diff --git a/app-files/core-deployments.yaml b/app-files/core-deployments.yaml index 3a3903b..2613968 100644 --- a/app-files/core-deployments.yaml +++ b/app-files/core-deployments.yaml @@ -2,24 +2,24 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nginx-ingress + name: traefik namespace: argocd spec: project: default sources: - - repoURL: https://helm.nginx.com/stable - chart: nginx-ingress - targetRevision: 1.1.2 + - repoURL: https://traefik.github.io/charts + chart: traefik + targetRevision: 26.0.0 helm: - releaseName: nginx + releaseName: traefik valueFiles: - - $values/ingress/values.yaml + - $values/traefik/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values destination: server: https://kubernetes.default.svc - namespace: nginx-ingress + namespace: traefik syncPolicy: syncOptions: - CreateNamespace=true diff --git a/examples/example-deployment.yaml b/examples/example-deployment.yaml index ff2791c..df94a40 100644 --- a/examples/example-deployment.yaml +++ b/examples/example-deployment.yaml @@ -68,10 +68,8 @@ metadata: name: example-ingress namespace: example #annotations: - # Use for Basic auth: - #nginx.org/basic-auth-secret: example-basic-auth-secret - # Use the following annotation if the backend only speaks HTTPS (fill out the service name accordingly): - #nginx.org/ssl-services: "example-service" + # Use for Basic auth: + # traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd spec: rules: - host: "example.apps.yolokube.de" @@ -84,14 +82,3 @@ spec: name: example-service port: number: 80 -# Use for Basic auth: -#--- -#kind: Secret -#metadata: -# name: example-basic-auth-secret -# namespace: example -#apiVersion: v1 -#type: nginx.org/htpasswd -#stringData: -# htpasswd: | -#test:$apr1$2XMU6EMv$f1MJ7zxqTS079YsB7Z.CX/ \ No newline at end of file diff --git a/longhorn/values.yaml b/longhorn/values.yaml index 997f65f..737bc84 100644 
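Review bot: Neither entry under `sources` applies the new `traefik/basicauth.yaml`: the first renders the Helm chart and the second is only a `ref: values` source with no `path`, so as far as this hunk shows, the `basic-auth` Middleware and `authsecret` Secret added in the same commit are not synced by this Application. The Longhorn, Alertmanager and Prometheus ingresses changed in this commit all reference `traefik-basic-auth@kubernetescrd`, so a missing Middleware would leave those routes broken. It is worth confirming that they fail closed rather than being served without authentication. If nothing else covers that directory, add a source for it, for example one with `path: traefik` narrowed by `directory.include: basicauth.yaml`. The file starts before the hunk, so another Application may already handle this outside the view.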
--- a/longhorn/values.yaml +++ b/longhorn/values.yaml @@ -25,7 +25,7 @@ ingress: ingressClassName: nginx host: longhorn.services.yolokube.de annotations: - nginx.org/basic-auth-secret: longhorn-basic-auth-secret + traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd metrics: serviceMonitor: enabled: true diff --git a/prometheus/values.yaml b/prometheus/values.yaml index fd72a50..dbf3935 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -60,7 +60,7 @@ alertmanager: hosts: - alertmanager.services.yolokube.de annotations: - nginx.org/basic-auth-secret: prometheus-basic-auth-secret + traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd ingressPerReplica: pathType: ImplementationSpecific paths: @@ -70,7 +70,7 @@ alertmanager: hostPrefix: alertmanager hostDomain: services.yolokube.de annotations: - nginx.org/basic-auth-secret: prometheus-basic-auth-secret + traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd servicePerReplica: enabled: true podAntiAffinity: "hard" @@ -107,7 +107,7 @@ prometheus: hosts: - prometheus.services.yolokube.de annotations: - nginx.org/basic-auth-secret: prometheus-basic-auth-secret + traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd ingressPerReplica: pathType: ImplementationSpecific paths: @@ -116,7 +116,7 @@ prometheus: hostPrefix: prometheus hostDomain: services.yolokube.de annotations: - nginx.org/basic-auth-secret: prometheus-basic-auth-secret + traefik.ingress.kubernetes.io/router.middlewares: traefik-basic-auth@kubernetescrd prometheusSpec: retentionSize: "45GB" replicas: 2 diff --git a/traefik/basicauth.yaml b/traefik/basicauth.yaml new file mode 100644 index 0000000..6b68db5 --- /dev/null +++ b/traefik/basicauth.yaml 
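Review bot: The context line `ingressClassName: nginx` is left unchanged although this commit replaces the nginx controller with Traefik, so the Longhorn Ingress carries a Traefik middleware annotation on a class Traefik may not watch. It should probably become `ingressClassName: traefik`, assuming the chart's default class name. This hunk and the four hunks in `prometheus/values.yaml` also swap the per-application secrets (`longhorn-basic-auth-secret`, `prometheus-basic-auth-secret`) for the single `traefik-basic-auth@kubernetescrd` middleware, so one credential set now opens Longhorn, Alertmanager and Prometheus. If that consolidation is intended, a comment beside the annotation should say so; otherwise define one Middleware and Secret per application and reference those. The `ingress:` mapping starts before the hunk.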
@@ -0,0 +1,20 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: basic-auth + namespace: traefik +spec: + basicAuth: + secret: authsecret +--- +apiVersion: v1 +kind: Secret +metadata: + name: authsecret + namespace: traefik +data: + users: |2 + YWFyb246JDJ5JDA1JEIyLlEuOS9lNFZFWHNub2UueXBqWU9raXlrbXJGMmhwQXBFN0NZYzJEUEly + MHBGSWRETzFPCnRvbTokMnkkMDUkQnNNN2Z2bWYzR3B1em5hazVPU2dyZTB4ODFLNC52eFVRTy9h + S1c1Y1k0Z21RT3p2c3NQTE8KYmFzdGk6JCRhcHIxJCRYYUdERnByYiQkTzlZMW9SaFROWTdVNWFh + NUxqM3dhMQo= \ No newline at end of file diff --git a/traefik/values.yaml b/traefik/values.yaml new file mode 100644 index 0000000..2f9b95b --- /dev/null +++ b/traefik/values.yaml @@ -0,0 +1,49 @@ +deployment: + kind: DaemonSet +hostNetwork: true +ports: + web: + port: 80 + redirectTo: + port: "websecure" + websecure: + port: 443 + tls: + certResolver: "letsencrypt" + +securityContext: + capabilities: + drop: [ALL] + add: [NET_BIND_SERVICE] + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + +service: + type: NodePort + ipFamilyPolicy: PreferDualStack + +persistence: + enabled: true + +certResolvers: + letsencrypt: + email: letsencrypt@ar21.de + tlsChallenge: true + httpChallenge: + entryPoint: "web" + storage: /data/acme.json + +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + +ingressRoute: + dashboard: + matchRule: Host(`traefik.lab.ar21.de`) + entryPoints: ["traefik", "websecure"] + middlewares: + - name: basic-auth \ No newline at end of file
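Review bot: The `authsecret` Secret commits the htpasswd data for the shared `basic-auth` middleware to the repository; the `users` value is only base64-encoded, so anyone with read access to the repo obtains the usernames and password hashes, and the bcrypt entries decode with a work factor of `05`, which is low. Keep only the Middleware in this file, supply `authsecret` through an encrypted or external secret mechanism, and treat the credentials in this commit as exposed and rotate them. The third decoded entry has doubled dollar signs (`$$apr1$$…`), which looks like escaping carried over from another format and would probably not verify as an htpasswd hash. The same middleware also guards the dashboard route in `traefik/values.yaml`, so the exposure is not limited to one service.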
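Review bot: The `securityContext` block runs the proxy as root (`runAsUser: 0`, `runAsNonRoot: false`) together with `hostNetwork: true`, so the only containment for an internet-facing process is the capability drop and the read-only root filesystem. If root is there solely to bind 80/443 on the host network, record that above the block, e.g. `# root required to bind :80/:443 under hostNetwork; keep capabilities at NET_BIND_SERVICE only`, so the exception is not widened later. Separately, `deployment.kind: DaemonSet` with `persistence.enabled: true` and `storage: /data/acme.json` implies several instances sharing or duplicating ACME state. Traefik's file-based ACME storage is, as far as I know, not meant for multiple instances, so confirm how the volume is provisioned per node.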