diff --git a/README.md b/README.md
index 4c95f90..39e3264 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,48 @@ spec:
 - name: httpsredirect
 ```
 
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ .Release.Name }}-external-tls
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: myresolver
+ routes:
+ - match: Host(`jellyfin.ducoterra.net`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}
+ port: 8096
+ middlewares:
+ - name: {{ .Release.Name }}
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ .Release.Name }}-external-web
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`jellyfin.ducoterra.net`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}
+ port: 8096
+ middlewares:
+ - name: httpsredirect
+```
+
 ## Create a name.com secret for traefik to use:
 
 export USERNAME=
diff --git a/example.yaml b/example.yaml
new file mode 100644
index 0000000..1a9f134
--- /dev/null
+++ b/example.yaml
@@ -0,0 +1,53 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ .Release.Name }}-tls
+ annotations:
+ kubernetes.io/ingress.class: traefik
+spec:
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: duconet
+ routes:
+ - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}
+ port: {{ .Values.service.port }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ .Release.Name }}
+ annotations:
+ kubernetes.io/ingress.class: traefik
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}
+ port: {{ .Values.service.port }}
+ middlewares:
+ - name: httpsredirect-{{ .Release.Name }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: httpsredirect-{{ .Release.Name }}
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-auth-{{ .Release.Name }}
+spec:
+ basicAuth:
+ secret: authsecret
+ removeHeader: true
\ No newline at end of file
diff --git a/helm/templates/deploy.yaml b/helm/templates/deploy.yaml
index f06ac0e..5088993 100644
--- a/helm/templates/deploy.yaml
+++ b/helm/templates/deploy.yaml
@@ -20,6 +20,7 @@ spec:
 - name: traefik
 image: {{ .Values.image }}
 args:
+ - --providers.kubernetescrd
 - --providers.kubernetescrd.ingressclass={{ .Values.config.ingressclass }}
 - --log.level=ERROR
 - --accesslog=true
@@ -28,7 +29,6 @@ spec:
 - --entrypoints.web.address=:{{ .Values.config.http_port }}
 - --entrypoints.websecure.address=:{{ .Values.config.https_port }}
 - --entrypoints.websecure.http.tls=true
- - --providers.kubernetescrd
 {{ if .Values.enable.statsd }}
 - --metrics.statsd=true
 - --metrics.statsd.address={{ .Values.config.statsd_endpoint }}
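Review bot: The `basic-auth-{{ .Release.Name }}` Middleware at the end of example.yaml is never referenced: the websecure IngressRoute at the top has no `middlewares:` list and the web route only attaches `httpsredirect-{{ .Release.Name }}`, so anyone copying this example gets a TLS route with no authentication while the file suggests basic auth is configured. Either attach it on the `-tls` route with `middlewares:` / `- name: basic-auth-{{ .Release.Name }}`, or drop the unused definition. `secret: authsecret` is also a hard-coded name that must exist in the Middleware's own namespace (as far as I recall Traefik resolves it there); templating it, or at least a comment naming that requirement, would make the prerequisite visible.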
@@ -37,16 +37,16 @@ spec:
 - --metrics.statsd.prefix={{ .Release.Name }}
 {{ end }}
 {{ if .Values.enable.dnschallenge }}
- - --certificatesresolvers.myresolver.acme.dnschallenge=true
- - --certificatesresolvers.myresolver.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
- - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
- - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
- - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1
+ - --certificatesresolvers.duconet.acme.dnschallenge=true
+ - --certificatesresolvers.duconet.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
+ - --certificatesresolvers.duconet.acme.email={{ .Values.config.acme_email }}
+ - --certificatesresolvers.duconet.acme.storage=/acme/acme.json
+ - --certificatesresolvers.duconet.acme.dnschallenge.resolvers=1.1.1.1
 {{ end }}
 {{ if .Values.enable.tlschallenge }}
- - --certificatesresolvers.myresolver.acme.tlschallenge
- - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
- - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+ - --certificatesresolvers.duconet.acme.tlschallenge
+ - --certificatesresolvers.duconet.acme.email={{ .Values.config.acme_email }}
+ - --certificatesresolvers.duconet.acme.storage=/acme/acme.json
 {{ end }}
 {{ if .Values.enable.tracing }}
 - --tracing=true
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
index ea59277..31ab4c8 100644
--- a/helm/templates/ingress.yaml
+++ b/helm/templates/ingress.yaml
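Review bot: The resolver is renamed to `duconet` here and in ingress.yaml, but the IngressRoute example added to README.md in this same commit still says `certResolver: myresolver`; unless a second Traefik instance defines that resolver, routes copied from the README will get no ACME certificate and will presumably be served with Traefik's default self-signed one. Since the name now appears in three files, consider sourcing it from one values entry (constructed example: `certresolver: duconet` under `config:`) and writing `--certificatesresolvers.{{ .Values.config.certresolver }}.acme...` here. `/acme/acme.json` holds the ACME account key and every issued private key; the volume backing that path is outside this hunk, so I cannot see whether it is persisted with restrictive permissions — worth confirming.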
@@ -4,40 +4,18 @@ metadata:
 name: {{ .Release.Name }}-tls
 namespace: kube-system
 annotations:
- kubernetes.io/ingress.class: traefik-internal
+ kubernetes.io/ingress.class: traefik
 spec:
 entryPoints:
 - websecure
 tls:
- certResolver: myresolver
- domains:
- - main: "*.ducoterra.net"
+ certResolver: duconet
 routes:
 - match: Host(`{{ .Release.Name }}.ducoterra.net`)
 kind: Rule
 services:
 - name: {{ .Release.Name }}-admin
- port: 8080
+ port: {{ .Values.config.admin_port }}
 middlewares:
 - name: basic-auth
-
----
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: {{ .Release.Name }}-web
- namespace: kube-system
- annotations:
- kubernetes.io/ingress.class: traefik-internal
-spec:
- entryPoints:
- - web
- routes:
- - match: Host(`{{ .Release.Name }}.ducoterra.net`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-admin
- port: 8080
- middlewares:
 - name: httpsredirect
\ No newline at end of file
diff --git a/helm/templates/rbac.yaml b/helm/templates/rbac.yaml
index 84d0eb1..a88356c 100644
--- a/helm/templates/rbac.yaml
+++ b/helm/templates/rbac.yaml
@@ -34,6 +34,14 @@ rules:
 - ingresses/status
 verbs:
 - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - traefik.containo.us
 resources:
diff --git a/helm/templates/resourcedefinition.yaml b/resource.yaml
similarity index 96%
rename from helm/templates/resourcedefinition.yaml
rename to resource.yaml
index 87e7ab7..da1a06d 100644
--- a/helm/templates/resourcedefinition.yaml
+++ b/resource.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.install.resourcedefinition }}
 # All resources definition must be declared
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -102,5 +101,4 @@ spec:
 kind: TraefikService
 plural: traefikservices
 singular: traefikservice
- scope: Namespaced
-{{ end }}
\ No newline at end of file
+ scope: Namespaced
\ No newline at end of file
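Review bot: After this hunk the `-tls` IngressRoute (whose first lines are above the hunk) still lists `- name: basic-auth` and, through the surviving last context line, `- name: httpsredirect`, yet nothing in `helm/templates` in this commit defines either Middleware — the ones added in example.yaml are named `basic-auth-{{ .Release.Name }}` and `httpsredirect-{{ .Release.Name }}` and live outside the chart. The dashboard route on the admin port therefore depends on out-of-tree objects for its authentication; if they are absent, Traefik (as far as I recall) refuses to build the router, which fails closed but is invisible from the chart. Consider rendering the basicAuth Middleware inside the chart, gated on the `middleware.basicauth` flag that values.yaml already declares, so the route and its guard ship together. The `httpsredirect` reference on a websecure-only router also looks redundant now that the `-web` route is deleted.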
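Review bot: Dropping the `{{ if .Values.install.resourcedefinition }}` guard and moving the file out of `helm/templates` (this hunk and the `@@ -102,5` one) means the chart no longer installs the Traefik CRDs, but nothing in the commit applies `resource.yaml`: upgrade.sh goes straight to `helm upgrade --install`, which on a fresh cluster will fail on the IngressRoute/Middleware templates. Either apply it first, `kubectl --context mainframe-admin apply -f resource.yaml`, or place it under the chart's `crds/` directory, which Helm 3 installs on `helm install` (it does not upgrade them later, so document that). Separately, `apiextensions.k8s.io/v1beta1` is deprecated and removed in Kubernetes 1.22, so these definitions will need migrating to `v1` regardless of where they live.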
diff --git a/upgrade.sh b/upgrade.sh
new file mode 100755
index 0000000..087991d
--- /dev/null
+++ b/upgrade.sh
@@ -0,0 +1,2 @@
+helm --kube-context mainframe-admin upgrade --install traefik ./helm --values values.yaml
+kubectl --context mainframe-admin get pod -w
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..4f8957a
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,23 @@
+image: traefik:v2.3.2
+
+enable:
+ dnschallenge: false
+ tlschallenge: true
+ tracing: false
+ statsd: false
+
+middleware:
+ basicauth: true
+ redirectscheme: true
+ stricttransport: true
+
+config:
+ ingressclass: traefik
+ http_port: 9080
+ https_port: 9443
+ admin_port: 8080
+ # statsd reporting
+ statsd_endpoint: graphite.ducoterra.net:8125
+ acme_email: ducoterra@icloud.com
+ # zipkin tracing
+ tracing_endpoint: http://zipkin:9411/api/v2/spans
\ No newline at end of file
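Review bot: upgrade.sh has no shebang and no `set -euo pipefail`, so when the `helm upgrade` line fails the script still drops into `kubectl ... get pod -w` and blocks on a watch, hiding the error; add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines. The kube context `mainframe-admin` is hard-coded twice; reading it once (say `CTX="${KUBE_CONTEXT:-mainframe-admin}"`, a constructed example) keeps the admin-context choice in one place and lets another operator or CI override it without editing the script.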
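Review bot: The `middleware:` block (`basicauth`, `redirectscheme`, `stricttransport`) is not read by anything in this diff — deploy.yaml and ingress.yaml reference only `.Values.image`, `.Values.enable.*` and `.Values.config.*` — and if the rest of the templates do not read it either, these are dead flags; `stricttransport: true` in particular implies HSTS is enforced when nothing renders it. Either wire them to Middleware templates or remove them until they do something. `acme_email: ducoterra@icloud.com` and `statsd_endpoint: graphite.ducoterra.net:8125` are deployment-specific values committed as chart defaults; a comment marking them as per-deployment overrides, or an empty default, would make that clearer.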