initial commit

dev/traefik/README.md

@@ -0,0 +1,36 @@
+1) traefik installeren via helmchart:
+helm repo add traefik https://helm.traefik.io/traefik
+helm repo update
+kubectl create namespace traefik
+
+2) persistent storage aanmaken:
+
+kubect apply -f traefik-pvc
+
+When enabling persistence for certificates, permissions on acme.json can be
+lost when Traefik restarts. You can ensure correct permissions with an
+initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
+
+3) Installeren
+
+helm install traefik traefik/traefik -f values.yaml -n traefik
+
+CHECK OF PORTFORWARDING VAN POORT 80 en 443 OP DE ROUTER NAAR DE LOADBALANCER GOED STAAT! 
+HERSTART NA WIJZIGING DE KPN-ROUTER!
+
+4) TLS verzwaren (tlsoption.yml is afkomstig van whoami-voorbeeld)
+
+kubectl apply -f tlsoption.yaml 
+
+7) Daschboard toegankelijk maken (dashboard.yaml is afkomstig van helm-documentatie van traefik zelf) 
+
+kubectl apply -f ingressroute-dashboard.yaml - n traefik
+
+#migreren:
+
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+
+
+

dev/traefik/catalog-info.yaml

@@ -0,0 +1,19 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: dev-traefik
+  title: traefik (dev)
+  description: traefik instance running in Kubernetes
+  annotations:
+    backstage.io/kubernetes-label-selector: "app=traefik"
+  links:
+    - url: https://github.com/AllardKrings/kubernetes/dev/traefik
+      title: traefik-configuration
+  docs:
+    - url: ./README.md
+spec:
+  type: service
+  lifecycle: production
+  owner: group:default/allarddcs
+  subcomponentOf: component:default/DEV-cluster
+

dev/traefik/clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik
+rules:
+  - apiGroups: ["traefik.io"]
+    resources: ["ingressroutes", "ingressroutesstatus"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints", "pods", "secrets"]
+    verbs: ["get", "list", "watch"]

dev/traefik/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingressroute
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: traefik

dev/traefik/ingressroute-dashboard.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik-dev.allarddcs.nl`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService

dev/traefik/tlsoption.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: tsloption
+  namespace: traefik
+spec:
+  minVersion: VersionTLS12
+

dev/traefik/traefik-pvc.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: traefik-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 128Mi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/traefik/dev
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-pvc
+  namespace: traefik
+spec:
+  storageClassName: ""
+  volumeName: traefik-pv
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 128Mi
+

dev/traefik/values.yaml

@@ -0,0 +1,235 @@
+USER-SUPPLIED VALUES:
+additionalArguments: []
+additionalVolumeMounts: []
+affinity: {}
+autoscaling:
+  enabled: false
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@allarddcs.nl
+      storage: /data/acme.json
+      httpChallenge:
+        entryPoint: web
+commonLabels: {}
+core:
+  defaultRuleSyntax: v2
+deployment:
+  additionalContainers: []
+  additionalVolumes: []
+  annotations: {}
+  dnsConfig: {}
+  enabled: true
+  imagePullSecrets: []
+  initContainers:
+    - name: volume-permissions
+      image: busybox:latest
+      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+      volumeMounts:
+      - mountPath: /data
+        name: data
+  kind: Deployment
+  labels: {}
+  lifecycle: {}
+  minReadySeconds: 0
+  podAnnotations: {}
+  podLabels: {}
+  replicas: 1
+  runtimeClassName: null
+  shareProcessNamespace: false
+  terminationGracePeriodSeconds: 60
+env:
+envFrom: []
+experimental:
+  kubernetesGateway:
+    enabled: false
+  plugins: {}
+extraObjects: []
+globalArguments:
+- --global.checknewversion
+- --global.sendanonymoususage
+global:
+  # Adjust timeout settings for Traefik
+  timeout:
+    connect: 60s  # Time to wait for a connection to establish (default: 30s)
+    read: 600s    # Increase read timeout for longer responses (default: 60s)
+    write: 600s
+hostNetwork: false
+image:
+  pullPolicy: Always
+  registry: docker.io
+  repository: traefik
+  tag: ""
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+ingressRoute:
+  dashboard:
+    annotations: {}
+    enabled: true
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    middlewares: []
+    tls: {}
+  healthcheck:
+    annotations: {}
+    enabled: true
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/ping`)
+    middlewares: []
+    tls: {}
+livenessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+logs:
+  access:
+    enabled: false
+    fields:
+      general:
+        defaultmode: keep
+        names: {}
+      headers:
+        defaultmode: drop
+        names: {}
+    filters: {}
+  general:
+    level: ERROR
+#metrics:
+#  prometheus:
+#    entryPoint: metrics
+nodeSelector: {}
+persistence:
+  enabled: true
+  existingClaim: traefik-pvc
+  path: /data
+podDisruptionBudget:
+  enabled: false
+podSecurityContext:
+  fsGroupChangePolicy: OnRootMismatch
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+podSecurityPolicy:
+  enabled: false
+ports:
+#  metrics:
+#    exposedPort: 9100
+#    port: 9100
+#    protocol: TCP
+  traefik:
+    expose:
+      default: true
+    exposedPort: 9000
+    port: 9000
+    protocol: TCP
+  web:
+    expose:
+      default: true
+    exposedPort: 80
+    port: 8000
+    protocol: TCP
+    allowACMEByPass: true
+  websecure:
+    respondingTimeouts:
+      readTimeout: 600
+    expose:
+      default: true
+    exposedPort: 443
+    http3:
+      enabled: false
+    middlewares: []
+    port: 8443
+    protocol: TCP
+    allowACMEByPass: true
+    tls:
+      certResolver: ""
+      domains: []
+      enabled: true
+      options: ""
+    transport:
+      respondingTimeouts:
+        readTimeout: 0   # @schema type:[string, integer, null]
+        writeTimeout: 0 # @schema type:[string, integer, null]
+        idleTimeout: 0  # @schema type:[string, integer, null]
+      lifeCycle:
+        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]
+        graceTimeOut: # @schema type:[string, integer, null]   
+      keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
+      keepAliveMaxTime: # @schema type:[string, integer, null]
+priorityClassName: ""
+providers:
+  file:
+    content: ""
+    enabled: false
+    watch: true
+  kubernetesCRD:
+    allowCrossNamespace: false
+    allowEmptyServices: false
+    allowExternalNameServices: false
+    enabled: true
+    namespaces: []
+  kubernetesIngress:
+    allowEmptyServices: false
+    allowExternalNameServices: false
+    disableIngressClassLookup: false
+    enabled: true
+    namespaces: []
+    publishedService:
+      enabled: false
+rbac:
+  enabled: true
+  namespaced: false
+  secretResourceNames: []
+readinessProbe:
+  failureThreshold: 1
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+resources:
+  requests:
+    memory: "512Mi"
+    cpu: "500m"
+  limits:
+    memory: "1Gi"
+    cpu: "1"
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+service:
+  additionalServices: {}
+  annotations: {}
+  annotationsTCP: {}
+  annotationsUDP: {}
+  enabled: true
+  externalIPs: []
+  labels: {}
+  loadBalancerSourceRanges: []
+  single: true
+  spec: {}
+  type: LoadBalancer
+serviceAccount:
+  name: ""
+serviceAccountAnnotations: {}
+startupProbe: null
+tlsOptions: {}
+tlsStore: {}
+tolerations: []
+topologySpreadConstraints: []
+tracing: {}
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
+  type: RollingUpdate
+volumes: []