Attempt to add traefik with sops secrets

This commit is contained in:
SeanOMik 2023-04-02 13:34:20 -04:00
parent 6e749490cf
commit 2ae133a7e2
Signed by: SeanOMik
GPG Key ID: 568F326C7EB33ACB
8 changed files with 241 additions and 0 deletions

.sops.yaml Normal file

@ -0,0 +1,5 @@
creation_rules:
- encrypted_regex: "^(data|stringData)$"
pgp: >-
2CC2B3631D5C3393901335DB68F95C5D753EE1E5,
8DF31C9F48A24F525FFB1815FC96C52B59328E95
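Review bot: The creation rule has no `path_regex`, so it applies to every file `sops` touches in this repository, and because `encrypted_regex` is `^(data|stringData)$` a file that has no `data`/`stringData` keys would be "encrypted" with every value left in the clear. Scoping the rule, e.g. `path_regex: .*\.enc\.yaml$` placed above `encrypted_regex`, makes sops refuse files that match no rule instead of silently leaving them plaintext. If other secret layouts are planned, add a second rule for them rather than widening this one.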


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- traefik
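Review bot: `traefik` is listed under `generators:`, but it is a directory that carries its own kustomization (the one later in this commit with `generators: - ksops.yaml` and `resources:`), and as far as I know kustomize's `generators` field only accepts generator plugin configuration files, not directories. Unless the kustomize version in use behaves differently, the build will reject the entry or skip the directory's resources; the conventional form is `resources:` followed by `  - traefik`. The file name of this kustomization is not shown on the page, so I am assuming it is the parent directory's kustomization.yaml.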


@ -0,0 +1,81 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: traefik-helm
namespace: traefik
spec:
interval: 5m
chart:
spec:
chart: traefik
version: '2.9.9'
sourceRef:
kind: HelmRepository
name: traefik-helm-repo
namespace: flux-system
interval: 1m
values:
additionalArguments:
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
- --api.insecure
- --providers.kubernetesingress
logs:
general:
level: DEBUG
ports:
web:
expose: true
exposedPort: 8080
# (optional) Permanent Redirect to HTTPS
# redirectTo: websecure
websecure:
tls:
exposed: true
exposedPort: 8443
enabled: true
certResolver: cloudflare
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
key: apiToken
name: cloudflare-credentials
# Disable Dashboard
ingressRoute:
dashboard:
enabled: false
# Persistent Storage
persistence:
enabled: true
name: ssl-certs
size: 1Gi
path: /ssl-certs
#deployment:
# initContainers:
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/containous/traefik/issues/6972
# - name: volume-permissions
# image: busybox:1.31.1
# command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
# volumeMounts:
# - name: ssl-certs
# mountPath: /ssl-certs
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
enabled: true
isDefaultClass: true
namespaceOverride: traefik
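Review bot: `--api.insecure` contradicts the `# Disable Dashboard` comment below it: the flag serves the Traefik API and dashboard on the `traefik` entrypoint with no authentication, so `ingressRoute.dashboard.enabled: false` only stops the chart from creating an IngressRoute while the endpoint itself stays up. Drop `- --api.insecure` here (the same line appears in the values copy at the end of the commit). `logs.general.level: DEBUG` also looks like a development setting; Traefik at DEBUG logs request details and configuration dumps, so lower it to `INFO` once the resolver is confirmed working. Separately, `version: '2.9.9'` reads like a Traefik application version rather than a version of the `traefik` chart served from `https://traefik.github.io/charts`; confirm it resolves against the repository index, otherwise the HelmRelease will fail at chart fetch.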


@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: traefik-helm-repo
namespace: flux-system
spec:
interval: 1m
url: https://traefik.github.io/charts


@ -0,0 +1,10 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: traefik-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./traefik-secrets.enc.yaml
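Review bot: The ksops generator is declared as an `exec` KRM function (`path: ksops`), which kustomize only runs with `--enable-alpha-plugins --enable-exec`, and as far as I know the Flux kustomize-controller implied by the HelmRelease/HelmRepository in this commit does not execute exec plugins at all, so the encrypted Secret would not be generated by the reconciler. If Flux is what builds this directory, the native route is to list `traefik-secrets.enc.yaml` under `resources:` and set `spec.decryption` (`provider: sops` with a `secretRef` to the Secret holding the private key) on the Flux Kustomization that points here, dropping this generator. If the directory is only ever built locally, a comment in this file stating the `--enable-alpha-plugins --enable-exec` requirement would save the next reader the debugging.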


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ksops.yaml
resources:
- helm-repository.yaml
- helm-release.yaml


@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-credentials
namespace: traefik
type: Opaque
stringData:
apiToken: ENC[AES256_GCM,data:2ofq1q6ZJ08RfWtb7KAkiLbTGuY0XX+YNOprSLPVf42MmcHk1AwIaw==,iv:TzSqE3UP8KeASgQeJmQJPOo0Gq4Qx5t7oPqXYr451sg=,tag:eumfMTxotVGmVdY5FmUhjQ==,type:str]
email: ENC[AES256_GCM,data:3SLMvJWYY/rCESO24AujCtdc,iv:bMvI+p8lL7UrkxdB+qCXhn+I3t99Kxx2uIoKv8WGJOE=,tag:c+3aqPigO1hUNEnTQih+7A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-02T17:15:20Z"
mac: ENC[AES256_GCM,data:aJlH+CJloGHMBlbWns9cCmNIUGSJPG43QnJdxEFDArUwRSQRtpM8IiCrIK/RrsP3GHzvZkbNIMSoFeXDq/KfW2ZbGIrDuvGjSwpKSd/tV40NulSOZILZViTV5FNrIO4q05spv0QoGsPcF9CSvRGpQ98w5RbPxQm6U6aYl6cM+7c=,iv:yhu+Zh9ksE2A0MlqDTknNcywpJhxjgTAD7a7VkRqslA=,tag:XGTJaPkAZyQeKG+xsUg0/Q==,type:str]
pgp:
- created_at: "2023-04-02T17:33:57Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixAQ//SGQIuAWmFUmI1DR1MpbDwjOg+s+YvbEbIcLv4iMTn6rM
vtNIpo5I183JJUxRcCKerpW9fIhMSqov7OlvS2c3cLNp2PapHWKR0av0r3Zk0D95
mcMjlpp6j8l9kXFnbGJBX8UkaCJ6jgm79xHhZjODa3A6WB1kQJ3kcXN0sQuZ61qH
UD2QKwPUnTR9cWURdBt4L1aX4+abEwKfLE+XygBTq/2sXOchEU6sKZ88ieGAt2te
8PQ3zWTTUBC2o+AVMnZ3CNCQrdvKKQ4vSEW6+jFsJLgloMThDcf83owvWNDfZwVS
O62k0Wsb9N7ZXScPp8A0VoPa4Qb6WVMJ7BpizUZcSmzC/qNz+CDk7u769xjHyBHC
8kS0JpCWDpozeqcXZjhMpC2MsgfU/FjB0dxy9vyhf910ZlM/TkXnrduJu8p20NQe
Mf1le0/kNoJiUzk0PZcG3l1osafvEChj7owGi1Tnjs1Z/Tz/7GpyDPUWwuxJi37A
ssMKFpuedckQlV6oTTvthX0YGGGF0lCoyLAUBqi81IX7b7GHxn/n8hP30oOGrljL
k77vpX/GDrK+3TtZdjAoQz079Go+AqyxKcgOfF0UJ6z88iYdBnPugHxCXXvMNHhF
HQxzlpFdqJ7P6XXDIFGm5G1oJCVzQyb5fSlh07NphNC6TTDUahkpYJz7qJoWwqPU
aAEJAhCXIy1CD5IdGnE16agicIw1VFhT1F7C4/zH7zBITyYXNTrZ4/5S0SdaT6Fi
XDVC7Eza3UTOIV6l4mJq5xOrGkV0mNi6hwPBJt334MDidNH3AaivUQgpCJX0hSTC
raho1DevzjCp
=vlaG
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-02T17:33:57Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA4WLYkVpP8xtAQ/7BW9zYpflHgi9WOyjyWjybWzsWbLDlHOXPSNMqcpKcsz1
uCp+ReZdsAbnPHRagpnpg5Wj2J9GfY1t8vgfQB4YwGfd0cfjTjumcCd7Lhd0iJjF
oJROOh2CD4B9MPxS0lbjFSUkMnS+8/M4mNdc1TzIRZNYJN0zgcFg51N7hg83d4K7
a2Jev4tCiaXkBLCPFUdTJfsL3BbR9sGt3+ip6qPJKf1fMQqQ8i/yHvzqVZWEtsI0
aD92ypqI32Jd+BFKKER1bxOA1QbsklkqLRLRIJtX0wA6SSH4Q0fRtUfvem4xSIei
m+8iQSSu1TSt65lRVXLmDUseKJcELv+DyKvDPnCZquLW3swYtWSGmv4ULAN8+bB2
W4+ZEi9XNouPTvYCG9rnS2PSsUigZ7lSwgL2y/Qe6h4UZgNibQ/nxGaESGik3dt6
igj9aJIbgF++QFQfHBfLxe3T+cbFyjw6WitrZPmksK3cKea3gx/33HBWu3VGL51x
nMkrjA9K4vu+7jec51HnuevXBhMMvRFrLZowogJy2usOBm2axfAIRJRJA9F/FSnT
ZNmq+PR3OuQZ6ytllSHnXDID+uCyAprVtqDKn3Nvw2WDK8Y8z8ssk24Nw1OmLZWo
6cCE1SJ1DBzsFOXjIhwkPD00gzYzyKYEbZLWAVF6aWPmvbdKIWorkdqiRcwcT/3U
aAEJAhBteUna4cfGfCufYAwi1SsNQ02KUb4kLDIr/OkzVkNUXOHxXJcvz/ACKwDI
gzPM91ZC5tslyR7K4171iEy2CbQWwZvoFqnKiCtXn4d0WunpArdc4XyfqWYoMUbA
Y58UlX+qac0F
=exhB
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3
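Review bot: The `email` key is encrypted here but nothing in the commit reads it — the HelmRelease's `env` references only `apiToken` from `cloudflare-credentials` — while the same ACME contact address is in plaintext in the `--certificatesresolvers.cloudflare.acme.email=` argument. Encrypting one copy of a value while another sits in the clear gives the encryption no benefit for that value; either drop `email` from the Secret or move the address out of the plaintext arguments and source it from the Secret. `metadata` and `type` staying plaintext is expected with `encrypted_regex: ^(data|stringData)$`, and that regex matches the `.sops.yaml` rule, so the two files agree.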


@ -0,0 +1,64 @@
additionalArguments:
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
- --api.insecure
- --providers.kubernetesingress
logs:
general:
level: DEBUG
ports:
web:
expose: true
exposedPort: 8080
# (optional) Permanent Redirect to HTTPS
# redirectTo: websecure
websecure:
tls:
exposed: true
exposedPort: 8443
enabled: true
certResolver: cloudflare
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
key: apiToken
name: cloudflare-credentials
# Disable Dashboard
ingressRoute:
dashboard:
enabled: false
# Persistent Storage
persistence:
enabled: true
name: ssl-certs
size: 1Gi
path: /ssl-certs
#deployment:
# initContainers:
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/containous/traefik/issues/6972
# - name: volume-permissions
# image: busybox:1.31.1
# command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
# volumeMounts:
# - name: ssl-certs
# mountPath: /ssl-certs
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
enabled: true
isDefaultClass: true
namespaceOverride: traefik
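Review bot: This file is a verbatim copy of the `values:` block inlined in the HelmRelease, yet nothing references it: the traefik kustomization.yaml lists only `helm-repository.yaml` and `helm-release.yaml`, and the HelmRelease has no `spec.valuesFrom`. Two copies of the same values will drift; either delete this file or make it the single source by loading it with a `configMapGenerator` and pointing the HelmRelease at that ConfigMap via `spec.valuesFrom`, removing the inline block. The file's name is not shown on this page, so its role is inferred from content. It carries the same `--api.insecure` and `level: DEBUG` settings raised on the HelmRelease.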