Reorganized traefik

2025-02-17 04:16:36 +01:00 · 2025-02-17 04:16:36 +01:00 · c2b7d0db2e
commit c2b7d0db2e
parent 86c9ecaffc
13 changed files with 67 additions and 59 deletions
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -4,7 +4,6 @@ resources:
  - ./lldap
  - ./authelia
  - ./grafana
  - ./traefik-dashboard
  - ./whoami.yaml
  - ./akri-demo.yaml
--- a/apps/traefik-dashboard/ingress.yaml
+++ b/apps/traefik-dashboard/ingress.yaml
@ -1,19 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: traefik-dashboard
  namespace: traefik
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.${domain}`)
      kind: Rule
      middlewares:
        - name: forwardauth-authelia
          namespace: authelia
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: ${domain//./-}-tls
--- a/clusters/titan.lan.huizinga.dev/apps.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps.yaml
@ -6,6 +6,7 @@ metadata:
 spec:
  dependsOn:
    - name: infra-configs
    - name: traefik
  decryption:
    provider: sops
    secretRef:
--- a/clusters/titan.lan.huizinga.dev/infra/traefik-middleware.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/traefik-middleware.yaml
@ -0,0 +1,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: traefik-middleware
  namespace: flux-system
 spec:
  interval: 15m
  path: ./infra/traefik-middleware
  dependsOn:
    - name: traefik
  prune: true
  timeout: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
--- a/clusters/titan.lan.huizinga.dev/infra/traefik.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/traefik.yaml
@ -0,0 +1,18 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: traefik
  namespace: flux-system
 spec:
  interval: 15m
  path: ./infra/traefik
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: domain-vars
--- a/infra/traefik-middleware/default-headers.yaml
+++ b/infra/traefik-middleware/default-headers.yaml
@ -2,7 +2,6 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: default-headers
  namespace: default
 spec:
  headers:
    browserXssFilter: true
@ -14,21 +13,3 @@ spec:
    customFrameOptionsValue: SAMEORIGIN
    customRequestHeaders:
      X-Forwarded-Proto: https
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-errors
  namespace: default
 spec:
  errors:
    status:
      - "403"
      - "500"
      - "501"
      - "503"
      - "505-599"
    query: /{status}.html
    service:
      name: whoami
      port: 80
--- a/infra/traefik-middleware/kustomization.yaml
+++ b/infra/traefik-middleware/kustomization.yaml
@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: traefik
 resources:
-  - ingress.yaml
+  - ./default-headers.yaml
--- a/infrastructure/controllers/traefik.yaml
+++ b/infrastructure/controllers/traefik.yaml
@ -1,17 +1,3 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: traefik
  namespace: traefik
 spec:
  interval: 1m0s
  url: https://traefik.github.io/charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@ -46,13 +32,24 @@ spec:
          port: websecure
      websecure:
        middlewares:
-          - default-default-headers@kubernetescrd
+          - traefik-default-headers@kubernetescrd
          - default-test-errors@kubernetescrd
    providers:
      kubernetesCRD:
        allowCrossNamespace: true
    ingressRoute:
      dashboard:
        enabled: true
        entryPoints:
          - websecure
        matchRule: Host(`traefik.${domain}`)
        middlewares:
          - name: forwardauth-authelia
            namespace: authelia
        tls:
          secretName: ${domain//./-}-tls
    # This is needed in order to properly forward the real ip to each service
    # There are likely better ways of handling that, but for now this works
    # TODO(Tim): Figure out how to properly forward the IP
--- a/infra/traefik/helm-repository.yaml
+++ b/infra/traefik/helm-repository.yaml
@ -0,0 +1,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: traefik
 spec:
  interval: 1m0s
  url: https://traefik.github.io/charts
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@ -0,0 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: traefik
 resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
--- a/infra/traefik/namespace.yaml
+++ b/infra/traefik/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik
--- a/infrastructure/configs/kustomization.yaml
+++ b/infrastructure/configs/kustomization.yaml
@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./middleware.yaml
  - ./intel-devices
--- a/infrastructure/controllers/kustomization.yaml
+++ b/infrastructure/controllers/kustomization.yaml
@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - akri.yaml
  - traefik.yaml
  - cloudnative-pg.yaml
  - ./rook
  - ./topolvm