kubernetes/common/apps/cert-manager/app/files/helm-release.yaml

@@ -14,7 +14,7 @@ spec:
         name: jetstack-charts
         namespace: flux-system
   values:
-    installCRDs: false
+    installCRDs: true
     webhook:
       enabled: true
     extraArgs:
@@ -26,8 +26,8 @@ spec:
       nameservers:
         - "1.1.1.1"
         - "9.9.9.9"
-    prometheus:
-      servicemonitor:
-        enabled: true
-        labels:
-          release: kube-prometheus-stack
+#    prometheus:
+#      servicemonitor:
+#        enabled: false
+#        labels:
+#          release: kube-prometheus-stack

kubernetes/common/apps/metallb/app/files/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml

kubernetes/common/apps/metallb/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/metallb/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/metallb/kustomization.yaml

@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
-- ./helm-release.yaml
-- ./metallb-static-ips.yaml
+- ./app/ks.yaml
+- ./pool/ks.yaml

kubernetes/common/apps/metallb/pool/files/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./metallb-static-ip

kubernetes/common/apps/metallb/pool/ks.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb-pool
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/metallb/pool/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: metallb
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/traefik/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/traefik/extra/ks.yaml

@@ -0,0 +1,30 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-default-tls
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/extra/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: traefik
+    namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/traefik/ks.yaml

@@ -1,54 +0,0 @@
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: traefik
-  namespace: flux-system
-spec:
-  timeout: 5m
-  interval: 10m
-  path: ./kubernetes/common/apps/traefik/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-cluster
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  postBuild:
-    substitute: {}
-    substituteFrom:
-      - kind: ConfigMap
-        name: cluster-settings
-      - kind: Secret
-        name: cluster-secrets
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: traefik-default-tls
-  namespace: flux-system
-spec:
-  timeout: 5m
-  interval: 10m
-  path: ./kubernetes/common/apps/traefik/extra
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-cluster
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  dependsOn:
-  - name: traefik
-    namespace: flux-system
-  postBuild:
-    substitute: {}
-    substituteFrom:
-      - kind: ConfigMap
-        name: cluster-settings
-      - kind: Secret
-        name: cluster-secrets

kubernetes/common/apps/traefik/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./app/ks.yaml
+- ./extra/ks.yaml

kubernetes/main/core/kustomization.yaml

@@ -5,7 +5,7 @@ resources:
 - ./helm-repositories.yaml
 - ../../common/apps/cert-manager
 - ../../common/apps/metallb
-- ../../common/apps/traefik/ks.yaml
+- ../../common/apps/traefik
 # storage
 - ./longhorn
 - ./openebs

kubernetes/thin/apps/kustomization.yaml

@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./helm-repositories.yaml
-- ./main-ip-pool.yaml
+#- ./main-ip-pool.yaml
 - ../../common/apps/cert-manager
-- ../../common/apps/traefik/ks.yaml
+- ../../common/apps/metallb
+- ../../common/apps/traefik
 # storage
 #- ../../common/apps/openebs
 

kubernetes/thin/apps/main-ip-pool.yaml

@@ -5,4 +5,4 @@ metadata:
 spec:
   blocks:
   - start: "192.168.1.50"
-    stop: "192.168.1.60"
+    stop: "192.168.1.59"

kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: traefik-dash-ingress
+  namespace: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+spec:
+  rules:
+    - host: "traefik.${SECRET_DOMAIN}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: traefik
+                port:
+                  number: 9000
+  tls:
+    - hosts:
+      - "${SECRET_DOMAIN}"
+      - "traefik.${SECRET_DOMAIN}"

kubernetes/thin/apps/traefik/app/files/helm-release.yaml

@@ -0,0 +1,87 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: traefik
+      version: '30.1.0'
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-charts
+        namespace: flux-system
+      interval: 1m
+  values:
+    additionalArguments:
+    - --api.insecure
+
+    logs:
+      general:
+        level: DEBUG
+
+    providers:
+      kubernetesCRD:
+        enabled: true
+        allowCrossNamespace: false
+        allowExternalNameServices: false
+        allowEmptyServices: false
+        namespaces: []
+
+      kubernetesIngress:
+        enabled: true
+        allowExternalNameServices: false
+        allowEmptyServices: false
+        namespaces: []
+        publishedService:
+          enabled: false
+
+    ports:
+      traefik:
+        port: 9000
+        expose:
+          default: false
+        exposedPort: 9000
+        protocol: TCP
+
+      web:
+        port: 8000
+        #nodePort: 30080
+        expose:
+          default: true
+        redirectTo:
+          port: websecure
+        protocol: TCP
+
+      websecure:
+        port: 8443
+        #nodePort: 30443
+        expose:
+          default: true
+        protocol: TCP
+        tls:
+          enabled: true
+
+      metrics:
+        port: 9100
+        expose:
+          default: false
+        protocol: TCP
+
+    # Disable Dashboard
+    ingressRoute:
+      dashboard:
+        enabled: false
+
+    # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+    ingressClass:
+      enabled: true
+      isDefaultClass: true
+
+    metrics:
+      prometheus:
+        entryPoint: metrics
+
+    namespaceOverride: traefik

kubernetes/thin/apps/traefik/app/files/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://traefik.github.io/charts

kubernetes/thin/apps/traefik/app/files/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
+- ./dashboard-ingress.yaml

kubernetes/thin/apps/traefik/app/files/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    name: traefik

kubernetes/thin/apps/traefik/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: traefik
+
+spec:
+  defaultCertificate:
+    secretName: wildcard-main-tls

kubernetes/thin/apps/traefik/extra/files/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./default-tls-store.yaml

kubernetes/thin/apps/traefik/extra/ks.yaml

@@ -0,0 +1,30 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-default-tls
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/extra/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: traefik
+    namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/thin/apps/traefik/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./app/ks.yaml
+- ./extra/ks.yaml