diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 9344a0260..7d110dc2f 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -1,188 +1,176 @@ { - "enabled": true, - "timezone": "Europe/Paris", - "semanticCommits": "enabled", - "dependencyDashboard": true, - "dependencyDashboardTitle": "Renovate Dashboard", - "commitBody": "Signed-off-by: auricom <27022259+auricom@users.noreply.github.com>", + enabled: true, + timezone: "Europe/Paris", + semanticCommits: "enabled", + dependencyDashboard: true, + dependencyDashboardTitle: "Renovate Dashboard", + commitBody: "Signed-off-by: auricom <27022259+auricom@users.noreply.github.com>", // Do not notify on closed unmerged PRs - "suppressNotifications": ["prIgnoreNotification"], + suppressNotifications: ["prIgnoreNotification"], // Do not rebase PRs - "rebaseWhen": "conflicted", - "assignees": ["@auricom"], + rebaseWhen: "conflicted", + assignees: ["@auricom"], "helm-values": { - "fileMatch": [ - "cluster/.+/helm-release\\.yaml$" - ] + fileMatch: ["cluster/.+/helm-release\\.yaml$"], }, - "kubernetes": { - "fileMatch": [ - "cluster/.+\\.yaml$" - ], - "ignorePaths": [ - "cluster/base/" - ] + kubernetes: { + fileMatch: ["cluster/.+\\.yaml$"], + ignorePaths: ["cluster/base/"], }, - "regexManagers": [ + regexManagers: [ // regexManager to read and process HelmRelease files { - "fileMatch": [ - "cluster/.+\\.yaml$" - ], - "matchStrings": [ + fileMatch: ["cluster/.+\\.yaml$"], + matchStrings: [ // helm releases - "registryUrl=(?.*?)\n *chart: (?.*?)\n *version: (?.*)\n" + "registryUrl=(?.*?)\n *chart: (?.*?)\n *version: (?.*)\n", ], - "datasourceTemplate": "helm" + datasourceTemplate: "helm", }, // regexManager to read and process cert-manager CRD's { - "fileMatch": [ - "cluster/base-custom/crds/cert-manager/.+\\.yaml$" + fileMatch: ["cluster/base-custom/crds/cert-manager/.+\\.yaml$"], + matchStrings: [ + "registryUrl=(?.*?) chart=(?.*?)\n.*\\/(?.*?)\\/", ], - "matchStrings": [ - "registryUrl=(?.*?) 
chart=(?.*?)\n.*\\/(?.*?)\\/" - ], - "datasourceTemplate": "helm" + datasourceTemplate: "helm", }, // regexManager to read and process kube-prometheus-stack CRD's { - "fileMatch": [ - "cluster/base-custom/crds/kube-prometheus-stack/.+\\.yaml$" + fileMatch: ["cluster/base-custom/crds/kube-prometheus-stack/.+\\.yaml$"], + matchStrings: [ + "registryUrl=(?.*?)\n *tag: (?[a-zA-Z-]+)-(?.*)\n", ], - "matchStrings": [ - "registryUrl=(?.*?)\n *tag: (?[a-zA-Z-]+)-(?.*)\n" + datasourceTemplate: "helm", + }, + // regexManager to read and process Traefik CRD's + { + fileMatch: ["cluster/crds/traefik/.+\\.yaml$"], + matchStrings: [ + "registryUrl=(?.*?) chart=(?.*?)\n *tag: v(?.*)\n", ], - "datasourceTemplate": "helm" + datasourceTemplate: "helm", }, // regexManager to read and process Rook-Ceph CRD's { - "fileMatch": [ - "cluster/base-custom/crds/rook-ceph/.+\\.yaml$" + fileMatch: ["cluster/base-custom/crds/rook-ceph/.+\\.yaml$"], + matchStrings: [ + "registryUrl=(?.*?) chart=(?.*?)\n *tag: (?.*)\n", ], - "matchStrings": [ - "registryUrl=(?.*?) 
chart=(?.*?)\n *tag: (?.*)\n" - ], - "datasourceTemplate": "helm" - } + datasourceTemplate: "helm", + }, ], - "packageRules": [ + packageRules: [ // Setup datasources { - "matchDatasources": ["helm"], - "semanticCommitScope": "charts", - "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "to {{{newValue}}}", - "separateMinorPatch": true, - "ignoreDeprecated": true + matchDatasources: ["helm"], + semanticCommitScope: "charts", + commitMessageTopic: "{{depName}}", + commitMessageExtra: "to {{{newValue}}}", + separateMinorPatch: true, + ignoreDeprecated: true, }, { - "matchDatasources": ["docker"], - "enabled": true, - "matchUpdateTypes": ["major", "minor", "patch"] + matchDatasources: ["docker"], + enabled: true, + matchUpdateTypes: ["major", "minor", "patch"], }, { - "matchDatasources": ["docker"], - "semanticCommitScope": "images", - "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "to {{{newValue}}}", - "separateMinorPatch": true + matchDatasources: ["docker"], + semanticCommitScope: "images", + commitMessageTopic: "{{depName}}", + commitMessageExtra: "to {{{newValue}}}", + separateMinorPatch: true, }, // Add labels according to package and update types { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(images)!: ", - "labels": ["renovate/image", "dep/major"] + matchDatasources: ["docker"], + matchUpdateTypes: ["major"], + commitMessagePrefix: "feat(images)!: ", + labels: ["renovate/image", "dep/major"], }, { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["minor"], - "semanticCommitType": "feat", - "labels": ["renovate/image", "dep/minor"] + matchDatasources: ["docker"], + matchUpdateTypes: ["minor"], + semanticCommitType: "feat", + labels: ["renovate/image", "dep/minor"], }, { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["patch"], - "semanticCommitType": "fix", - "labels": ["renovate/image", "dep/patch"] + matchDatasources: ["docker"], + matchUpdateTypes: ["patch"], + 
semanticCommitType: "fix", + labels: ["renovate/image", "dep/patch"], }, { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(charts)!: ", - "labels": ["renovate/helm", "dep/major"] + matchDatasources: ["helm"], + matchUpdateTypes: ["major"], + commitMessagePrefix: "feat(charts)!: ", + labels: ["renovate/helm", "dep/major"], }, { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["minor"], - "semanticCommitType": "feat", - "labels": ["renovate/helm", "dep/minor"] + matchDatasources: ["helm"], + matchUpdateTypes: ["minor"], + semanticCommitType: "feat", + labels: ["renovate/helm", "dep/minor"], }, { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["patch"], - "semanticCommitType": "fix", - "labels": ["renovate/helm", "dep/patch"] + matchDatasources: ["helm"], + matchUpdateTypes: ["patch"], + semanticCommitType: "fix", + labels: ["renovate/helm", "dep/patch"], }, // custom version schemes { - "matchDatasources": ["docker"], - "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-*-(?.*)$", - "matchPackageNames": ["blakeblackshear/frigate"] + matchDatasources: ["docker"], + versioning: "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-*-(?.*)$", + matchPackageNames: ["blakeblackshear/frigate"], }, // custom version schemes { - "matchDatasources": ["docker"], - "versioning": "regex:^version-v(?\\d+)\\.(?\\d+)\\.(?\\d+)$", - "matchPackageNames": ["ghcr.io/linuxserver/bookstack", "ghcr.io/linuxserver/healthchecks"] + matchDatasources: ["docker"], + versioning: "regex:^version-v(?\\d+)\\.(?\\d+)\\.(?\\d+)$", + matchPackageNames: [ + "ghcr.io/linuxserver/bookstack", + "ghcr.io/linuxserver/healthchecks", + ], }, // custom version schemes { - "matchDatasources": ["docker"], - "versioning": "regex:^version-(?\\d+)\\.(?\\d+)\\.(?\\d+)$", - "matchPackageNames": ["ghcr.io/linuxserver/resilio-sync"] + matchDatasources: ["docker"], + versioning: "regex:^version-(?\\d+)\\.(?\\d+)\\.(?\\d+)$", + matchPackageNames: 
["ghcr.io/linuxserver/resilio-sync"], }, // pin package versions { - "matchDatasources": ["docker"], - "allowedVersions": "<13", - "matchPackageNames": [ - "postgres", - "prodrigestivill/postgres-backup-local" - ] + matchDatasources: ["docker"], + allowedVersions: "<13", + matchPackageNames: ["postgres", "prodrigestivill/postgres-backup-local"], }, { - "matchDatasources": ["docker"], - "versioning": "loose", - "matchPackageNames": [ - "ghcr.io/k8s-at-home/qbittorrent" - ] + matchDatasources: ["docker"], + versioning: "loose", + matchPackageNames: ["ghcr.io/k8s-at-home/qbittorrent"], }, // enable auto-merge { - "matchDatasources": ["docker"], - "automerge": true, - "automergeType": "branch", - "requiredStatusChecks": null, - "matchUpdateTypes": ["minor", "patch"], - "matchPackageNames": [ - "ghcr.io/k8s-at-home/prowlarr" - ] + matchDatasources: ["docker"], + automerge: true, + automergeType: "branch", + requiredStatusChecks: null, + matchUpdateTypes: ["minor", "patch"], + matchPackageNames: ["ghcr.io/k8s-at-home/prowlarr"], }, { - "matchDatasources": ["helm", "docker"], - "matchPackagePatterns": ["^rook.ceph"], - "groupName": "rook-ceph-suite", - "additionalBranchPrefix": "" + matchDatasources: ["helm", "docker"], + matchPackagePatterns: ["^rook.ceph"], + groupName: "rook-ceph-suite", + additionalBranchPrefix: "", }, { - "matchPackageNames": [ - "rancher/system-upgrade-controller" - ], - "groupName": "rancher/system-upgrade-controller", - "additionalBranchPrefix": "", - "separateMinorPatch": true - } - ] + matchPackageNames: ["rancher/system-upgrade-controller"], + groupName: "rancher/system-upgrade-controller", + additionalBranchPrefix: "", + separateMinorPatch: true, + }, + ], } diff --git a/cluster/apps/data/forecastle/helm-release.yaml b/cluster/apps/data/forecastle/helm-release.yaml index 0756f0c97..7c5ac27e1 100644 --- a/cluster/apps/data/forecastle/helm-release.yaml +++ b/cluster/apps/data/forecastle/helm-release.yaml 
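Review bot: The new Traefik regexManager's `fileMatch: ["cluster/crds/traefik/.+\\.yaml$"]` does not match the path this same commit creates for the Traefik CRD source, `cluster/base-custom/crds/traefik/crds.yaml`, so the `# renovate: registryUrl=... chart=traefik` hint above `tag: v10.1.1` will never be picked up and the CRD tag will silently drift from the chart `version: 10.1.1` pinned in the HelmRelease. Every sibling manager in this hunk uses the `cluster/base-custom/crds/...` prefix, so this looks like a typo rather than a deliberate path. Change the line to `fileMatch: ["cluster/base-custom/crds/traefik/.+\\.yaml$"],`.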
@@ -26,7 +26,7 @@ spec: - development - home - media - - network + - networking ingress: enabled: true annotations: diff --git a/cluster/apps/kasten-io/k10/helm-release.yaml b/cluster/apps/kasten-io/k10/helm-release.yaml index f5ca193df..057e1842f 100644 --- a/cluster/apps/kasten-io/k10/helm-release.yaml +++ b/cluster/apps/kasten-io/k10/helm-release.yaml @@ -20,7 +20,7 @@ spec: values: eula: accept: true - company: "${SECRET_CLUSTER_DOMAIN_CERT}" + company: "${SECRET_CLUSTER_DOMAIN/./-}" email: "${SECRET_CLUSTER_DOMAIN_EMAIL}" global: persistence: @@ -45,4 +45,4 @@ spec: - "k10.${SECRET_CLUSTER_DOMAIN}" tls: enabled: true - secretName: "${SECRET_CLUSTER_DOMAIN_CERT}-tls" + secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" diff --git a/cluster/apps/monitoring/healthchecks/helm-release.yaml b/cluster/apps/monitoring/healthchecks/helm-release.yaml index db6dfdd31..5ddca75af 100644 --- a/cluster/apps/monitoring/healthchecks/helm-release.yaml +++ b/cluster/apps/monitoring/healthchecks/helm-release.yaml @@ -68,8 +68,9 @@ spec: ingress: main: enabled: true + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - host: healthchecks.${SECRET_CLUSTER_DOMAIN} paths: diff --git a/cluster/apps/networking/certificate/certificate.yaml b/cluster/apps/networking/certificate/certificate.yaml index c2d6472af..a14e7198e 100644 --- a/cluster/apps/networking/certificate/certificate.yaml +++ b/cluster/apps/networking/certificate/certificate.yaml @@ -2,10 +2,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: "${SECRET_CLUSTER_DOMAIN_CERT}" + name: "${SECRET_CLUSTER_DOMAIN/./-}" namespace: networking spec: - secretName: "${SECRET_CLUSTER_DOMAIN_CERT}-tls" + secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" issuerRef: name: letsencrypt-production kind: ClusterIssuer 
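Review bot: `company: "${SECRET_CLUSTER_DOMAIN/./-}"` and `secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"` in the k10 hunk rely on the post-build substitution step supporting bash-style pattern replacement, and that form replaces only the first `.`; if SECRET_CLUSTER_DOMAIN ever carries more than one dot the derived name keeps the remaining dots, and the resulting secret name would no longer match a Certificate that was renamed by hand. The same expression is used in the certificate hunk below, in the ingress-nginx `default-ssl-certificate` hunk, in the new dashboard Ingress and in the TLSStore, so whatever form is chosen must be changed in all of them together. I cannot tell from the hunk whether the domain has a single dot; if multi-dot domains are possible, the replace-all form `${SECRET_CLUSTER_DOMAIN//./-}` is the one that yields a purely dash-separated name. The k10 `values:` block continues outside the hunk.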
diff --git a/cluster/apps/networking/ingress-nginx/helm-release.yaml b/cluster/apps/networking/ingress-nginx/helm-release.yaml index a75709bed..ed1820166 100644 --- a/cluster/apps/networking/ingress-nginx/helm-release.yaml +++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml @@ -39,7 +39,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: "networking/${SECRET_CLUSTER_DOMAIN_CERT}-tls" + default-ssl-certificate: "networking/${SECRET_CLUSTER_DOMAIN/./-}-tls" resources: requests: memory: 250Mi diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml index e055bd585..0a1d8baf2 100644 --- a/cluster/apps/networking/kustomization.yaml +++ b/cluster/apps/networking/kustomization.yaml @@ -8,4 +8,5 @@ resources: - certificate - ingress-nginx - k8s-gateway + - traefik - unifi diff --git a/cluster/apps/networking/traefik/dashboard/ingress.yaml b/cluster/apps/networking/traefik/dashboard/ingress.yaml new file mode 100644 index 000000000..d6cdd4e52 --- /dev/null +++ b/cluster/apps/networking/traefik/dashboard/ingress.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: traefik-dashboard + namespace: networking + annotations: + kubernetes.io/ingress.class: "traefik" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" +spec: + tls: + - secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" + rules: + - host: traefik.${SECRET_CLUSTER_DOMAIN} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: traefik + port: + number: 9000 diff --git a/cluster/apps/networking/traefik/dashboard/kustomization.yaml b/cluster/apps/networking/traefik/dashboard/kustomization.yaml new file mode 100644 index 000000000..afec11c28 --- /dev/null +++ b/cluster/apps/networking/traefik/dashboard/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ingress.yaml 
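Review bot: The new dashboard Ingress publishes `traefik.${SECRET_CLUSTER_DOMAIN}` straight to service `traefik` port `9000`, which is the API/dashboard port that the HelmRelease in this commit starts with `--api.insecure=true`, and the Ingress carries no authentication middleware even though the same commit defines a `forward-auth` chain (rfc1918-ips + authelia) in the networking namespace. Add `traefik.ingress.kubernetes.io/router.middlewares: "networking-forward-auth@kubernetescrd"` under `annotations:` so the dashboard is gated the same way as the rest of the cluster, or drop the Ingress until it is. The file also selects the class with the legacy `kubernetes.io/ingress.class: "traefik"` annotation while the healthchecks hunk in this commit moved to `spec.ingressClassName: "traefik"`; pick one form for both.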
diff --git a/cluster/apps/networking/traefik/helm-release.yaml b/cluster/apps/networking/traefik/helm-release.yaml new file mode 100644 index 000000000..d46854eee --- /dev/null +++ b/cluster/apps/networking/traefik/helm-release.yaml 
@@ -0,0 +1,82 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: traefik
+ namespace: networking
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://helm.traefik.io/traefik
+ chart: traefik
+ version: 10.1.1
+ sourceRef:
+ kind: HelmRepository
+ name: traefik-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ deployment:
+ enabled: true
+ kind: DaemonSet
+ service:
+ enabled: true
+ type: LoadBalancer
+ spec:
+ externalIPs:
+ - "${CLUSTER_LB_TRAEFIK}"
+ externalTrafficPolicy: Local
+ logs:
+ general:
+ format: json
+ level: DEBUG
+ access:
+ enabled: true
+ format: json
+ ingressClass:
+ enabled: true
+ isDefaultClass: true
+ fallbackApiVersion: v1
+ ingressRoute:
+ dashboard:
+ enabled: false
+ globalArguments:
+ - "--api.insecure=true"
+ - "--serverstransport.insecureskipverify=true"
+ - "--providers.kubernetesingress.ingressclass=traefik"
+ - "--metrics.prometheus=true"
+ - "--metrics.prometheus.entryPoint=metrics"
+ - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
+ additionalArguments:
+ - "--providers.kubernetesingress.ingressendpoint.ip=${CLUSTER_LB_TRAEFIK}"
+ ports:
+ traefik:
+ expose: true
+ web:
+ redirectTo: websecure
+ websecure:
+ tls:
+ enabled: true
+ options: "default"
+ metrics:
+ port: 8082
+ expose: true
+ exposedPort: 8082
+ tlsOptions:
+ default:
+ minVersion: VersionTLS12
+ maxVersion: VersionTLS13
+ sniStrict: true
+ pilot:
+ enabled: true
+ token: "${SECRET_TRAEFIK_PILOT_TOKEN}"
+ experimental:
+ plugins:
+ enabled: true
+ resources:
+ requests:
+ memory: 100Mi
+ cpu: 500m
+ limits:
+ memory: 500Mi
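Review bot: `--api.insecure=true` combined with `ports.traefik.expose: true` puts the unauthenticated API/dashboard (port 9000) on the LoadBalancer Service bound to `${CLUSTER_LB_TRAEFIK}`, so it is reachable by anyone who can route to that address without passing through any Ingress, TLS or middleware; `ingressRoute.dashboard.enabled: false` does not close this path. Prefer `expose: false` for the `traefik` port and serve the dashboard through an IngressRoute to `api@internal` guarded by the `forward-auth` middleware this commit adds, which the Traefik CRDs installed in the same commit make possible. `--serverstransport.insecureskipverify=true` is a global argument, so certificate verification is disabled for every backend rather than only the self-signed ones; the `serverstransports.traefik.containo.us` CRD added here lets that be scoped per service. `level: DEBUG` on the general log is also verbose for a production edge proxy and can capture request details into the log pipeline.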
diff --git a/cluster/apps/networking/traefik/kustomization.yaml b/cluster/apps/networking/traefik/kustomization.yaml
new file mode 100644
index 000000000..f98382ac1
--- /dev/null
+++ b/cluster/apps/networking/traefik/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
+ - service-monitor.yaml
+ - tls-store
+ - dashboard
+ - middlewares
diff --git a/cluster/apps/networking/traefik/middlewares/authelia.yaml b/cluster/apps/networking/traefik/middlewares/authelia.yaml
new file mode 100644
index 000000000..296f8810a
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/authelia.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authelia
+ namespace: networking
+spec:
+ forwardAuth:
+ address: http://authelia.networking.svc.cluster.local./api/verify?rd=https://login.${SECRET_CLUSTER_DOMAIN}
diff --git a/cluster/apps/networking/traefik/middlewares/buffering-large.yaml b/cluster/apps/networking/traefik/middlewares/buffering-large.yaml
new file mode 100644
index 000000000..221c30eb3
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/buffering-large.yaml
@@ -0,0 +1,11 @@
+---
+# Sets the maximum request body to 2000Mb
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: buffering-large
+ namespace: networking
+spec:
+ buffering:
+ maxRequestBodyBytes: 2000000000
+ memRequestBodyBytes: 2000000
diff --git a/cluster/apps/networking/traefik/middlewares/buffering-medium.yaml b/cluster/apps/networking/traefik/middlewares/buffering-medium.yaml
new file mode 100644
index 000000000..e9fd2a87d
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/buffering-medium.yaml
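Review bot: The `authelia` forwardAuth middleware sets only `address:`, so the headers Authelia returns on a successful verify are not forwarded to the upstream and the upstream's own `X-Forwarded-*` view is whatever Traefik sends by default; any application behind `forward-auth` that expects an identity header will see an authenticated but anonymous request. If upstreams consume Authelia's identity headers, add `authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]` under `forwardAuth:` (confirm the exact header names against the Authelia version in use). Also worth a comment on `address:` that the `?rd=https://login.${SECRET_CLUSTER_DOMAIN}` query is the redirect target for unauthenticated browsers, so a reader does not mistake it for part of the verify endpoint.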
@@ -0,0 +1,11 @@
+---
+# Sets the maximum request body to 200Mb
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: buffering-medium
+ namespace: networking
+spec:
+ buffering:
+ maxRequestBodyBytes: 200000000
+ memRequestBodyBytes: 2000000
diff --git a/cluster/apps/networking/traefik/middlewares/buffering-small.yaml b/cluster/apps/networking/traefik/middlewares/buffering-small.yaml
new file mode 100644
index 000000000..aba836627
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/buffering-small.yaml
@@ -0,0 +1,11 @@
+---
+# Sets the maximum request body to 20Mb
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: buffering-small
+ namespace: networking
+spec:
+ buffering:
+ maxRequestBodyBytes: 20000000
+ memRequestBodyBytes: 2000000
diff --git a/cluster/apps/networking/traefik/middlewares/forward-auth.yaml b/cluster/apps/networking/traefik/middlewares/forward-auth.yaml
new file mode 100644
index 000000000..54f0340dc
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/forward-auth.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: forward-auth
+ namespace: networking
+spec:
+ chain:
+ middlewares:
+ - name: rfc1918-ips
+ - name: authelia
diff --git a/cluster/apps/networking/traefik/middlewares/kustomization.yaml b/cluster/apps/networking/traefik/middlewares/kustomization.yaml
new file mode 100644
index 000000000..d6544e459
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - authelia.yaml
+ - buffering-large.yaml
+ - buffering-medium.yaml
+ - buffering-small.yaml
+ - rfc1918.yaml
+ - redirect-path.yaml
+ - forward-auth.yaml
diff --git a/cluster/apps/networking/traefik/middlewares/redirect-path.yaml b/cluster/apps/networking/traefik/middlewares/redirect-path.yaml
new file mode 100644
index 000000000..bacbe9c0a
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/redirect-path.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-regex
+ namespace: networking
+spec:
+ redirectRegex:
+ regex: "^(https?://[^/]+/[a-z0-9_]+)$"
+ replacement: "${1}/"
+ permanent: true
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: strip-prefix-regex
+ namespace: networking
+spec:
+ stripPrefixRegex:
+ regex:
+ - "/[a-z0-9_]+"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-path
+ namespace: networking
+spec:
+ chain:
+ middlewares:
+ - name: redirect-regex
+ - name: strip-prefix-regex
diff --git a/cluster/apps/networking/traefik/middlewares/rfc1918.yaml b/cluster/apps/networking/traefik/middlewares/rfc1918.yaml
new file mode 100644
index 000000000..de00e7469
--- /dev/null
+++ b/cluster/apps/networking/traefik/middlewares/rfc1918.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: rfc1918-ips
+ namespace: networking
+spec:
+ ipWhiteList:
+ sourceRange:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: rfc1918
+ namespace: networking
+spec:
+ chain:
+ middlewares:
+ - name: rfc1918-ips
diff --git a/cluster/apps/networking/traefik/service-monitor.yaml b/cluster/apps/networking/traefik/service-monitor.yaml
new file mode 100644
index 000000000..740f88d5a
--- /dev/null
+++ b/cluster/apps/networking/traefik/service-monitor.yaml
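Review bot: `replacement: "${1}/"` lives under `cluster/apps/`, the same tree where this commit relies on post-build variable substitution (`${SECRET_CLUSTER_DOMAIN}`, `${CLUSTER_LB_TRAEFIK}`), so the `${1}` back-reference may be interpreted by the substitution step before Traefik ever sees it, leaving the redirect with an empty or literal target; I cannot confirm from the hunk how the substitution treats a numeric name. Verify the rendered Middleware in the cluster, and if `${1}` is rewritten, either escape it in the form the substitution step supports or exclude this file from substitution. A comment such as `# ${1} is a Go regex back-reference for Traefik, not a Flux variable` above `replacement:` would save the next reader the same investigation.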
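Review bot: `ipWhiteList` in `rfc1918-ips` sets no `ipStrategy`, so the check is made against the TCP peer address rather than `X-Forwarded-For`; that is the safe default and it works here only because the HelmRelease sets `externalTrafficPolicy: Local`, which preserves the client source address. It also means requests arriving through the proxy ranges listed in `forwardedHeaders.trustedIPs` will be rejected by this middleware even if the original client is on a private range, which may or may not be intended. Add a comment above `sourceRange:` stating that the match is on the peer address and depends on `externalTrafficPolicy: Local`, so the two settings are not changed independently.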
@@ -0,0 +1,19 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: traefik + namespace: networking + labels: + app.kubernetes.io/name: traefik +spec: + endpoints: + - path: /metrics + targetPort: metrics + jobLabel: traefik + namespaceSelector: + matchNames: + - networking + selector: + matchLabels: + app.kubernetes.io/name: traefik diff --git a/cluster/apps/networking/traefik/tls-store/default.yaml b/cluster/apps/networking/traefik/tls-store/default.yaml new file mode 100644 index 000000000..2e57282ad --- /dev/null +++ b/cluster/apps/networking/traefik/tls-store/default.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSStore +metadata: + name: default + namespace: networking +spec: + defaultCertificate: + secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" diff --git a/cluster/apps/networking/traefik/tls-store/kustomization.yaml b/cluster/apps/networking/traefik/tls-store/kustomization.yaml new file mode 100644 index 000000000..17e7c2d3a --- /dev/null +++ b/cluster/apps/networking/traefik/tls-store/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - default.yaml diff --git a/cluster/base-custom/charts/kustomization.yaml b/cluster/base-custom/charts/kustomization.yaml index a3ea87547..b7cd3ed96 100644 --- a/cluster/base-custom/charts/kustomization.yaml +++ b/cluster/base-custom/charts/kustomization.yaml @@ -23,5 +23,6 @@ resources: - rook-ceph-charts.yaml - runix-charts.yaml - stakater-charts.yaml + - traefik-charts.yaml - twuni-charts.yaml - weaveworks-kured-charts.yaml diff --git a/cluster/base-custom/charts/traefik-charts.yaml b/cluster/base-custom/charts/traefik-charts.yaml new file mode 100644 index 000000000..b25f843bd --- /dev/null +++ b/cluster/base-custom/charts/traefik-charts.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: traefik-charts + namespace: flux-system +spec: + interval: 10m + url: https://helm.traefik.io/traefik + timeout: 3m diff --git a/cluster/base-custom/crds/kustomization.yaml b/cluster/base-custom/crds/kustomization.yaml index c635f57fe..9781743df 100644 --- a/cluster/base-custom/crds/kustomization.yaml +++ b/cluster/base-custom/crds/kustomization.yaml @@ -5,3 +5,4 @@ resources: - external-snapshotter - kube-prometheus-stack - rook-ceph + - traefik diff --git a/cluster/base-custom/crds/traefik/crds.yaml b/cluster/base-custom/crds/traefik/crds.yaml new file mode 100644 index 000000000..5f31a5107 --- /dev/null +++ b/cluster/base-custom/crds/traefik/crds.yaml 
@@ -0,0 +1,57 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: traefik-crd-source
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://github.com/traefik/traefik-helm-chart.git
+ ref:
+ # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik
+ tag: v10.1.1
+ ignore: |
+ # exclude all
+ /*
+ # path to crds
+ !/traefik/crds/
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+ name: traefik-crds
+ namespace: flux-system
+spec:
+ interval: 15m
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: traefik-crd-source
+ healthChecks:
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: ingressroutes.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: ingressroutetcps.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: ingressrouteudps.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: middlewares.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: middlewaretcps.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: serverstransports.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: tlsoptions.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: tlsstores.traefik.containo.us
+ - apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: traefikservices.traefik.containo.us
diff --git a/cluster/base-custom/crds/traefik/kustomization.yaml b/cluster/base-custom/crds/traefik/kustomization.yaml
new file mode 100644
index 000000000..2ed3b3515
--- /dev/null
+++ b/cluster/base-custom/crds/traefik/kustomization.yaml
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - crds.yaml diff --git a/cluster/base-custom/secrets/cluster-secrets.yaml b/cluster/base-custom/secrets/cluster-secrets.yaml index 9cac20601..b0886a8d5 100644 --- a/cluster/base-custom/secrets/cluster-secrets.yaml +++ b/cluster/base-custom/secrets/cluster-secrets.yaml @@ -26,7 +26,6 @@ stringData: SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str] SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str] SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:pDPm3TYITWApPZRMcSH6ijtPQQuHSd/PNT2Wy23tUp7uzluhHS5hvlujTkjk7oRb95kE6Gi2D8yDmNg=,iv:HQyMQiaRsjNIfPUTjLRVL/zchSdXFmevxaeruwGx3tk=,tag:l+po8014SaZd61DxE1T43A==,type:str] - SECRET_CLUSTER_DOMAIN_CERT: ENC[AES256_GCM,data:lQFcc5oCNhsXNN5OUzrG,iv:cVmRMmNfypUi+OhHSujSsxLcdqRKtkptl2R4M5q9dxo=,tag:plUtXx/JCTty+GWACtwqXg==,type:str] SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:kiuNa+aDxNQwby0BorWtRylnjbWw,iv:0j20Vdux17muKzlO2Q3KzsZg9VrT411VoYxjqQC5xhQ=,tag:w7gCUgQFIlVdUFfHhB7pvQ==,type:str] SECRET_CLUSTER_DOMAIN_ROOT: ENC[AES256_GCM,data:ho+ylXKrt7CZiOM=,iv:8873E4Td/82lWVwq/kXkEB8vgxEYha23/nbTkXfle/w=,tag:Yb/VInyUUOPhLUtq+Q+krQ==,type:str] SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:mVPDuVpAXej8CQ0AO85o,iv:PF739I+LZMZaPpfCMZO62eMUbFqgtMszj2cOuIgfcfI=,tag:zEAjj33h/Ux53ctkCzapyw==,type:str] 
@@ -77,6 +76,7 @@ stringData: SECRET_SHARRY_JDBC_URL: ENC[AES256_GCM,data:Z9vlzRj0cTi7TS9o+Y6qU1gAcCPpG9bs5wfsQSnesvY18PcCQvft7SYtMC9UJTBIUGUVbX0nyVr39qopTCiKQ31qrWY7,iv:KaHrAdwvTD2r+y7ZKj6uBb9kYtWRG6BCohCSqrHaDLc=,tag:ZqOk4hDb/iHiYG/In2Fjpw==,type:str] SECRET_SEARX_MORTY_KEY: ENC[AES256_GCM,data:UgvCIYVHVufp7FKsT7J4d+s1wr+PrVZ7y5haw3WaRdGwCJxdkCEor2e99W8=,iv:EvryXyd3wkyy5d9lUcf6WnY7OP3LfxPfgy3C7ahWv94=,tag:Wkcrs3MsEnJbKJia8mV3dg==,type:str] SECRET_SMTP_USERNAME: ENC[AES256_GCM,data:aq9pkTbnjOm/howevEEksUcHZ89fnJ8=,iv:pMnRHW9ovGVaGZT3ZdUum/Bma1DIIfhJKAUAOAoGOxA=,tag:fh5VBDiGaBWftaD6CEjb5w==,type:str] + SECRET_TRAEFIK_PILOT_TOKEN: ENC[AES256_GCM,data:iXgpUK3dNRNgUXdPqmMHRTlcaGEo8lXzEalDD96O5xFz5PWs,iv:Q4S1dDNsrCOD+UIpeVl+jkyKopN3Wc9Nv5913+SwDdk=,tag:0YNwNz/wqdy0cHhucVFx9g==,type:str] SECRET_QBITTORRENT_PASSWORD: ENC[AES256_GCM,data:QYPZQAfyCfFZDJ5rOzwwWyOFzss=,iv:ae8mdLGW+4KxI4ucsee0XSHfkHmwTK/mbtjsYpNICeo=,tag:h4xs4eCtzn0jax1Xag67Bg==,type:str] SECRET_VAULTWARDEN_ADMIN_TOKEN: ENC[AES256_GCM,data:vtwpb77LDqlbDs9MY3jhaIzvgZewXPnHzyoHWvUvHH7YehP/bcuDMIc8cyOKOoTFQvRr7ELzLUcdFwbnqS3QWg==,iv:IWY80COdm4yktD2YuyjE7GZNLbEqbXTstHO3RQQwgJk=,tag:RwKJke7H4vIghb0v15wAxw==,type:str] SECRET_VAULTWARDEN_DB_URL: ENC[AES256_GCM,data:jRWid42P/76nXkuFQjyyzNTUTVSTCafEcnp+7k01/vlj3hayfO8C0SbF61bOB7/xZmECHrfCEFvstQvbtsw19Ae98T4ZuWOk6Zic7tFE/j61eBo+OPK0MVDth60CT5ggPmKvxw==,iv:Wo8QyxwvyWu3SmDWg287nw0NiVER7c6wyLQLcOW3I/4=,tag:Og6XASh6g420fgZIS9uFXQ==,type:str] 
@@ -92,8 +92,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2021-08-05T23:52:05Z" - mac: ENC[AES256_GCM,data:wutzizSzG2/pdjFEYeTCpRYjsB7XgLdyOkfVlKkuhcmOw/l22hk3hLpytCdjNHLRQ5wFrEtXhfLNdXkvfPX17FJ+Sp5em/87jXG7z12FeM8FQBmmBth0+6k5pGgcb5ECBVvmp7Jv1Nk9/x/KN51bfy4INp7azK9OhzdvIdd9s/U=,iv:LnWgssuwz/zn+JS8LGzmODJhvMsygYzlsCJ6EIG9al0=,tag:wb6sHKa5hp/4lhi0L9jkOQ==,type:str] + lastmodified: "2021-08-06T12:33:06Z" + mac: ENC[AES256_GCM,data:kvUJdqOsMCa02I9GjZuxGdj/Y4GOEisrx5gMLrU6LeDb0qeUuqm3++8FhB38J4DTpitWxDivc8MBiYXFCgcQis7SRqPDGT+f/0scL0qCklsX0Q1PUOD9uG9M1ZBS+oo78i20rx5YJ6uv8M7SOVg4MwpG0HkNHuU9dPs1rUzQ4lY=,iv:f2wzA3gdagZsw4gTTDeenH8voLq9B4z5j5WbgBpLygQ=,tag:9+PRb5ch0J4qPC4gjgrjKw==,type:str] pgp: - created_at: "2021-07-17T21:14:34Z" enc: | diff --git a/cluster/base-custom/settings/cluster-settings.yaml b/cluster/base-custom/settings/cluster-settings.yaml index 97e2c5b02..26c4bab36 100644 --- a/cluster/base-custom/settings/cluster-settings.yaml +++ b/cluster/base-custom/settings/cluster-settings.yaml @@ -7,11 +7,12 @@ metadata: data: CLUSTER_LB_K8SGATEWAY: 192.168.169.100 CLUSTER_LB_INGRESS: 192.168.169.101 - CLUSTER_LB_HASS: 192.168.169.102 + CLUSTER_LB_TRAEFIK: 192.168.169.102 CLUSTER_LB_UNIFI: 192.168.169.103 CLUSTER_LB_GITEA: 192.168.169.104 CLUSTER_LB_QBITTORRENT: 192.168.169.105 CLUSTER_LB_RESILIOSYNC: 192.168.169.106 + CLUSTER_LB_HASS: 192.168.169.107 CLUSTER_LB_LOKI_SYSLOG: 192.168.169.108 CLUSTER_LB_EMQX: 192.168.169.109 CLUSTER_LB_TDARR: 192.168.169.110
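Review bot: In the cluster-settings hunk `CLUSTER_LB_HASS` moves from `192.168.169.102` to `192.168.169.107` so that `.102` can become `CLUSTER_LB_TRAEFIK`; anything outside the cluster that still resolves Home Assistant to `.102` (DNS records, firewall or port-forward rules, client bookmarks) will now land on the Traefik LoadBalancer, which in this commit also exposes the API port. I cannot see from the diff whether such external references exist, so this is a deployment-ordering point rather than a defect in the file. A short comment next to `CLUSTER_LB_HASS`, e.g. `# moved from .102 on 2021-08-06; .102 is now Traefik`, would record why the address changed.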