feat(traefik): Exposing Traefik Dashboard

2025-11-02 10:57:53 +00:00 · 2023-01-26 19:03:20 +01:00
parent 1f0136a2f2
commit 5a5869f87a
9 changed files with 126 additions and 0 deletions
--- a/infra/traefik/ingress-route.yaml
+++ b/infra/traefik/ingress-route.yaml
@@ -0,0 +1,25 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth-traefik.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: traefik-forward-auth
+          port: 4181
+      middlewares:
+        - name: traefik-forward-auth
+    - match: Host(`traefik.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+      middlewares:
+        - name: traefik-forward-auth
+  tls:
+    certResolver: letsencrypt
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@@ -5,6 +5,8 @@ namespace: traefik-system
 resources:
  - storageClass.yaml
  - persistentVolume.yaml
+  - traefik-forward-auth
+  - ingress-route.yaml

 helmCharts:
  - name: traefik
--- a/infra/traefik/traefik-forward-auth/configs/traefik-forward-auth.ini
+++ b/infra/traefik/traefik-forward-auth/configs/traefik-forward-auth.ini
@@ -0,0 +1,5 @@
+cookie-name = "_traefik_auth"
+log-level = "error"
+cookie-domain = "stonegarden.dev"
+auth-host = "auth-traefik.stonegarden.dev"
+whitelist = "veghag@gmail.com"
--- a/infra/traefik/traefik-forward-auth/deployment.yaml
+++ b/infra/traefik/traefik-forward-auth/deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+        - image: thomseddon/traefik-forward-auth:2
+          imagePullPolicy: Always
+          name: traefik-forward-auth
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: CONFIG
+              value: "/config"
+            - name: PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-id
+            - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-secret
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: secret
+          volumeMounts:
+            - name: configs
+              mountPath: /config
+              subPath: traefik-forward-auth.ini
+
+      volumes:
+        - name: configs
+          configMap:
+            name: configs
+        - name: traefik-forward-auth-secrets
+          secret:
+            secretName: traefik-forward-auth-secrets
--- a/infra/traefik/traefik-forward-auth/kustomization.yaml
+++ b/infra/traefik/traefik-forward-auth/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: traefik-forward-auth
+
+resources:
+  - service.yaml
+  - deployment.yaml
+  - middleware.yaml
+
+configMapGenerator:
+  - name: configs
+    files:
+      - configs/traefik-forward-auth.ini
--- a/infra/traefik/traefik-forward-auth/middleware.yaml
+++ b/infra/traefik/traefik-forward-auth/middleware.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth.traefik-system.svc.cluster.local:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+    trustForwardHeader: true
--- a/infra/traefik/traefik-forward-auth/service.yaml
+++ b/infra/traefik/traefik-forward-auth/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+    - name: auth-http
+      port: 4181
--- a/infra/traefik/values.yaml
+++ b/infra/traefik/values.yaml
@@ -22,6 +22,10 @@ additionalArguments:
  - "--log.level=ERROR"
  - "--api.insecure"

+ingressRoute:
+  dashboard:
+    enabled: false
+
 persistence:
  enabled: true
  name: data
--- a/secrets/kustomization.yaml
+++ b/secrets/kustomization.yaml
@@ -4,4 +4,5 @@ kind: Kustomization
 resources:
  - arr.yaml
  - dashboard.yaml
+  - traefik-system.yaml
  - whoami.yaml