diff --git a/projects/system/values.yaml b/projects/system/values.yaml index 0e659fd..29b9add 100644 --- a/projects/system/values.yaml +++ b/projects/system/values.yaml @@ -80,13 +80,13 @@ app-of-apps: # labels: # pod-security.kubernetes.io/enforce: privileged # - # - name: traefik - # namespace: traefik - # path: traefik - # plugin: - # env: - # - name: SOPS_SECRET_FILE - # value: secret.sec.yaml + - name: traefik + namespace: traefik + path: traefik + # plugin: + # env: + # - name: SOPS_SECRET_FILE + # value: secret.sec.yaml # - name: node-feature-discovery # namespace: node-feature-discovery diff --git a/system/traefik/Chart.yaml b/system/traefik/Chart.yaml new file mode 100644 index 0000000..7086afb --- /dev/null +++ b/system/traefik/Chart.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v2 +name: external-traefik-subchart +type: application +version: 1.0.0 +appVersion: "2.6.1" +dependencies: + - name: traefik + version: 25.0.0 + repository: https://traefik.github.io/charts diff --git a/system/traefik/secret.sec.yaml b/system/traefik/secret.sec.yaml new file mode 100644 index 0000000..c66dea0 --- /dev/null +++ b/system/traefik/secret.sec.yaml 
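Review bot: The `plugin:` / `SOPS_SECRET_FILE` block stays commented out while the traefik application itself is enabled, so nothing visible in this commit decrypts or applies `system/traefik/secret.sec.yaml`; that file sits at the chart root rather than under `templates/`, so Helm will not render it either. At the same time `system/traefik/values.yaml` carries the domain in plaintext (`domain: int.nc.landry.land`), which leaves the sops-encrypted `private-domain` both unused and redundant. Either re-enable the plugin env for this entry and have the templates read the decrypted Secret, or drop the encrypted file so the repo does not carry a dead secret. If the domain is deliberately not a secret, a one-line comment above the entry saying so would stop the next reader from re-adding the plugin.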
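Review bot: `appVersion: "2.6.1"` does not describe what this chart deploys: the pinned dependency `traefik` chart `25.0.0` bundles a considerably newer Traefik, and the new templates use `traefik.io/v1alpha1`, an API group introduced well after the 2.6 line. The field is informational, but a stale value misleads anyone auditing which Traefik version is running; set it to the upstream chart's own `appVersion` for 25.0.0, or omit it. No `Chart.lock` appears in the diff; if one is not committed, check in the output of `helm dependency update` so the resolved dependency (and its digest) is reproducible.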
@@ -0,0 +1,23 @@
+kind: Secret
+data:
+ private-domain: ENC[AES256_GCM,data:kxGG/OWfCHByyJ4nv/I=,iv:gqILmNxktPvbx2ycWZSseNgxwLmf1D3if9bgCeE7lR8=,tag:HTBLXrPXokplzmDAN1Ka4Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nvkwdu3fnsy3r2ajw36d858hmgrw4nkg2e2t5p4n90zyvdnlffzqp3fxpf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMkd0UGhMV1RpRGl5UHQ1
+ RkR6bFNBOHl4OFppRC9ncEJXUDVTeDJkdXpzCnNORnk0ZlNjVWdud3EwekpXSElE
+ NFpRRjVGb0lEZFdPdXFnWWxXa3ZoRWcKLS0tIG1GTDByaGZjSDY3U2czbzlJdGhh
+ YU42a2NWZTN0RXdZalpKbXpxSmxYNlkK0x/syDZZ9ig9itXzwnw/Pm2nvL1mE0mX
+ JgtvyXpStGVbBE/opQFhVfPGtFrHufZZ9atpDcwP8HkjqQ5RE8jwBA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-09-20T12:10:11Z"
+ mac: ENC[AES256_GCM,data:6Q+8GNGMKUZ8vVA3+nTYz55JVzPfQnnCNy2mIBkpNNzACwK9DpOjqbQDOsaGdqz1Vc4+O7/kRIdSajL9XwhBbkW1s4EDDuIrbztZNmOZM+2oFhcndMP/xaNPoSIN/wiAmWDdKFTpCdYroJLo9sXgxBpa510z7sP4yN2C73bXrsg=,iv:Ji5GXNBawc3jcINQgwWlI+7Y5uzylOKU1/jAL+OJBZ8=,tag:hktnNMSaPk8J/iSV72hu1w==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/system/traefik/templates/cert.yaml b/system/traefik/templates/cert.yaml
new file mode 100644
index 0000000..12d410e
--- /dev/null
+++ b/system/traefik/templates/cert.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: tls-cert
+ namespace: traefik
+spec:
+ secretName: tls-cert
+ issuerRef:
+ name: lets-encrypt-dns01-production-cf
+ kind: ClusterIssuer
+ commonName: '{{ .Values.traefik.domain }}'
+ dnsNames:
+ - '{{ .Values.traefik.domain }}'
+ - '*.{{ .Values.traefik.domain }}'
diff --git a/system/traefik/templates/dashboard.yaml b/system/traefik/templates/dashboard.yaml
new file mode 100644
index 0000000..ec84fcb
--- /dev/null
+++ b/system/traefik/templates/dashboard.yaml
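Review bot: After decryption this is not a valid Kubernetes Secret: the hunk has `kind: Secret` and `data:` but no `apiVersion: v1` and no `metadata.name` / `metadata.namespace`, so whatever applies it will be rejected by the API server. `data` values must also be base64-encoded; if `private-domain` was encrypted from a plain string, put it under `stringData:` instead, which `encrypted_regex: ^(data|stringData)$` already covers. Nothing else in this commit references the resulting Secret (`cert.yaml` and `dashboard.yaml` read `.Values.traefik.domain`), so confirm it is actually consumed before keeping it. The single age recipient implies whichever component runs the SOPS plugin must hold that age identity; a comment naming where that key is provisioned would make the decryption path auditable.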
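Review bot: The Certificate sets no `privateKey.rotationPolicy`, and cert-manager's default reuses the existing private key on every renewal; since this wildcard becomes the cluster-wide default certificate through `tlsStore.default`, add `privateKey:` / `rotationPolicy: Always` under `spec` so each renewal gets a fresh key. `namespace: traefik` is hardcoded even though the app-of-apps entry already fixes the namespace; `namespace: {{ .Release.Namespace }}` keeps the two from drifting. `lets-encrypt-dns01-production-cf` is a ClusterIssuer defined outside this diff, so the dependency is implicit; a comment such as `# ClusterIssuer provided by the cert-manager app; DNS-01 via Cloudflare` would record where it comes from.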
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: dashboard
+ namespace: traefik
+ annotations:
+ kubernetes.io/ingress.class: traefik
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`traefik.{{ .Values.traefik.domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
diff --git a/system/traefik/values.yaml b/system/traefik/values.yaml
new file mode 100644
index 0000000..c7115b3
--- /dev/null
+++ b/system/traefik/values.yaml
@@ -0,0 +1,45 @@
+---
+traefik:
+ domain: int.nc.landry.land
+ ports:
+ web:
+ redirectTo:
+ port: websecure
+
+ # Options for the main traefik service, where the entrypoints traffic comes
+ # from.
+ service:
+ # annotations: {
+ # metallb.universe.tf/loadBalancerIPs: "192.168.48.21"
+ # }
+ # single: false
+
+ tlsStore:
+ default:
+ defaultCertificate:
+ secretName: tls-cert
+
+ ingressClass:
+ enabled: true
+
+ ingressRoute:
+ dashboard:
+ enabled: true
+
+ providers:
+ kubernetesCRD:
+ ingressClass: traefik
+ allowCrossNamespace: true
+ allowExternalNameServices: true
+ kubernetesIngress:
+ ingressClass: traefik
+ allowExternalNameServices: true
+ publishedService:
+ enabled: true
+
+ logs:
+ access:
+ enabled: true
+ filters:
+ statuscodes: "400-405,500"
+ minDuration: "10ms"
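Review bot: This IngressRoute publishes `api@internal` — the dashboard plus the full Traefik API, which lists every router, service and middleware configuration — on the `websecure` entrypoint with no `middlewares:` entry, so anyone who can reach `traefik.<domain>` gets it unauthenticated. Attach at least a `basicAuth` (or `forwardAuth` / `ipAllowList`) Middleware to the route, e.g. `middlewares:` / `- name: dashboard-auth` under the route, before this is merged; the `int.` prefix suggests an internal network, but that is an assumption rather than a control. `values.yaml` in the same commit also sets `ingressRoute.dashboard.enabled: true`, which presumably makes the upstream chart render its own dashboard IngressRoute on its internal entrypoint; with this hand-written one, one of the two is likely redundant and both should carry the same protection.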
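Review bot: `allowCrossNamespace: true` and `allowExternalNameServices: true` (set on both providers) relax defaults that Traefik ships off deliberately: cross-namespace lets an IngressRoute in any namespace reference services and middlewares in every other namespace, and ExternalName services let a route point the ingress at an arbitrary external hostname. Nothing in this commit needs either — the only route here targets `api@internal` — so remove them, or keep each with a comment naming the workload that requires it, e.g. `allowExternalNameServices: true  # needed by <app>: routes to <host>`. The plaintext `domain: int.nc.landry.land` also sits next to a sops-encrypted `private-domain` added in the same commit; decide whether the domain is a secret and keep one representation. The access-log filter `statuscodes: "400-405,500"` omits 429 and 502-504, which are the codes most useful when investigating abuse or backend failures; `"400-499,500-599"` (or no status filter at all) is a safer default.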