From cdec125a11bb662700ffd08989c5a4e75b681770 Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Thu, 21 Dec 2023 11:43:08 +0100
Subject: [PATCH] feat(traefik): Clean up Traefik config after certs are handled by Cert-manager Remove PV for Traefik certs and trimmed values.yaml
---
 infra/traefik/kustomization.yaml | 2 --
 infra/traefik/pv-certs.yaml | 24 -------------
 .../ingress.yaml} | 9 +----
 .../traefik-forward-auth/kustomization.yaml | 1 +
 infra/traefik/values.yaml | 36 +++----------------
 5 files changed, 7 insertions(+), 65 deletions(-)
 delete mode 100644 infra/traefik/pv-certs.yaml
 rename infra/traefik/{ingress-route.yaml => traefik-forward-auth/ingress.yaml} (60%)
diff --git a/infra/traefik/kustomization.yaml b/infra/traefik/kustomization.yaml
index a22c003..c02856b 100644
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@@ -6,9 +6,7 @@ resources:
 - cloudflare-token-cert-manager.yaml
 - cloudflare-issuer.yaml
 - cloudflare-cert.yaml
- - pv-certs.yaml
 - traefik-forward-auth
- - ingress-route.yaml
 helmCharts:
 - name: traefik
diff --git a/infra/traefik/pv-certs.yaml b/infra/traefik/pv-certs.yaml
deleted file mode 100644
index 194a84a..0000000
--- a/infra/traefik/pv-certs.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- finalizers:
- - kubernetes.io/pv-protection
- name: traefik-cert-pv
-spec:
- capacity:
- storage: 128Mi
- volumeMode: Filesystem
- accessModes:
- - ReadWriteOnce
- persistentVolumeReclaimPolicy: Retain
- storageClassName: cert-storage
- local:
- path: /disk/etc/traefik/certs
- nodeAffinity:
- required:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - gauss
\ No newline at end of file
diff --git a/infra/traefik/ingress-route.yaml b/infra/traefik/traefik-forward-auth/ingress.yaml
similarity index 60%
rename from infra/traefik/ingress-route.yaml
rename to infra/traefik/traefik-forward-auth/ingress.yaml
index d0129a9..2221189 100644
--- a/infra/traefik/ingress-route.yaml
+++ b/infra/traefik/traefik-forward-auth/ingress.yaml
@@ -1,7 +1,7 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
- name: traefik-dashboard
+ name: traefik-dashboard-auth
 namespace: traefik-system
 spec:
 entryPoints:
@@ -12,12 +12,5 @@ spec:
 services:
 - name: traefik-forward-auth
 port: 4181
- middlewares:
- - name: traefik-forward-auth
- - match: Host(`traefik.stonegarden.dev`)
- kind: Rule
- services:
- - name: api@internal
- kind: TraefikService
 middlewares:
 - name: traefik-forward-auth
\ No newline at end of file
diff --git a/infra/traefik/traefik-forward-auth/kustomization.yaml b/infra/traefik/traefik-forward-auth/kustomization.yaml
index 5cc211e..0375034 100644
--- a/infra/traefik/traefik-forward-auth/kustomization.yaml
+++ b/infra/traefik/traefik-forward-auth/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - service.yaml
 - deployment.yaml
 - middleware.yaml
+ - ingress.yaml
 configMapGenerator:
 - name: configs
diff --git a/infra/traefik/values.yaml b/infra/traefik/values.yaml
index 0bdf99f..f9343c0 100644
--- a/infra/traefik/values.yaml
+++ b/infra/traefik/values.yaml
@@ -1,13 +1,4 @@
 deployment:
- initContainers:
- # The "volume-permissions" init container is required if you run into permission issues.
- # Related issue: https://github.com/traefik/traefik/issues/6972
- - name: volume-permissions
- image: busybox:1.31.1
- command: [ "sh", "-c", "chmod -Rv 600 /data/*" ]
- volumeMounts:
- - name: data
- mountPath: /data
 dnsConfig:
 nameservers:
 - 192.168.1.153
@@ -17,30 +8,13 @@ service:
 annotations:
 io.cilium/lb-ipam-ips: 192.168.1.142
-providers:
- kubernetesCRD:
- allowCrossNamespace: true
- kubernetesIngress:
- publishedService:
- enabled: true
- # Need to override path since otherwise the namespace is set as default
- pathOverride: traefik-system/traefik
-
-additionalArguments:
- - "--log.level=ERROR"
- - "--api.insecure"
-
 ingressRoute:
 dashboard:
- enabled: false
-
-persistence:
- enabled: true
- name: data
- accessMode: ReadWriteOnce
- size: 128Mi
- storageClass: cert-storage
- path: /data
+ entryPoints:
+ - websecure
+ matchRule: Host(`traefik.stonegarden.dev`)
+ middlewares:
+ - name: traefik-forward-auth
 tlsStore:
 default:
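Review bot: `ingressRoute.dashboard` drops `enabled` altogether, so whether the dashboard route exists now rests on the chart's default instead of this file; I would state it with `enabled: true` above `entryPoints:`. The `middlewares` entry gives only `name: traefik-forward-auth`, and the same hunk removes `allowCrossNamespace: true`, so the reference can presumably only resolve to a Middleware in the namespace the chart-generated IngressRoute is rendered into. The removed comment about the namespace being set as default suggests this is worth checking in the rendered output (the forward-auth route in this patch lives in `traefik-system`; the Middleware manifest itself is not shown). As far as these values show, this middleware is the only access control in front of the dashboard on `websecure`, so a comment such as `# dashboard must stay behind forward-auth` above `middlewares:` would record that.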