Attempt to add traefik with sops secrets
This commit is contained in:
parent
6e749490cf
commit
2ae133a7e2
@ -0,0 +1,5 @@
|
||||||
|
creation_rules:
|
||||||
|
- encrypted_regex: "^(data|stringData)$"
|
||||||
|
pgp: >-
|
||||||
|
2CC2B3631D5C3393901335DB68F95C5D753EE1E5,
|
||||||
|
8DF31C9F48A24F525FFB1815FC96C52B59328E95
|
|
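Review bot: The single creation rule has no `path_regex`, so it is the catch-all for every file sops creates anywhere in this repo, and every future secret will be encrypted to both of these PGP keys by default. Since the secret added in this commit follows a `*.enc.yaml` naming pattern, scoping the rule with `path_regex: .*\.enc\.yaml$` makes the intent explicit and lets a later rule use a different key set (e.g. a cluster-only key) without silently inheriting these recipients. The folded `>-` list with a trailing comma is fine; sops splits the fingerprints on commas.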
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
generators:
|
||||||
|
- traefik
|
|
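Review bot: The `traefik` directory is listed under `generators:` rather than `resources:`, and from the other file in this commit that directory holds ordinary resources (a HelmRelease and a HelmRepository) plus its own ksops generator. Kustomize treats everything loaded through `generators:` as a generator plugin config, so I would expect those plain resources to be rejected rather than emitted; the ksops generator is already wired up inside the directory's own kustomization, so the parent only needs `resources:` followed by `- traefik`. Worth confirming with a local `kustomize build --enable-alpha-plugins` before pushing to the cluster.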
@ -0,0 +1,81 @@
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: traefik-helm
|
||||||
|
namespace: traefik
|
||||||
|
spec:
|
||||||
|
interval: 5m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: traefik
|
||||||
|
version: '2.9.9'
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: traefik-helm-repo
|
||||||
|
namespace: flux-system
|
||||||
|
interval: 1m
|
||||||
|
values:
|
||||||
|
additionalArguments:
|
||||||
|
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
|
||||||
|
- --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
|
||||||
|
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
|
||||||
|
- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
|
||||||
|
|
||||||
|
- --api.insecure
|
||||||
|
- --providers.kubernetesingress
|
||||||
|
|
||||||
|
logs:
|
||||||
|
general:
|
||||||
|
level: DEBUG
|
||||||
|
|
||||||
|
ports:
|
||||||
|
web:
|
||||||
|
expose: true
|
||||||
|
exposedPort: 8080
|
||||||
|
# (optional) Permanent Redirect to HTTPS
|
||||||
|
# redirectTo: websecure
|
||||||
|
websecure:
|
||||||
|
tls:
|
||||||
|
exposed: true
|
||||||
|
exposedPort: 8443
|
||||||
|
|
||||||
|
enabled: true
|
||||||
|
certResolver: cloudflare
|
||||||
|
|
||||||
|
|
||||||
|
env:
|
||||||
|
- name: CF_DNS_API_TOKEN
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
key: apiToken
|
||||||
|
name: cloudflare-credentials
|
||||||
|
|
||||||
|
# Disable Dashboard
|
||||||
|
ingressRoute:
|
||||||
|
dashboard:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# Persistent Storage
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
name: ssl-certs
|
||||||
|
size: 1Gi
|
||||||
|
path: /ssl-certs
|
||||||
|
|
||||||
|
#deployment:
|
||||||
|
# initContainers:
|
||||||
|
# The "volume-permissions" init container is required if you run into permission issues.
|
||||||
|
# Related issue: https://github.com/containous/traefik/issues/6972
|
||||||
|
# - name: volume-permissions
|
||||||
|
# image: busybox:1.31.1
|
||||||
|
# command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
|
||||||
|
# volumeMounts:
|
||||||
|
# - name: ssl-certs
|
||||||
|
# mountPath: /ssl-certs
|
||||||
|
|
||||||
|
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
|
||||||
|
ingressClass:
|
||||||
|
enabled: true
|
||||||
|
isDefaultClass: true
|
||||||
|
|
||||||
|
namespaceOverride: traefik
|
|
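Review bot: `--api.insecure` in `additionalArguments` turns on the Traefik API and dashboard without authentication on the `traefik` entrypoint, which contradicts the "Disable Dashboard" block further down; as far as I recall the 2.9.x chart does not expose that port through the Service, so this is reachable from any pod in the cluster via the pod IP rather than from the internet, but it still hands router and middleware configuration to any in-cluster workload. Drop `- --api.insecure` entirely and keep the dashboard behind an authenticated IngressRoute if it is ever needed. Two related hardening items in the same values: `level: DEBUG` is very verbose for an internet-facing ingress and should become `level: INFO` once this is working, and `# redirectTo: websecure` is still commented out, so plain-HTTP traffic on `web` is served as-is rather than redirected to TLS. Also, `exposed: true` under `websecure` is not the chart's key (`expose`), and the rendering makes it look nested under `tls:` together with `exposedPort`; indentation is lost here so I cannot be certain, but if so `exposedPort: 8443` is ignored and the chart default applies.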
@ -0,0 +1,8 @@
|
||||||
|
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||||
|
kind: HelmRepository
|
||||||
|
metadata:
|
||||||
|
name: traefik-helm-repo
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 1m
|
||||||
|
url: https://traefik.github.io/charts
|
|
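Review bot: This HelmRepository lives in `flux-system` while the HelmRelease that consumes it (in this commit) lives in `traefik`, so the `sourceRef` is a cross-namespace reference. Flux accepts that by default, but it is blocked when the controllers run with `--no-cross-namespace-refs=true` (the multi-tenancy lockdown setting), and it puts the chart source outside the namespace boundary of the workload that depends on it. Unless the repo is deliberately shared by several namespaces, moving it to `namespace: traefik` and updating the release's `sourceRef.namespace` keeps the tenant self-contained. Pinning `version: '2.9.9'` and fetching over HTTPS are good; keep the pin when upgrading.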
@ -0,0 +1,10 @@
|
||||||
|
apiVersion: viaduct.ai/v1
|
||||||
|
kind: ksops
|
||||||
|
metadata:
|
||||||
|
name: traefik-secret-generator
|
||||||
|
annotations:
|
||||||
|
config.kubernetes.io/function: |
|
||||||
|
exec:
|
||||||
|
path: ksops
|
||||||
|
files:
|
||||||
|
- ./traefik-secrets.enc.yaml
|
|
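Review bot: This ksops generator relies on kustomize exec KRM functions (`config.kubernetes.io/function` with `exec: path: ksops`), which the Flux kustomize-controller does not run as far as I know: it builds with plugins disabled for security, and the controllers have neither the `ksops` binary nor the PGP private keys. Since the rest of this commit is Flux resources (HelmRelease, HelmRepository), the decryption should instead use Flux's native SOPS support, by setting `decryption: {provider: sops, secretRef: {name: <key-secret>}}` on the Flux Kustomization that reconciles this path and storing the cluster's private key in that secret in `flux-system`. The encrypted file's `encrypted_regex` of `^(data|stringData)$` already matches what Flux's decryptor expects, so the Secret itself can stay as committed and be listed under `resources:`; ksops remains useful only for local `kustomize build` checks.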
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
generators:
|
||||||
|
- ksops.yaml
|
||||||
|
resources:
|
||||||
|
- helm-repository.yaml
|
||||||
|
- helm-release.yaml
|
|
@ -0,0 +1,62 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: cloudflare-credentials
|
||||||
|
namespace: traefik
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
apiToken: ENC[AES256_GCM,data:2ofq1q6ZJ08RfWtb7KAkiLbTGuY0XX+YNOprSLPVf42MmcHk1AwIaw==,iv:TzSqE3UP8KeASgQeJmQJPOo0Gq4Qx5t7oPqXYr451sg=,tag:eumfMTxotVGmVdY5FmUhjQ==,type:str]
|
||||||
|
email: ENC[AES256_GCM,data:3SLMvJWYY/rCESO24AujCtdc,iv:bMvI+p8lL7UrkxdB+qCXhn+I3t99Kxx2uIoKv8WGJOE=,tag:c+3aqPigO1hUNEnTQih+7A==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age: []
|
||||||
|
lastmodified: "2023-04-02T17:15:20Z"
|
||||||
|
mac: ENC[AES256_GCM,data:aJlH+CJloGHMBlbWns9cCmNIUGSJPG43QnJdxEFDArUwRSQRtpM8IiCrIK/RrsP3GHzvZkbNIMSoFeXDq/KfW2ZbGIrDuvGjSwpKSd/tV40NulSOZILZViTV5FNrIO4q05spv0QoGsPcF9CSvRGpQ98w5RbPxQm6U6aYl6cM+7c=,iv:yhu+Zh9ksE2A0MlqDTknNcywpJhxjgTAD7a7VkRqslA=,tag:XGTJaPkAZyQeKG+xsUg0/Q==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2023-04-02T17:33:57Z"
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAzKleRwoSoixAQ//SGQIuAWmFUmI1DR1MpbDwjOg+s+YvbEbIcLv4iMTn6rM
|
||||||
|
vtNIpo5I183JJUxRcCKerpW9fIhMSqov7OlvS2c3cLNp2PapHWKR0av0r3Zk0D95
|
||||||
|
mcMjlpp6j8l9kXFnbGJBX8UkaCJ6jgm79xHhZjODa3A6WB1kQJ3kcXN0sQuZ61qH
|
||||||
|
UD2QKwPUnTR9cWURdBt4L1aX4+abEwKfLE+XygBTq/2sXOchEU6sKZ88ieGAt2te
|
||||||
|
8PQ3zWTTUBC2o+AVMnZ3CNCQrdvKKQ4vSEW6+jFsJLgloMThDcf83owvWNDfZwVS
|
||||||
|
O62k0Wsb9N7ZXScPp8A0VoPa4Qb6WVMJ7BpizUZcSmzC/qNz+CDk7u769xjHyBHC
|
||||||
|
8kS0JpCWDpozeqcXZjhMpC2MsgfU/FjB0dxy9vyhf910ZlM/TkXnrduJu8p20NQe
|
||||||
|
Mf1le0/kNoJiUzk0PZcG3l1osafvEChj7owGi1Tnjs1Z/Tz/7GpyDPUWwuxJi37A
|
||||||
|
ssMKFpuedckQlV6oTTvthX0YGGGF0lCoyLAUBqi81IX7b7GHxn/n8hP30oOGrljL
|
||||||
|
k77vpX/GDrK+3TtZdjAoQz079Go+AqyxKcgOfF0UJ6z88iYdBnPugHxCXXvMNHhF
|
||||||
|
HQxzlpFdqJ7P6XXDIFGm5G1oJCVzQyb5fSlh07NphNC6TTDUahkpYJz7qJoWwqPU
|
||||||
|
aAEJAhCXIy1CD5IdGnE16agicIw1VFhT1F7C4/zH7zBITyYXNTrZ4/5S0SdaT6Fi
|
||||||
|
XDVC7Eza3UTOIV6l4mJq5xOrGkV0mNi6hwPBJt334MDidNH3AaivUQgpCJX0hSTC
|
||||||
|
raho1DevzjCp
|
||||||
|
=vlaG
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
|
||||||
|
- created_at: "2023-04-02T17:33:57Z"
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA4WLYkVpP8xtAQ/7BW9zYpflHgi9WOyjyWjybWzsWbLDlHOXPSNMqcpKcsz1
|
||||||
|
uCp+ReZdsAbnPHRagpnpg5Wj2J9GfY1t8vgfQB4YwGfd0cfjTjumcCd7Lhd0iJjF
|
||||||
|
oJROOh2CD4B9MPxS0lbjFSUkMnS+8/M4mNdc1TzIRZNYJN0zgcFg51N7hg83d4K7
|
||||||
|
a2Jev4tCiaXkBLCPFUdTJfsL3BbR9sGt3+ip6qPJKf1fMQqQ8i/yHvzqVZWEtsI0
|
||||||
|
aD92ypqI32Jd+BFKKER1bxOA1QbsklkqLRLRIJtX0wA6SSH4Q0fRtUfvem4xSIei
|
||||||
|
m+8iQSSu1TSt65lRVXLmDUseKJcELv+DyKvDPnCZquLW3swYtWSGmv4ULAN8+bB2
|
||||||
|
W4+ZEi9XNouPTvYCG9rnS2PSsUigZ7lSwgL2y/Qe6h4UZgNibQ/nxGaESGik3dt6
|
||||||
|
igj9aJIbgF++QFQfHBfLxe3T+cbFyjw6WitrZPmksK3cKea3gx/33HBWu3VGL51x
|
||||||
|
nMkrjA9K4vu+7jec51HnuevXBhMMvRFrLZowogJy2usOBm2axfAIRJRJA9F/FSnT
|
||||||
|
ZNmq+PR3OuQZ6ytllSHnXDID+uCyAprVtqDKn3Nvw2WDK8Y8z8ssk24Nw1OmLZWo
|
||||||
|
6cCE1SJ1DBzsFOXjIhwkPD00gzYzyKYEbZLWAVF6aWPmvbdKIWorkdqiRcwcT/3U
|
||||||
|
aAEJAhBteUna4cfGfCufYAwi1SsNQ02KUb4kLDIr/OkzVkNUXOHxXJcvz/ACKwDI
|
||||||
|
gzPM91ZC5tslyR7K4171iEy2CbQWwZvoFqnKiCtXn4d0WunpArdc4XyfqWYoMUbA
|
||||||
|
Y58UlX+qac0F
|
||||||
|
=exhB
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
|
||||||
|
encrypted_regex: ^(data|stringData)$
|
||||||
|
version: 3.7.3
|
|
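Review bot: The `apiToken` value is handed to Traefik as the `CF_DNS_API_TOKEN` environment variable via the HelmRelease, so anyone who can read Secrets in the `traefik` namespace or exec into the ingress pod can use it; its blast radius depends entirely on how the token was scoped at Cloudflare, which cannot be checked from the ciphertext, so confirm it is limited to Zone:DNS:Edit on just the zone(s) this cluster issues certificates for rather than an account-wide token. The `email` key is encrypted here but nothing in this commit consumes it; the ACME contact address is passed in plaintext as `--certificatesresolvers.cloudflare.acme.email=...` in the HelmRelease instead, so either reference this key or remove it to avoid a stale copy. The `pgp.created_at` stamps postdate `lastmodified`, which suggests the recipients were updated with `sops updatekeys`; note that re-keying does not rotate the data key, so if a recipient was removed at that point the content should be re-encrypted (`sops rotate`) as well.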
@ -0,0 +1,64 @@
|
||||||
|
additionalArguments:
|
||||||
|
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
|
||||||
|
- --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
|
||||||
|
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
|
||||||
|
- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
|
||||||
|
|
||||||
|
- --api.insecure
|
||||||
|
- --providers.kubernetesingress
|
||||||
|
|
||||||
|
logs:
|
||||||
|
general:
|
||||||
|
level: DEBUG
|
||||||
|
|
||||||
|
ports:
|
||||||
|
web:
|
||||||
|
expose: true
|
||||||
|
exposedPort: 8080
|
||||||
|
# (optional) Permanent Redirect to HTTPS
|
||||||
|
# redirectTo: websecure
|
||||||
|
websecure:
|
||||||
|
tls:
|
||||||
|
exposed: true
|
||||||
|
exposedPort: 8443
|
||||||
|
|
||||||
|
enabled: true
|
||||||
|
certResolver: cloudflare
|
||||||
|
|
||||||
|
|
||||||
|
env:
|
||||||
|
- name: CF_DNS_API_TOKEN
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
key: apiToken
|
||||||
|
name: cloudflare-credentials
|
||||||
|
|
||||||
|
# Disable Dashboard
|
||||||
|
ingressRoute:
|
||||||
|
dashboard:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# Persistent Storage
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
name: ssl-certs
|
||||||
|
size: 1Gi
|
||||||
|
path: /ssl-certs
|
||||||
|
|
||||||
|
#deployment:
|
||||||
|
# initContainers:
|
||||||
|
# The "volume-permissions" init container is required if you run into permission issues.
|
||||||
|
# Related issue: https://github.com/containous/traefik/issues/6972
|
||||||
|
# - name: volume-permissions
|
||||||
|
# image: busybox:1.31.1
|
||||||
|
# command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
|
||||||
|
# volumeMounts:
|
||||||
|
# - name: ssl-certs
|
||||||
|
# mountPath: /ssl-certs
|
||||||
|
|
||||||
|
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
|
||||||
|
ingressClass:
|
||||||
|
enabled: true
|
||||||
|
isDefaultClass: true
|
||||||
|
|
||||||
|
namespaceOverride: traefik
|
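Review bot: This 64-line values file duplicates, line for line, the `values:` block embedded in the HelmRelease in this same commit, and nothing else in the commit references it: the kustomization lists only the repository, release and ksops files, and the HelmRelease has no `valuesFrom`. Two copies of the same configuration will drift, and this copy carries the same `--api.insecure` and `level: DEBUG` settings that should not reach the cluster. Either delete this file, or make it the single source of truth by generating a ConfigMap from it (`configMapGenerator` in the kustomization) and pointing the HelmRelease at it with `valuesFrom: [{kind: ConfigMap, name: <generated-name>}]` while removing the inline block.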