From b82d213532a6b0c7665a6e725e4200ca5f19ff95 Mon Sep 17 00:00:00 2001 From: Vargha Csongor Date: Wed, 6 Mar 2024 21:22:43 +0100 Subject: [PATCH] use helm native traefik dashboard ingress --- oci-managed/main.tf | 2 +- oci-managed/nlb/provider.tf | 4 -- oci-managed/nlb/traefik.tf | 16 ++--- oci-managed/nlb/variables.tf | 7 +-- oci-managed/traefik-dashboard.tfpl.yaml | 33 ---------- oci-managed/traefik-values.tfpl.yaml | 84 ++++++++++++++----------- oci-managed/variables.tf | 3 + 7 files changed, 57 insertions(+), 92 deletions(-) delete mode 100644 oci-managed/traefik-dashboard.tfpl.yaml diff --git a/oci-managed/main.tf b/oci-managed/main.tf index d4f2c12..8c3b93b 100644 --- a/oci-managed/main.tf +++ b/oci-managed/main.tf @@ -57,8 +57,8 @@ module "nlb" { certmanager_email_address = var.certmanager_email_address cloudflare_email_address = var.cloudflare_email_address cloudflare_api_key = var.cloudflare_api_key + dashboard-url = "traefik.${var.my_domain}" } - traefik_dashboard_ingress_file = "traefik-dashboard.tfpl.yaml" depends_on = [ module.oke ] } diff --git a/oci-managed/nlb/provider.tf b/oci-managed/nlb/provider.tf index 88d874b..94f1517 100644 --- a/oci-managed/nlb/provider.tf +++ b/oci-managed/nlb/provider.tf @@ -4,9 +4,5 @@ terraform { source = "hashicorp/helm" version = ">= 2.12.1" } - kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.14.0" - } } } \ No newline at end of file diff --git a/oci-managed/nlb/traefik.tf b/oci-managed/nlb/traefik.tf index 6416830..d38c5be 100644 --- a/oci-managed/nlb/traefik.tf +++ b/oci-managed/nlb/traefik.tf 
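Review bot: The new `dashboard-url` key in the `traefik_template_values` map breaks the snake_case naming used by every other key in that map (`certmanager_email_address`, `cloudflare_api_key`), and it is dereferenced as `${dashboard-url}` in traefik-values.tfpl.yaml, where it reads like a subtraction expression at first glance. Renaming it on both sides, `dashboard_url = "traefik.${var.my_domain}"` here and `Host(`${dashboard_url}`)` in the template, removes the ambiguity. The `module "nlb"` block starts before the hunk.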
@@ -5,13 +5,17 @@ resource "helm_release" "traefik" { repository = "https://traefik.github.io/charts" chart = "traefik" version = var.traefik_chart_version + cleanup_on_fail = true # Helm chart deployment can sometimes take longer than the default 5 minutes timeout = var.timeout_seconds # If values file specified by the var.values_file input variable exists then apply the values from this file # else apply the default values from the chart - values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", var.traefik_template_values) : ""] + values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", merge({ + traefik_dashboard_username = base64encode("admin") + traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result) + }, var.traefik_template_values)) : ""] set { name = "deployment.replicas" @@ -25,12 +29,4 @@ resource "random_password" "traefik_dashboard_password" { override_special = "_%@" upper = true lower = true -} - -resource "kubectl_manifest" "dashboard-ingress" { - depends_on = [helm_release.traefik] - yaml_body = templatefile("${path.root}/${var.traefik_dashboard_ingress_file}", { - traefik_dashboard_username = base64encode("admin") - traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result) - }) -} +} \ No newline at end of file diff --git a/oci-managed/nlb/variables.tf b/oci-managed/nlb/variables.tf index 2374730..1159167 100644 --- a/oci-managed/nlb/variables.tf +++ b/oci-managed/nlb/variables.tf @@ -22,7 +22,7 @@ variable "traefik_chart_version" { variable "timeout_seconds" { type = number description = "Helm chart deployment can sometimes take longer than the default 5 minutes. Set a custom timeout here." - default = 800 # 10 minutes + default = 180 # 10 minutes } variable "replica_count" { 
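Review bot: `merge({ traefik_dashboard_username = ..., traefik_dashboard_password = ... }, var.traefik_template_values)` lists the generated credentials first, so a caller that passes a key of the same name in `traefik_template_values` silently replaces the random password with its own value; if that override is not intended, `merge(var.traefik_template_values, { ... })` makes the generated secret authoritative, and if it is intended a one-line comment should say so. The rendered values string now also carries the password, so it shows up in `terraform plan` output for the `helm_release`; wrapping the entry as `values = [sensitive(...)]` keeps it out of plan diffs (state still holds it, as it already does through `random_password`). `resource "helm_release" "traefik"` starts before the hunk and continues after it.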
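Review bot: `default = 180 # 10 minutes` contradicts itself: 180 seconds is three minutes, and the variable's own description says the deployment "can sometimes take longer than the default 5 minutes", so the new default is shorter than the value the description warns about. Either the comment or the number is wrong; if 180 is intended, change it to `default = 180 # 3 minutes` and reword the description, otherwise use a value that matches the stated intent such as `default = 600 # 10 minutes`. The previous `800 # 10 minutes` was also inconsistent (800 s is about 13 minutes), so this is a good moment to settle it.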
@@ -38,9 +38,4 @@ variable "values_file" { variable "traefik_template_values" { default = {} -} - -variable "traefik_dashboard_ingress_file" { - description = "The name of the kubernetes manifest file to use" - type = string } \ No newline at end of file diff --git a/oci-managed/traefik-dashboard.tfpl.yaml b/oci-managed/traefik-dashboard.tfpl.yaml deleted file mode 100644 index 41236fd..0000000 --- a/oci-managed/traefik-dashboard.tfpl.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: dashboard-authsecret - namespace: traefik-loadbalancer -type: kubernetes.io/basic-auth -data: - username: ${traefik_dashboard_username} - password: ${traefik_dashboard_password} ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: traefik-dashboard-auth - namespace: traefik-loadbalancer -spec: - basicAuth: - secret: dashboard-authsecret ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard - namespace: traefik-loadbalancer -spec: - routes: - - match: Host(`traefik.varghacsongor.hu`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) - kind: Rule - services: - - name: api@internal - kind: TraefikService - middlewares: - - name: traefik-dashboard-auth diff --git a/oci-managed/traefik-values.tfpl.yaml b/oci-managed/traefik-values.tfpl.yaml index 1cedb63..7760015 100644 --- a/oci-managed/traefik-values.tfpl.yaml +++ b/oci-managed/traefik-values.tfpl.yaml 
@@ -59,19 +59,19 @@ deployment: # hostPath: # path: /var/run/statsd-exporter # -- Additional initContainers (e.g. for setting file permission as shown below) - initContainers: [] + initContainers: # The "volume-permissions" init container is required if you run into permission issues. # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 - # - name: volume-permissions - # image: busybox:latest - # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] - # securityContext: - # runAsNonRoot: true - # runAsGroup: 65532 - # runAsUser: 65532 - # volumeMounts: - # - name: data - # mountPath: /data + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + securityContext: + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + volumeMounts: + - name: data + mountPath: /data # -- Use process namespace sharing shareProcessNamespace: false # -- Custom pod DNS policy. Apply if `hostNetwork: true` @@ -155,15 +155,15 @@ ingressRoute: # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) labels: {} # -- The router match rule used for the dashboard ingressRoute - matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + matchRule: Host(`${dashboard-url}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). # By default, it's using traefik entrypoint, which is not exposed. # /!\ Do not expose your dashboard without any protection over the internet /!\ - entryPoints: ["traefik"] + entryPoints: ["websecure"] # -- Additional ingressRoute middlewares (e.g. for authentication) - middlewares: [] - # -- TLS options (e.g. secret containing certificate) - tls: {} + middlewares: + - name: traefik-dashboard-auth + healthcheck: # -- Create an IngressRoute for the healthcheck probe enabled: false 
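Review bot: The now-enabled `volume-permissions` init container pulls `busybox:latest`, a mutable tag that is re-resolved on each pull, so the image that runs `touch`/`chmod` on `/data/acme.json` can change underneath the deployment without any change to this file; pin it to a fixed tag or, better, a digest (placeholder: `image: busybox:<VERSION>@sha256:<DIGEST>`). The non-root `securityContext` is good, but `touch` on a root-owned volume will fail under uid 65532 unless the pod's `fsGroup` grants write access, so confirm the `podSecurityContext` section later in this file does that. `deployment:` starts before the hunk.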
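Review bot: Switching the dashboard `entryPoints` to `["websecure"]` makes `/dashboard` and `/api` reachable from the internet with the `traefik-dashboard-auth` basic-auth middleware as the only protection, and the retained chart comment `/!\ Do not expose your dashboard without any protection over the internet /!\` should be amended to state what protection is in place (e.g. `# exposed on websecure; protected by the basic-auth middleware defined under extraObjects`). The middleware is referenced by bare name, so it must live in the release namespace, while the `Middleware` defined under `extraObjects` later in this file hard-codes `namespace: traefik-loadbalancer`; if the release is ever installed elsewhere the router would reference a missing middleware and Traefik should mark it as errored. Confirm that dropping the `tls: {}` key (rather than setting it) was intended. `ingressRoute:` starts before the hunk and `healthcheck:` continues after it.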
@@ -588,6 +588,10 @@ env: valueFrom: fieldRef: fieldPath: metadata.namespace +- name: CLOUDFLARE_EMAIL + value: ${cloudflare_email_address} +- name: CLOUDFLARE_API_KEY + value: ${cloudflare_api_key} # - name: SOME_VAR # value: some-var-value # - name: SOME_VAR_FROM_CONFIG_MAP @@ -856,7 +860,7 @@ persistence: # -- Enable persistence using Persistent Volume Claims # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ # It can be used to store TLS certificates, see `storage` in certResolvers - enabled: false + enabled: true name: data # existingClaim: "" accessMode: ReadWriteOnce @@ -868,35 +872,22 @@ persistence: # -- Only mount a subpath of the Volume into the pod # subPath: "" -# -- Certificates resolvers configuration -certResolvers: {} - %{ if letsencrypt } -letsencrypt: - # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +# -- Certificates resolvers configuration +certResolvers: + letsencrypt: + # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ email: ${certmanager_email_address} dnsChallenge: - # also add the provider's required configuration under env - # or expand then from secrets/configmaps with envfrom - # cf. https://doc.traefik.io/traefik/https/acme/#providers provider: cloudflare - # add futher options for the dns challenge as needed - # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge -# delayBeforeCheck: 30 resolvers: - - 1.1.1.1 - - 1.0.0.2 + - 1.1.1.1 + - 1.0.0.2 tlsChallenge: true httpChallenge: - entryPoint: "web" - # It has to match the path with a persistent volume + entryPoint: "web" storage: /data/acme.json - env: - - name: CLOUDFLARE_EMAIL - value: ${cloudflare_email_address} - - name: CLOUDFLARE_API_KEY - value: ${cloudflare_api_key} %{ endif } # -- If hostNetwork is true, runs traefik in the host network namespace 
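Review bot: `CLOUDFLARE_API_KEY` is injected as a literal `value:` in the pod spec, so the key ends up in the rendered Helm values, the release secret, and every copy of the Deployment manifest that `kubectl get deploy -o yaml` or a CI log prints. Create a Kubernetes Secret for it (it could sit next to `dashboard-authsecret` in `extraObjects`) and reference it with `valueFrom: secretKeyRef:`. This `env:` entry is also unconditional, whereas the resolver that consumes it is wrapped in `%{ if letsencrypt }` further down, so the credentials are mounted even when Let's Encrypt is disabled. The enclosing `env:` list starts before the hunk.

```yaml
# … unchanged: POD_NAME / POD_NAMESPACE entries …
- name: CLOUDFLARE_EMAIL
  value: ${cloudflare_email_address}
- name: CLOUDFLARE_API_KEY
  valueFrom:
    secretKeyRef:
      name: cloudflare-dns-credentials   # constructed name; define the Secret under extraObjects
      key: api-key
```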
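Review bot: The comment `# It has to match the path with a persistent volume` was dropped from above `storage: /data/acme.json`, although this very commit enables `persistence` and adds an init container that hard-codes the same `/data/acme.json` path; restoring it as `# must match persistence.name "data" mounted at /data and the file touched by the volume-permissions initContainer` keeps the three places tied together. The resolver also keeps `dnsChallenge`, `tlsChallenge: true` and `httpChallenge` configured at once; Traefik's ACME docs present these as alternative challenge types, so confirm that all three are accepted on one resolver and note in a comment which one is expected to be used. The `%{ if letsencrypt }` template directive that wraps this block starts before the hunk.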
@@ -996,7 +987,24 @@ podSecurityContext: # # In some cases, it can avoid the need for additional, extended or adhoc deployments. # See #595 for more details and traefik/tests/values/extra.yaml for example. -extraObjects: [] +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: dashboard-authsecret + namespace: traefik-loadbalancer + type: kubernetes.io/basic-auth + data: + username: ${traefik_dashboard_username} + password: ${traefik_dashboard_password} + - apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + namespace: traefik-loadbalancer + spec: + basicAuth: + secret: dashboard-authsecret # This will override the default Release Namespace for Helm. # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` diff --git a/oci-managed/variables.tf b/oci-managed/variables.tf index beda21e..d290f3a 100644 --- a/oci-managed/variables.tf +++ b/oci-managed/variables.tf @@ -15,6 +15,9 @@ variable "cloudflare_email_address" { variable "cloudflare_api_key" { type = string } +variable "my_domain" { + type = string +} variable "region" {} variable "public_key_path" {}
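Review bot: The `Middleware` added under `extraObjects` uses `apiVersion: traefik.containo.us/v1alpha1`, while the manifest this commit deletes (`oci-managed/traefik-dashboard.tfpl.yaml`) used `traefik.io/v1alpha1`; `traefik.containo.us` is the legacy API group that Traefik v3 no longer serves, so this is a step backwards and should read `apiVersion: traefik.io/v1alpha1` unless the pinned chart version only installs the old CRDs. Both objects hard-code `namespace: traefik-loadbalancer` although objects without a namespace are placed in the release namespace by Helm; dropping the `namespace:` lines keeps `dashboard-authsecret`, the `Middleware` and the `middlewares` reference in `ingressRoute.dashboard` together wherever the release is installed. A short comment such as `# base64 of the Terraform-generated dashboard credentials (see nlb/traefik.tf)` above `data:` would explain where the two template variables come from. `extraObjects:` continues past the hunk.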
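Review bot: `variable "my_domain"` has no `description`, yet its value is interpolated straight into a Traefik `Host()` matcher via main.tf, so a reader cannot tell whether it expects a bare apex domain or something else; add `description = "Apex DNS domain; the dashboard is served at traefik.<my_domain> (constructed example)"` to the block. A `validation` block rejecting empty strings would also turn a missing value into a plan-time error rather than a broken router rule. The surrounding variable declarations are outside the hunk.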