From f35e7e73fa8144578a7cd2c048a697e38af6dc29 Mon Sep 17 00:00:00 2001
From: Vargha Csongor
Date: Wed, 6 Mar 2024 20:06:22 +0100
Subject: [PATCH] add traefik dashboard ingress

---
 oci-managed/main.tf | 9 +++-
 oci-managed/nlb/output.tf | 9 ++++
 oci-managed/nlb/provider.tf | 12 +++++
 oci-managed/nlb/traefik.tf | 20 ++++++-
 oci-managed/nlb/variables.tf | 10 +++-
 oci-managed/oke/provider.tf | 8 +++
 oci-managed/output.tf | 9 ++++
 oci-managed/provider.tf | 8 +++
 oci-managed/snet/provider.tf | 8 +++
 oci-managed/traefik-dashboard.tfpl.yaml | 33 ++++++++++++
 ...ik-values.yml => traefik-values.tfpl.yaml} | 52 ++++++++++---------
 oci-managed/variables.tf | 15 ++++--
 12 files changed, 161 insertions(+), 32 deletions(-)
 create mode 100644 oci-managed/nlb/output.tf
 create mode 100644 oci-managed/nlb/provider.tf
 create mode 100644 oci-managed/oke/provider.tf
 create mode 100644 oci-managed/snet/provider.tf
 create mode 100644 oci-managed/traefik-dashboard.tfpl.yaml
 rename oci-managed/{traefik-values.yml => traefik-values.tfpl.yaml} (97%)

diff --git a/oci-managed/main.tf b/oci-managed/main.tf
index c5e5fee..d4f2c12 100644
--- a/oci-managed/main.tf
+++ b/oci-managed/main.tf
@@ -51,7 +51,14 @@ module "nlb" {
 compartment_ocid = var.compartment_ocid
 cluster_ocid = module.oke.cluster_ocid
- values_file = "traefik-values.yml"
+ values_file = "traefik-values.tfpl.yaml"
+ traefik_template_values = {
+ letsencrypt = var.cloudflare_api_key != ""
+ certmanager_email_address = var.certmanager_email_address
+ cloudflare_email_address = var.cloudflare_email_address
+ cloudflare_api_key = var.cloudflare_api_key
+ }
+ traefik_dashboard_ingress_file = "traefik-dashboard.tfpl.yaml"
 depends_on = [ module.oke ]
 }
diff --git a/oci-managed/nlb/output.tf b/oci-managed/nlb/output.tf
new file mode 100644
index 0000000..790527b
--- /dev/null
+++ b/oci-managed/nlb/output.tf
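Review bot: `traefik_template_values` hands `var.cloudflare_api_key` to the module inside a plain map, and the module turns that map into the `helm_release` `values` string via `templatefile()`, so unless the key is declared sensitive it is printed un-redacted in every plan and apply diff of the release. Nothing in this patch declares it sensitive: `oci-managed/variables.tf` adds `variable "cloudflare_api_key" { type = string }` without `sensitive = true`, and `oci-managed/nlb/variables.tf` adds `traefik_template_values` with only a default. Terraform carries the sensitive mark through `!=`, the map literal and `templatefile()`, so `sensitive = true` on the root variable is the one-line fix that redacts the rendered values; the key still lands in the Terraform state and in the Helm release secret, which the state backend and cluster RBAC must protect. The `module "nlb"` block starts before this hunk.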
@@ -0,0 +1,9 @@
+output "traefik_dashboard_password" {
+ value = random_password.traefik_dashboard_password.result
+ sensitive = true
+}
+
+output "traefik_dashboard_username" {
+ value = "admin"
+ sensitive = true
+}
diff --git a/oci-managed/nlb/provider.tf b/oci-managed/nlb/provider.tf
new file mode 100644
index 0000000..88d874b
--- /dev/null
+++ b/oci-managed/nlb/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.12.1"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/oci-managed/nlb/traefik.tf b/oci-managed/nlb/traefik.tf
index 28e2e53..6416830 100644
--- a/oci-managed/nlb/traefik.tf
+++ b/oci-managed/nlb/traefik.tf
@@ -11,10 +11,26 @@ resource "helm_release" "traefik" {
 # If values file specified by the var.values_file input variable exists then apply the values from this file
 # else apply the default values from the chart
- values = [fileexists("${path.root}/${var.values_file}") == true ? file("${path.root}/${var.values_file}") : ""]
+ values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", var.traefik_template_values) : ""]
 set {
 name = "deployment.replicas"
 value = var.replica_count
 }
-}
\ No newline at end of file
+}
+
+resource "random_password" "traefik_dashboard_password" {
+ length = 128
+ special = true
+ override_special = "_%@"
+ upper = true
+ lower = true
+}
+
+resource "kubectl_manifest" "dashboard-ingress" {
+ depends_on = [helm_release.traefik]
+ yaml_body = templatefile("${path.root}/${var.traefik_dashboard_ingress_file}", {
+ traefik_dashboard_username = base64encode("admin")
+ traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
+ })
+}
diff --git a/oci-managed/nlb/variables.tf b/oci-managed/nlb/variables.tf
index 5489f97..2374730 100644
--- a/oci-managed/nlb/variables.tf
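Review bot: `traefik_dashboard_username` returns the literal `"admin"`, and the same literal is repeated as `base64encode("admin")` in the Secret template in traefik.tf, so the exported username and the one actually written into the cluster can silently drift apart. A single `locals { traefik_dashboard_username = "admin" }` referenced from both places removes the duplication.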
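Review bot: `yaml_body` of `kubectl_manifest.dashboard-ingress` is rendered from a template that contains three YAML documents (Secret, Middleware, IngressRoute), and as far as I can tell `kubectl_manifest` applies a single document per resource, so the Middleware and IngressRoute would never reach the cluster; the provider's `kubectl_file_documents` data source exists for exactly this split. Separately, the Secret stores the password as plain base64 while Traefik reads a `kubernetes.io/basic-auth` secret as an htpasswd-style `user:hash` entry and expects the password hashed (bcrypt/MD5/SHA1), so the generated credential is unlikely to log in; `bcrypt(random_password.traefik_dashboard_password.result)` is the one-token fix, with the caveat that `bcrypt()` re-salts on every run and the Secret will show a diff each plan. Keeping the Secret in its own resource and iterating only over the static routing documents also avoids a `for_each` whose keys depend on `random_password`, which is unknown on the first apply. The password also sits unencrypted in the Terraform state via the resource result and the outputs, so the state backend needs the same protection as the dashboard itself. The `helm_release` block starts before this hunk.
```hcl
# Secret on its own: rendered from the random password, one document only
resource "kubectl_manifest" "dashboard-auth-secret" {
  depends_on = [helm_release.traefik]
  # <SECRET_TEMPLATE_FILE>: placeholder for a new Secret-only template split out of the current file
  yaml_body = templatefile("${path.root}/<SECRET_TEMPLATE_FILE>", {
    traefik_dashboard_username = base64encode("admin")
    # bcrypt() gives Traefik the hashed form it expects in a kubernetes.io/basic-auth secret;
    # it re-salts on every evaluation, so expect this Secret to diff on each plan
    traefik_dashboard_password = base64encode(bcrypt(random_password.traefik_dashboard_password.result))
  })
}

# Middleware + IngressRoute: static documents (no template variables), one resource per document
data "kubectl_file_documents" "dashboard-routing" {
  content = file("${path.root}/${var.traefik_dashboard_ingress_file}")
}

resource "kubectl_manifest" "dashboard-ingress" {
  for_each   = data.kubectl_file_documents.dashboard-routing.manifests
  depends_on = [helm_release.traefik, kubectl_manifest.dashboard-auth-secret]
  yaml_body  = each.value
}
```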
+++ b/oci-managed/nlb/variables.tf
@@ -34,5 +34,13 @@ variable "replica_count" {
 variable "values_file" {
 description = "The name of the traefik helmchart values file to use"
 type = string
- default = "traefik-values.yml"
 }
+
+variable "traefik_template_values" {
+ default = {}
+}
+
+variable "traefik_dashboard_ingress_file" {
+ description = "The name of the kubernetes manifest file to use"
+ type = string
+}
\ No newline at end of file
diff --git a/oci-managed/oke/provider.tf b/oci-managed/oke/provider.tf
new file mode 100644
index 0000000..2014fe5
--- /dev/null
+++ b/oci-managed/oke/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 5.30.0"
+ }
+ }
+}
diff --git a/oci-managed/output.tf b/oci-managed/output.tf
index e69de29..b506298 100644
--- a/oci-managed/output.tf
+++ b/oci-managed/output.tf
@@ -0,0 +1,9 @@
+output "traefik_dashboard_username" {
+ value = module.nlb.traefik_dashboard_username
+ sensitive = true
+}
+
+output "traefik_dashboard_password" {
+ value = module.nlb.traefik_dashboard_password
+ sensitive = true
+}
\ No newline at end of file
diff --git a/oci-managed/provider.tf b/oci-managed/provider.tf
index afaeeaf..c6fcf10 100644
--- a/oci-managed/provider.tf
+++ b/oci-managed/provider.tf
@@ -8,6 +8,10 @@ terraform {
 source = "hashicorp/helm"
 version = ">= 2.12.1"
 }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
 }
 }
@@ -24,4 +28,8 @@ provider "helm" {
 kubernetes {
 config_path = "oke/kubeconfig"
 }
+}
+
+provider "kubectl" {
+ config_path = "oke/kubeconfig"
 }
\ No newline at end of file
diff --git a/oci-managed/snet/provider.tf b/oci-managed/snet/provider.tf
new file mode 100644
index 0000000..2014fe5
--- /dev/null
+++ b/oci-managed/snet/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 5.30.0"
+ }
+ }
+}
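Review bot: `traefik_template_values` is declared with only `default = {}`, and that default is not usable: the values template opens with `%{ if letsencrypt }` and `templatefile()` fails on the first reference to a name missing from its vars map, so an omitted input turns a clear "required variable" error into a template error at plan time. Give the variable the shape the template actually reads, `type = object({ letsencrypt = bool, certmanager_email_address = string, cloudflare_email_address = string, cloudflare_api_key = string })`, plus a `description`, and either drop the default or make it a complete disabled configuration (`letsencrypt = false`, empty strings). The `description` on `traefik_dashboard_ingress_file` could also state that the file is a template rendered with `traefik_dashboard_username` and `traefik_dashboard_password`, since a plain manifest will not work there.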
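Review bot: The new `provider "kubectl"` block copies the helm provider's `config_path = "oke/kubeconfig"`, a path relative to the process working directory rather than to the configuration, so running Terraform from any other directory (or via `-chdir`) makes the kubectl provider read the wrong file or fail to load it. Anchoring it as `config_path = "${path.root}/oke/kubeconfig"` removes that dependence; the pre-existing helm block has the same weakness and is worth fixing in the same commit.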
diff --git a/oci-managed/traefik-dashboard.tfpl.yaml b/oci-managed/traefik-dashboard.tfpl.yaml
new file mode 100644
index 0000000..41236fd
--- /dev/null
+++ b/oci-managed/traefik-dashboard.tfpl.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dashboard-authsecret
+ namespace: traefik-loadbalancer
+type: kubernetes.io/basic-auth
+data:
+ username: ${traefik_dashboard_username}
+ password: ${traefik_dashboard_password}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-dashboard-auth
+ namespace: traefik-loadbalancer
+spec:
+ basicAuth:
+ secret: dashboard-authsecret
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: traefik-loadbalancer
+spec:
+ routes:
+ - match: Host(`traefik.varghacsongor.hu`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
+ middlewares:
+ - name: traefik-dashboard-auth
diff --git a/oci-managed/traefik-values.yml b/oci-managed/traefik-values.tfpl.yaml
similarity index 97%
rename from oci-managed/traefik-values.yml
rename to oci-managed/traefik-values.tfpl.yaml
index 0f6e66a..1cedb63 100644
--- a/oci-managed/traefik-values.yml
+++ b/oci-managed/traefik-values.tfpl.yaml
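Review bot: The IngressRoute declares neither `entryPoints` nor a `tls` block, so the dashboard route is attached to every entrypoint the chart defines, including plain-HTTP `web`, and the basic-auth credential is then accepted over cleartext unless the chart values redirect web to websecure (not visible in this patch). Pinning the route to TLS is three lines under `spec`: `entryPoints:` / `  - websecure` / `tls: {}` — or `tls: {certResolver: letsencrypt}` once the resolver in the values template is configured. The hostname `traefik.varghacsongor.hu` is hard-coded in a file that is already rendered with `templatefile()`, so passing it as a variable next to the credential keeps the manifest reusable. The `/api` prefix routes the full Traefik API (router, service and middleware configuration) behind the same credential, which the dashboard UI needs; a comment such as `# /api is required by the dashboard UI and exposes the router/service configuration to authenticated users` records that choice.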
@@ -870,30 +870,34 @@ persistence:
 # -- Certificates resolvers configuration
 certResolvers: {}
-#letsencrypt:
-# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
-# email: email@example.com
-# dnsChallenge:
-# # also add the provider's required configuration under env
-# # or expand then from secrets/configmaps with envfrom
-# # cf. https://doc.traefik.io/traefik/https/acme/#providers
-# provider: cloudflare
-# # add futher options for the dns challenge as needed
-# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
-# delayBeforeCheck: 30
-# resolvers:
-# - 1.1.1.1
-# - 8.8.8.8
-# tlsChallenge: true
-# httpChallenge:
-# entryPoint: "web"
-# # It has to match the path with a persistent volume
-# storage: /data/acme.json
-# env:
-# - name: CLOUDFLARE_EMAIL
-# value: ""
-# - name: CLOUDFLARE_API_KEY
-# value: ""
+
+%{ if letsencrypt }
+letsencrypt:
+ # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+ email: ${certmanager_email_address}
+ dnsChallenge:
+ # also add the provider's required configuration under env
+ # or expand then from secrets/configmaps with envfrom
+ # cf. https://doc.traefik.io/traefik/https/acme/#providers
+ provider: cloudflare
+ # add futher options for the dns challenge as needed
+ # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
+# delayBeforeCheck: 30
+ resolvers:
+ - 1.1.1.1
+ - 1.0.0.2
+
+ tlsChallenge: true
+ httpChallenge:
+ entryPoint: "web"
+ # It has to match the path with a persistent volume
+ storage: /data/acme.json
+ env:
+ - name: CLOUDFLARE_EMAIL
+ value: ${cloudflare_email_address}
+ - name: CLOUDFLARE_API_KEY
+ value: ${cloudflare_api_key}
+%{ endif }
 # -- If hostNetwork is true, runs traefik in the host network namespace
 # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
diff --git a/oci-managed/variables.tf b/oci-managed/variables.tf
index 0b6e35c..beda21e 100644
--- a/oci-managed/variables.tf
+++ b/oci-managed/variables.tf
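Review bot: `certResolvers: {}` is kept as an unchanged line directly above the new `letsencrypt:` block; the chart's commented example that this hunk uncomments nests `letsencrypt` under `certResolvers`, so (indentation is lost in this view) the block is either an indented continuation of an already-closed `{}` flow mapping, which is a YAML parse error, or a top-level key the chart ignores — in both cases no resolver is configured. The conditional should own the parent key: `%{ if letsencrypt }` / `certResolvers:` / `  letsencrypt:` with `certResolvers: {}` in an `%{ else }` branch. The Cloudflare credential is rendered straight into a container `env` `value:`, which the chart comment two lines above ("expand then from secrets/configmaps with envfrom") suggests replacing with a `valueFrom.secretKeyRef` so the key is not embedded in the Helm release values; a DNS-scoped token (`CLOUDFLARE_DNS_API_TOKEN`) instead of the account-wide `CLOUDFLARE_API_KEY`/`CLOUDFLARE_EMAIL` pair also limits what a leaked value can do. `resolvers` pairs `1.1.1.1` with `1.0.0.2`, which mixes Cloudflare's standard resolver with its malware-filtering one — presumably `1.0.0.1` was intended.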
@@ -4,11 +4,18 @@ variable "user_ocid" {}
 variable "fingerprint" {}
 variable "private_key_path" {}
 variable "availability_domain" {}
-variable "my_public_ip_cidr" {}
 variable "cluster_name" {}
-variable "agent_os_image_id" {}
-variable "server_os_image_id" {}
-variable "certmanager_email_address" {}
+
+variable "certmanager_email_address" {
+ type = string
+}
+variable "cloudflare_email_address" {
+ type = string
+}
+variable "cloudflare_api_key" {
+ type = string
+}
+
 variable "region" {}
 variable "public_key_path" {}
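Review bot: `cloudflare_api_key` and `cloudflare_email_address` are declared with `type = string` and no default, so both are mandatory inputs even though main.tf treats an empty key as "Let's Encrypt disabled"; a caller who does not use Cloudflare has to pass `""` explicitly or Terraform prompts for it. Adding `default = ""` to both new variables makes the toggle work as written, and a `description` on each of the three blocks (for example `description = "Cloudflare credential for the ACME DNS challenge; leave empty to disable Let's Encrypt"`) documents which inputs are optional.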