1w==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3
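Review bot: `encrypted_regex: ^(data|stringData)$` on line 217 means only values under `data`/`stringData` are encrypted on re-encryption; anything added outside those keys later (labels, annotations, a `metadata` block) is committed in clear text, which is by design but easy to forget for a file that today holds only `kind: Secret` and `data:`. With no `apiVersion` or `metadata` this is not an applicable manifest; it appears to be the file the Argo plugin reads through `SOPS_SECRET_FILE` to fill the `<secret:private-domain>` placeholders, and a sentence in the chart's README stating that role and which key the `age` recipient belongs to would save the next reader the inference. `lastmodified: "2022-09-20T12:10:11Z"` and `version: 3.7.3` indicate the file was carried over unchanged rather than re-encrypted, which is fine as long as that age key is still the one in use.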


@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tls-cert
namespace: traefik
spec:
secretName: tls-cert
issuerRef:
name: lets-encrypt-dns01-production-cf
kind: ClusterIssuer
commonName: '<secret:private-domain>'
dnsNames:
- '<secret:private-domain>'
- '*.<secret:private-domain>'
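Review bot: This Certificate references `ClusterIssuer lets-encrypt-dns01-production-cf` (line 231) while the cert-manager app is still commented out in `projects/system/values.yaml` in the same commit (line 37), so until that app is migrated nothing reconciles this resource, `tls-cert` is never created, and Traefik's `tlsStore` default would presumably fall back to its built-in self-signed certificate for every host. Worth adding `privateKey:` / `  rotationPolicy: Always` under `spec` so each renewal generates a fresh key instead of reusing the one already in the Secret, which is cert-manager's default behaviour. The `<secret:private-domain>` placeholders on lines 233-236 are only replaced when the app is rendered through the SOPS plugin; if the chart is ever templated directly, the literal angle-bracket string would be submitted as the common name.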


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: dashboard
namespace: traefik
annotations:
kubernetes.io/ingress.class: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.<secret:private-domain>`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
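Review bot: The route on lines 252-256 exposes `api@internal` (the Traefik dashboard and API) at `traefik.<secret:private-domain>` on `websecure` with no `middlewares:` entry, so TLS is the only control; the chart's built-in dashboard route is disabled in the traefik values (`ingressRoute.dashboard.enabled: false`) and replaced by this one, so any authentication has to be attached here. Adding `middlewares:` / `- name: <auth-middleware>` to the route (name is a placeholder; a basicAuth, IP allow-list, or forwardAuth Middleware pointing at the oauth2-proxy app listed in the same project) keeps the dashboard from being readable by anyone who can reach the LoadBalancer IP. The `kubernetes.io/ingress.class: traefik` annotation matches `providers.kubernetesCRD.ingressClass: traefik` in the values, so it is needed as written.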


@ -0,0 +1,44 @@
---
traefik:
ports:
web:
redirectTo:
port: websecure
# Options for the main traefik service, where the entrypoints traffic comes
# from.
service:
annotations: {
metallb.universe.tf/loadBalancerIPs: "192.168.48.21"
}
single: false
tlsStore:
default:
defaultCertificate:
secretName: tls-cert
ingressClass:
enabled: true
ingressRoute:
dashboard:
enabled: false
providers:
kubernetesCRD:
ingressClass: traefik
allowCrossNamespace: true
allowExternalNameServices: true
kubernetesIngress:
ingressClass: traefik
allowExternalNameServices: true
publishedService:
enabled: true
logs:
access:
enabled: true
filters:
statuscodes: "400-405,500"
minDuration: "10ms"
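Review bot: `allowCrossNamespace: true` and `allowExternalNameServices: true` on lines 286, 287 and 290 let any IngressRoute or Ingress reference Services in other namespaces and ExternalName Services that resolve to arbitrary hosts, which is why upstream keeps both off by default; if a route here needs them, a comment naming which one would let the next reviewer re-tighten instead of carrying them forward. `minDuration: "10ms"` on line 298 should be checked against the chart's documented key, which I believe is all-lowercase `minduration`; Helm passes unknown keys through silently, so a casing mismatch would just drop the filter without any error. The `annotations:` block on lines 270-272 is multi-line flow style; block style `annotations:` / `  metallb.universe.tf/loadBalancerIPs: "192.168.48.21"` matches the rest of the file.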