initial commit

lp/traefik/README.md

@@ -0,0 +1,36 @@
+1) traefik installeren via helmchart:
+helm repo add traefik https://helm.traefik.io/traefik
+helm repo update
+kubectl create namespace traefik
+
+2) persistent storage aanmaken:
+
+kubect apply -f traefik-pvc
+
+When enabling persistence for certificates, permissions on acme.json can be
+lost when Traefik restarts. You can ensure correct permissions with an
+initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
+
+3) Installeren
+
+helm install traefik traefik/traefik -f values.yaml -n traefik
+
+CHECK OF PORTFORWARDING VAN POORT 80 en 443 OP DE ROUTER NAAR DE LOADBALANCER GOED STAAT! 
+HERSTART NA WIJZIGING DE KPN-ROUTER!
+
+4) TLS verzwaren (tlsoption.yml is afkomstig van whoami-voorbeeld)
+
+kubectl apply -f tlsoption.yaml 
+
+7) Daschboard toegankelijk maken (dashboard.yaml is afkomstig van helm-documentatie van traefik zelf) 
+
+kubectl apply -f ingressroute-dashboard.yaml - n traefik
+
+#migreren:
+
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+
+
+

lp/traefik/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: lp-traefik
+  title: Traefik (lp)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

lp/traefik/clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik
+rules:
+  - apiGroups: ["traefik.io"]
+    resources: ["ingressroutes", "ingressroutesstatus"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints", "pods", "secrets"]
+    verbs: ["get", "list", "watch"]

lp/traefik/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingressroute
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: traefik

lp/traefik/forwarded_headers.yaml

@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: forwarded-headers
+spec:
+  headers:
+    customResponseHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-For: "{remote}"
+      X-Real-IP: "{remote}"

lp/traefik/ingressroute-dashboard.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik-lp.allarddcs.nl`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService

lp/traefik/ingressroutes/ingressroute-dev-http.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev-http
+  namespace: traefik
+spec:
+ ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: dev-http
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.181
+    ports:
+    - port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dev-http
+  namespace: traefik
+spec:
+  entryPoints:
+  - web
+  routes:
+    - match: HostRegexp(`^[a-z0-9]+-dev\.allarddcs\.nl$`) 
+      kind: Rule
+      services:
+        - name: dev-http
+          port: 80

lp/traefik/ingressroutes/ingressroute-gitea-http.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-http
+  namespace: traefik
+spec:
+ ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitea-http
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.181
+    ports:
+    - port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http
+  namespace: traefik
+spec:
+  entryPoints:
+  - web
+  routes:
+  - match: Host(`gitea-dev.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: gitea-http
+      port: 80
+  - match: Host(`gitea-dev.allarddcs.nl`) && PathPrefix(`/.well-known/acme-challenge/`)
+    kind: Rule
+    services:
+    - name: gitea-http
+      port: 80

lp/traefik/ingressroutes/ingressroute-odroid-http.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: odroid-http
+  namespace: traefik
+spec:
+ ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: odroid-http
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.230
+    ports:
+    - port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: odroid-http
+  namespace: traefik
+spec:
+  entryPoints:
+  - web
+  routes:
+  - match: HostRegexp(`^[a-z0-9]+-odroid\.allarddcs\.nl$`)
+    kind: Rule
+    services:
+    - name: odroid-http
+      port: 80

lp/traefik/ingressroutes/ingressroute-prod-http.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: prod-http
+  namespace: traefik
+spec:
+ ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: prod-http
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.191
+    ports:
+    - port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: prod-http
+  namespace: traefik
+spec:
+  entryPoints:
+  - web
+  routes:
+  - match: HostRegexp(`^[a-z0-9]+-prod\.allarddcs\.nl$`)
+    kind: Rule
+    services:
+    - name: prod-http
+      port: 80

lp/traefik/ingressroutes/ingressroute-riscv-http.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: riscv-http
+  namespace: traefik
+spec:
+ ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: riscv-http
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.113
+    ports:
+    - port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: riscv-http
+  namespace: traefik
+spec:
+  entryPoints:
+  - web
+  routes:
+    - match: HostRegexp(`^[a-z0-9]+-riscv\.allarddcs\.nl$`) 
+      kind: Rule
+      services:
+        - name: riscv-http
+          port: 80

lp/traefik/ingressroutes/ingressrouteTCP-dev-tls.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev-tls
+  namespace: traefik
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: dev-tls
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.181
+    ports:
+    - port: 443
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: dev-tls
+  namespace: traefik
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: HostSNIRegexp(`^[a-z0-9]+-dev\.allarddcs\.nl$`)
+    services:
+    - name: dev-tls
+      port: 443
+  tls:
+    passthrough: true

lp/traefik/ingressroutes/ingressrouteTCP-odroid-tls.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: odroid-tls
+  namespace: traefik
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: odroid-tls
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.230
+    ports:
+    - port: 443
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: odroid-tls
+  namespace: traefik
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: HostSNIRegexp(`^[a-z0-9]+-odroid\.allarddcs\.nl$`)
+    services:
+    - name: odroid-tls
+      port: 443
+  tls:
+    passthrough: true

lp/traefik/ingressroutes/ingressrouteTCP-prod-tls.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: prod-tls
+  namespace: traefik
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: prod-tls
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.191
+    ports:
+    - port: 443
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: prod-tls
+  namespace: traefik
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: HostSNIRegexp(`^[a-z0-9]+-prod\.allarddcs\.nl$`)
+    services:
+    - name: prod-tls
+      port: 443
+  tls:
+    passthrough: true

lp/traefik/ingressroutes/ingressrouteTCP-riscv-tls.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: riscv-tls
+  namespace: traefik
+spec:
+  type: ExternalName
+  externalName: 192.168.2.113
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: riscv-tls
+  namespace: traefik
+subsets:
+  - addresses:
+    - ip: 192.168.2.113
+    ports:
+    - port: 443
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: riscv-tls
+  namespace: traefik
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: HostSNIRegexp(`^[a-z0-9]+-riscv\.allarddcs\.nl$`)
+    services:
+    - name: riscv-tls
+      port: 443
+  tls:
+    passthrough: true

lp/traefik/temp.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+data:
+  dbPassword: cm91bmRrdWJl
+  dbUsername: cm91bmRrdWJl
+  desKey: ZUdmaFIzdGNNVlhKZW10VkN1b0JRRmIyUUxSc0hoM3diRzBZbE9ySGVEaFdJTUoyOU1qRE01UnlTOEhvTHgzdw==
+  smtpPassword: JXA=
+  smtpUsername: JXU=
+kind: Secret
+metadata:
+  annotations:
+    meta.helm.sh/release-name: roundcube
+    meta.helm.sh/release-namespace: mail
+  creationTimestamp: "2025-01-25T09:41:15Z"
+  labels:
+    app.kubernetes.io/instance: roundcube
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: roundcube
+    app.kubernetes.io/version: 1.6.9
+    helm.sh/chart: roundcube-1.16.0
+  name: roundcube
+  namespace: mail
+  resourceVersion: "45407979"
+  uid: 3362cf2e-450f-40db-8f78-4f2e3198ea48
+type: Opaque

lp/traefik/tlsoption.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: tsloption
+  namespace: traefik
+spec:
+  minVersion: VersionTLS12
+

lp/traefik/traefik-pvc.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: traefik-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 128Mi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/traefik/lp
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-pvc
+  namespace: traefik
+spec:
+  storageClassName: ""
+  volumeName: traefik-pv
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 128Mi
+

lp/traefik/values.yaml

@@ -0,0 +1,239 @@
+USER-SUPPLIED VALUES:
+affinity: {}
+autoscaling:
+  enabled: false
+global:
+  # Adjust timeout settings for Traefik
+  timeout:
+    connect: 30s  # Time to wait for a connection to establish (default: 30s)
+    read: 300s    # Increase read timeout for longer responses (default: 60s)
+    write: 300s   # Increase write timeout for larger pushes (default: 60s)
+#certificatesResolvers:
+#  letsencrypt:
+#    acme:
+#      email: admin@allarddcs.nl
+#      storage: /data/acme.json
+#      httpChallenge:
+#        entryPoint: web
+commonLabels: {}
+deployment:
+  additionalContainers: []
+  additionalVolumeMounts: {}
+  additionalVolumes: []
+  annotations: {}
+  dnsConfig: {}
+  enabled: true
+  imagePullSecrets: []
+  initContainers: []
+  kind: Deployment
+  labels: {}
+  lifecycle: {}
+  minReadySeconds: 0
+  podAnnotations: {}
+  podLabels: {}
+  replicas: 1
+  runtimeClassName: null
+  shareProcessNamespace: false
+  terminationGracePeriodSeconds: 60
+envFrom: []
+experimental:
+  kubernetesGateway:
+    enabled: false
+  plugins: {}
+extraObjects: []
+globalArguments:
+- --global.checknewversion
+- --global.sendanonymoususage
+hostNetwork: false
+image:
+  pullPolicy: Always
+  registry: docker.io
+  repository: traefik
+  tag: ""
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+ingressRoute:
+  dashboard:
+    annotations: {}
+    enabled: true
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    middlewares: []
+    tls: {}
+  healthcheck:
+    annotations: {}
+    enabled: false
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/ping`)
+    middlewares: []
+    tls: {}
+livenessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+logs:
+  access:
+    enabled: false
+    fields:
+      general:
+        defaultmode: keep
+        names: {}
+      headers:
+        defaultmode: drop
+        names: {}
+    filters: {}
+  general:
+    level: ERROR
+metrics:
+  prometheus:
+    entryPoint: metrics
+nodeSelector: {}
+persistence:
+  enabled: true
+  existingClaim: traefik-pvc
+  path: /data
+podDisruptionBudget:
+  enabled: false
+podSecurityContext:
+  fsGroupChangePolicy: OnRootMismatch
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+podSecurityPolicy:
+  enabled: false
+ports:
+ports:
+  web:
+    expose:
+      default: true
+    exposedPort: 80
+    port: 8000
+    protocol: TCP
+    allowACMEByPass: true 
+  websecure:
+    expose:
+      default: true
+    exposedPort: 443
+    http3:
+      enabled: false
+    middlewares: []
+    port: 8443
+    protocol: TCP
+    allowACMEByPass: true 
+    tls:
+      certResolver: ""
+      domains: []
+      enabled: true
+      options: ""
+  traefik:
+    expose:
+      default: true
+    exposedPort: 9000
+    port: 9000
+    protocol: TCP
+  metrics:
+    expose:
+      default: false
+    exposedPort: 9100
+    port: 9100
+    protocol: TCP
+  imap:
+    expose:
+      default: true
+    exposedPort: 143
+    port: 9143
+    protocol: TCP
+  pop3:
+    expose:
+      default: true
+    exposedPort: 110
+    port: 9110
+    protocol: TCP
+  pop3s:
+    expose:
+      default: true
+    exposedPort: 995
+    port: 9995
+    protocol: TCP
+  smtp:
+    expose:
+      default: true
+    exposedPort: 25
+    port: 9025
+    protocol: TCP
+  smtps:
+    expose:
+      default: true
+    exposedPort: 465
+    port: 9465
+    protocol: TCP
+priorityClassName: ""
+providers:
+  file:
+    content: ""
+    enabled: true
+    watch: true
+  kubernetesCRD:
+    allowCrossNamespace: false
+    allowEmptyServices: true
+    allowExternalNameServices: true
+    enabled: true
+    namespaces: []
+  kubernetesIngress:
+    allowEmptyServices: true
+    allowExternalNameServices: true
+    disableIngressClassLookup: false
+    enabled: true
+    namespaces: []
+    publishedService:
+      enabled: false
+rbac:
+  enabled: true
+  namespaced: false
+  secretResourceNames: []
+readinessProbe:
+  failureThreshold: 1
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+resources: {}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+service:
+  additionalServices: {}
+  annotations: {}
+  annotationsTCP: {}
+  annotationsUDP: {}
+  enabled: true
+  externalIPs: []
+  labels: {}
+  loadBalancerSourceRanges: []
+  single: true
+  spec: {}
+  type: LoadBalancer
+serviceAccount:
+  name: ""
+serviceAccountAnnotations: {}
+startupProbe: null
+tlsOptions: {}
+tlsStore: {}
+tolerations: []
+topologySpreadConstraints: []
+tracing: {}
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
+  type: RollingUpdate
+