single traefik entrypoint

2020-12-12 22:11:49 -05:00
parent 2852083fef
commit 09c05c356e
8 changed files with 141 additions and 37 deletions
--- a/README.md
+++ b/README.md
@@ -55,6 +55,48 @@ spec:
      - name: httpsredirect
 ```

+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-external-tls
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: myresolver
+  routes:
+  - match: Host(`jellyfin.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}
+      port: 8096
+    middlewares:
+      - name: {{ .Release.Name }}
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-external-web
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`jellyfin.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}
+      port: 8096
+    middlewares:
+      - name: httpsredirect
+```
+
 ## Create a name.com secret for traefik to use:

 export USERNAME=
--- a/example.yaml
+++ b/example.yaml
@@ -0,0 +1,53 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-tls
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: duconet
+  routes:
+  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}
+      port: {{ .Values.service.port }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}
+      port: {{ .Values.service.port }}
+    middlewares:
+      - name: httpsredirect-{{ .Release.Name }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: httpsredirect-{{ .Release.Name }}
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: basic-auth-{{ .Release.Name }}
+spec:
+  basicAuth:
+    secret: authsecret
+    removeHeader: true
--- a/helm/templates/deploy.yaml
+++ b/helm/templates/deploy.yaml
@@ -20,6 +20,7 @@ spec:
        - name: traefik
          image: {{ .Values.image }}
          args:
+            - --providers.kubernetescrd
            - --providers.kubernetescrd.ingressclass={{ .Values.config.ingressclass }}
            - --log.level=ERROR
            - --accesslog=true
@@ -28,7 +29,6 @@ spec:
            - --entrypoints.web.address=:{{ .Values.config.http_port }}
            - --entrypoints.websecure.address=:{{ .Values.config.https_port }}
            - --entrypoints.websecure.http.tls=true
-            - --providers.kubernetescrd
 {{ if .Values.enable.statsd }}
            - --metrics.statsd=true
            - --metrics.statsd.address={{ .Values.config.statsd_endpoint }}
@@ -37,16 +37,16 @@ spec:
            - --metrics.statsd.prefix={{ .Release.Name }}
 {{ end }}
 {{ if .Values.enable.dnschallenge }}
-            - --certificatesresolvers.myresolver.acme.dnschallenge=true
-            - --certificatesresolvers.myresolver.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
-            - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
-            - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
-            - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1
+            - --certificatesresolvers.duconet.acme.dnschallenge=true
+            - --certificatesresolvers.duconet.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
+            - --certificatesresolvers.duconet.acme.email={{ .Values.config.acme_email }}
+            - --certificatesresolvers.duconet.acme.storage=/acme/acme.json
+            - --certificatesresolvers.duconet.acme.dnschallenge.resolvers=1.1.1.1
 {{ end }}
 {{ if .Values.enable.tlschallenge }}
-            - --certificatesresolvers.myresolver.acme.tlschallenge
-            - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
-            - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+            - --certificatesresolvers.duconet.acme.tlschallenge
+            - --certificatesresolvers.duconet.acme.email={{ .Values.config.acme_email }}
+            - --certificatesresolvers.duconet.acme.storage=/acme/acme.json
 {{ end }}
 {{ if .Values.enable.tracing }}
            - --tracing=true
--- a/helm/templates/ingress.yaml
+++ b/helm/templates/ingress.yaml
@@ -4,40 +4,18 @@ metadata:
  name: {{ .Release.Name }}-tls
  namespace: kube-system
  annotations:
-    kubernetes.io/ingress.class: traefik-internal
+    kubernetes.io/ingress.class: traefik
 spec:
  entryPoints:
    - websecure
  tls:
-    certResolver: myresolver
-    domains:
-    - main: "*.ducoterra.net"
+    certResolver: duconet
  routes:
  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
    kind: Rule
    services:
    - name: {{ .Release.Name }}-admin
-      port: 8080
+      port: {{ .Values.config.admin_port }}
    middlewares:
      - name: basic-auth
-
---
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: {{ .Release.Name }}-web
-  namespace: kube-system
-  annotations:
-    kubernetes.io/ingress.class: traefik-internal
-spec:
-  entryPoints:
-    - web
-  routes:
-  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
-    kind: Rule
-    services:
-    - name: {{ .Release.Name }}-admin
-      port: 8080
-    middlewares:
      - name: httpsredirect
--- a/helm/templates/rbac.yaml
+++ b/helm/templates/rbac.yaml
@@ -34,6 +34,14 @@ rules:
      - ingresses/status
    verbs:
      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
--- a/helm/templates/resourcedefinition.yaml
+++ b/helm/templates/resourcedefinition.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.install.resourcedefinition }}
 # All resources definition must be declared
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -103,4 +102,3 @@ spec:
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
-{{ end }}
--- a/upgrade.sh
+++ b/upgrade.sh
@@ -0,0 +1,2 @@
+helm --kube-context mainframe-admin upgrade --install traefik ./helm --values values.yaml
+kubectl --context mainframe-admin get pod -w
--- a/values.yaml
+++ b/values.yaml
@@ -0,0 +1,23 @@
+image: traefik:v2.3.2
+
+enable:
+  dnschallenge: false
+  tlschallenge: true
+  tracing: false
+  statsd: false
+
+middleware:
+  basicauth: true
+  redirectscheme: true
+  stricttransport: true
+
+config:
+  ingressclass: traefik
+  http_port: 9080
+  https_port: 9443
+  admin_port: 8080
+  # statsd reporting
+  statsd_endpoint: graphite.ducoterra.net:8125
+  acme_email: ducoterra@icloud.com
+  # zipkin tracing
+  tracing_endpoint: http://zipkin:9411/api/v2/spans