Reorganized traefik

2025-02-17 04:16:36 +01:00 · 2025-02-17 04:16:36 +01:00 · c2b7d0db2e
commit c2b7d0db2e
parent 86c9ecaffc
13 changed files with 67 additions and 59 deletions
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -4,7 +4,6 @@ resources:
  - ./lldap
  - ./authelia
  - ./grafana
-  - ./traefik-dashboard

  - ./whoami.yaml
  - ./akri-demo.yaml
--- a/apps/traefik-dashboard/ingress.yaml
+++ b/apps/traefik-dashboard/ingress.yaml
@ -1,19 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: traefik
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`traefik.${domain}`)
-      kind: Rule
-      middlewares:
-        - name: forwardauth-authelia
-          namespace: authelia
-      services:
-        - name: api@internal
-          kind: TraefikService
-  tls:
-    secretName: ${domain//./-}-tls
--- a/clusters/titan.lan.huizinga.dev/apps.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps.yaml
@ -6,6 +6,7 @@ metadata:
 spec:
  dependsOn:
    - name: infra-configs
+    - name: traefik
  decryption:
    provider: sops
    secretRef:
--- a/clusters/titan.lan.huizinga.dev/infra/traefik-middleware.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/traefik-middleware.yaml
@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-middleware
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./infra/traefik-middleware
+  dependsOn:
+    - name: traefik
+  prune: true
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
--- a/clusters/titan.lan.huizinga.dev/infra/traefik.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/traefik.yaml
@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./infra/traefik
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars
--- a/infra/traefik-middleware/default-headers.yaml
+++ b/infra/traefik-middleware/default-headers.yaml
@ -2,7 +2,6 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: default-headers
-  namespace: default
 spec:
  headers:
    browserXssFilter: true
@ -14,21 +13,3 @@ spec:
    customFrameOptionsValue: SAMEORIGIN
    customRequestHeaders:
      X-Forwarded-Proto: https
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-errors
-  namespace: default
-spec:
-  errors:
-    status:
-      - "403"
-      - "500"
-      - "501"
-      - "503"
-      - "505-599"
-    query: /{status}.html
-    service:
-      name: whoami
-      port: 80
--- a/infra/traefik-middleware/kustomization.yaml
+++ b/infra/traefik-middleware/kustomization.yaml
@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: traefik
 resources:
-  - ingress.yaml
+  - ./default-headers.yaml
--- a/infrastructure/controllers/traefik.yaml
+++ b/infrastructure/controllers/traefik.yaml
@ -1,17 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: traefik
---
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: traefik
-  namespace: traefik
-spec:
-  interval: 1m0s
-  url: https://traefik.github.io/charts
---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@ -46,13 +32,24 @@ spec:
          port: websecure
      websecure:
        middlewares:
-          - default-default-headers@kubernetescrd
-          - default-test-errors@kubernetescrd
+          - traefik-default-headers@kubernetescrd

    providers:
      kubernetesCRD:
        allowCrossNamespace: true

+    ingressRoute:
+      dashboard:
+        enabled: true
+        entryPoints:
+          - websecure
+        matchRule: Host(`traefik.${domain}`)
+        middlewares:
+          - name: forwardauth-authelia
+            namespace: authelia
+        tls:
+          secretName: ${domain//./-}-tls
+
    # This is needed in order to properly forward the real ip to each service
    # There are likely better ways of handling that, but for now this works
    # TODO(Tim): Figure out how to properly forward the IP
--- a/infra/traefik/helm-repository.yaml
+++ b/infra/traefik/helm-repository.yaml
@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+spec:
+  interval: 1m0s
+  url: https://traefik.github.io/charts
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: traefik
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
--- a/infra/traefik/namespace.yaml
+++ b/infra/traefik/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
--- a/infrastructure/configs/kustomization.yaml
+++ b/infrastructure/configs/kustomization.yaml
@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./middleware.yaml
-
  - ./intel-devices
--- a/infrastructure/controllers/kustomization.yaml
+++ b/infrastructure/controllers/kustomization.yaml
@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - akri.yaml
-  - traefik.yaml
  - cloudnative-pg.yaml
  - ./rook
  - ./topolvm