Merge pull request 'switch to traefik' (#39) from traefik into main

Reviewed-on: #39
Aaron Riedel 2024-02-18 06:26:05 +01:00
commit 461ad06fb2
6 changed files with 83 additions and 27 deletions


@ -2,24 +2,24 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: nginx-ingress name: traefik
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
sources: sources:
- repoURL: https://helm.nginx.com/stable - repoURL: https://traefik.github.io/charts
chart: nginx-ingress chart: traefik
targetRevision: 1.1.2 targetRevision: 26.0.0
helm: helm:
releaseName: nginx releaseName: traefik
valueFiles: valueFiles:
- $values/ingress/values.yaml - $values/traefik/values.yaml
- repoURL: https://git.ar21.de/yolokube/core-deployments.git - repoURL: https://git.ar21.de/yolokube/core-deployments.git
targetRevision: HEAD targetRevision: HEAD
ref: values ref: values
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: nginx-ingress namespace: traefik
syncPolicy: syncPolicy:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
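Review bot: Nothing in the visible `sources` list deploys `traefik/basicauth.yaml`: the chart source only reads `$values/traefik/values.yaml`, and the git source is `ref: values` with no `path`. As far as this hunk shows, the `basic-auth` Middleware and its Secret are therefore not synced by this Application. Every ingress changed in this commit now depends on `traefik-basic-auth@kubernetescrd`, so confirm that another Application applies that directory, or add a further source with `path: traefik` restricted to `basicauth.yaml` (values.yaml sits in the same directory and is not a manifest). The top of the file is outside the hunk.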


@ -68,10 +68,8 @@ metadata:
name: example-ingress name: example-ingress
namespace: example namespace: example
#annotations: #annotations:
# Use for Basic auth: # Use for Basic auth:
#nginx.org/basic-auth-secret: example-basic-auth-secret # traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
# Use the following annotation if the backend only speaks HTTPS (fill out the service name accordingly):
#nginx.org/ssl-services: "example-service"
spec: spec:
rules: rules:
- host: "example.apps.yolokube.de" - host: "example.apps.yolokube.de"
@ -84,14 +82,3 @@ spec:
name: example-service name: example-service
port: port:
number: 80 number: 80
# Use for Basic auth:
#---
#kind: Secret
#metadata:
# name: example-basic-auth-secret
# namespace: example
#apiVersion: v1
#type: nginx.org/htpasswd
#stringData:
# htpasswd: |
#test:$apr1$2XMU6EMv$f1MJ7zxqTS079YsB7Z.CX/


@ -25,7 +25,7 @@ ingress:
ingressClassName: nginx ingressClassName: nginx
host: longhorn.services.yolokube.de host: longhorn.services.yolokube.de
annotations: annotations:
nginx.org/basic-auth-secret: longhorn-basic-auth-secret traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
metrics: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
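Review bot: `ingressClassName: nginx` is left unchanged two lines above the new annotation, so this Ingress is still addressed to the nginx class while its only access control is now a Traefik-specific annotation. If an nginx controller is still running at any point during the migration, it would serve longhorn.services.yolokube.de without the protection that `nginx.org/basic-auth-secret` used to provide. Once nginx is gone, Traefik will presumably ignore the Ingress unless an IngressClass named `nginx` is registered for it. I would switch the class in the same commit, e.g. `ingressClassName: traefik` (use whatever class name the chart actually registers). The `ingress:` block starts outside the hunk.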


@ -60,7 +60,7 @@ alertmanager:
hosts: hosts:
- alertmanager.services.yolokube.de - alertmanager.services.yolokube.de
annotations: annotations:
nginx.org/basic-auth-secret: prometheus-basic-auth-secret traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
ingressPerReplica: ingressPerReplica:
pathType: ImplementationSpecific pathType: ImplementationSpecific
paths: paths:
@ -70,7 +70,7 @@ alertmanager:
hostPrefix: alertmanager hostPrefix: alertmanager
hostDomain: services.yolokube.de hostDomain: services.yolokube.de
annotations: annotations:
nginx.org/basic-auth-secret: prometheus-basic-auth-secret traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
servicePerReplica: servicePerReplica:
enabled: true enabled: true
podAntiAffinity: "hard" podAntiAffinity: "hard"
@ -107,7 +107,7 @@ prometheus:
hosts: hosts:
- prometheus.services.yolokube.de - prometheus.services.yolokube.de
annotations: annotations:
nginx.org/basic-auth-secret: prometheus-basic-auth-secret traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
ingressPerReplica: ingressPerReplica:
pathType: ImplementationSpecific pathType: ImplementationSpecific
paths: paths:
@ -116,7 +116,7 @@ prometheus:
hostPrefix: prometheus hostPrefix: prometheus
hostDomain: services.yolokube.de hostDomain: services.yolokube.de
annotations: annotations:
nginx.org/basic-auth-secret: prometheus-basic-auth-secret traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd
prometheusSpec: prometheusSpec:
retentionSize: "45GB" retentionSize: "45GB"
replicas: 2 replicas: 2
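Review bot: All four annotations in this file now point at the single `traefik-basic-auth@kubernetescrd` middleware, which replaces `prometheus-basic-auth-secret` (and, in the Longhorn values, `longhorn-basic-auth-secret`) with one shared credential list in the `traefik` namespace. Any account in that list can then reach Prometheus, Alertmanager, Longhorn and the Traefik dashboard alike. If the earlier split was deliberate, define one Middleware per service group with its own Secret and reference that instead, for example `traefik-monitoring-auth@kubernetescrd` (a constructed name). The ingress class used by these blocks is not visible in the hunks, so check that it matches Traefik as well.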

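--- a/traefik/basicauth.yaml
+++ b/traefik/basicauth.yaml
@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+name: basic-auth
+namespace: traefik
+spec:
+basicAuth:
+secret: authsecret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: authsecret
+namespace: traefik
+data:
+users: |2
+YWFyb246JDJ5JDA1JEIyLlEuOS9lNFZFWHNub2UueXBqWU9raXlrbXJGMmhwQXBFN0NZYzJEUEly
+MHBGSWRETzFPCnRvbTokMnkkMDUkQnNNN2Z2bWYzR3B1em5hazVPU2dyZTB4ODFLNC52eFVRTy9h
+S1c1Y1k0Z21RT3p2c3NQTE8KYmFzdGk6JCRhcHIxJCRYYUdERnByYiQkTzlZMW9SaFROWTdVNWFh
+NUxqM3dhMQo=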
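Review bot: The `users` value under `data` is only base64-encoded, so the htpasswd entries that now guard every protected ingress are readable by anyone with read access to this repository. Two of them decode to bcrypt at cost 5 and the third to an MD5-based apr1 hash, which is little protection once the hashes are public. The third entry also decodes with doubled dollar signs (`$$apr1$$…`), which looks like docker-compose escaping carried over; in a Kubernetes Secret it is taken literally, so that login will most likely never verify. I would keep this Secret out of plain git (for example a SealedSecret or a SOPS-encrypted file that the deploy pipeline decrypts), regenerate the entries with a higher bcrypt cost, and treat the committed passwords as exposed, since they stay in history.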

traefik/values.yaml Normal file

@ -0,0 +1,49 @@
deployment:
kind: DaemonSet
hostNetwork: true
ports:
web:
port: 80
redirectTo:
port: "websecure"
websecure:
port: 443
tls:
certResolver: "letsencrypt"
securityContext:
capabilities:
drop: [ALL]
add: [NET_BIND_SERVICE]
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
service:
type: NodePort
ipFamilyPolicy: PreferDualStack
persistence:
enabled: true
certResolvers:
letsencrypt:
email: letsencrypt@ar21.de
tlsChallenge: true
httpChallenge:
entryPoint: "web"
storage: /data/acme.json
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 0
ingressRoute:
dashboard:
matchRule: Host(`traefik.lab.ar21.de`)
entryPoints: ["traefik", "websecure"]
middlewares:
- name: basic-auth