| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 |
- apiVersion: helm.cattle.io/v1
- kind: HelmChartConfig
- metadata:
- name: traefik
- namespace: kube-system
- spec:
- valuesContent: |-
- additionalArguments:
- - "--entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,172.16.69.0/24"
- - "--entrypoints.web.http.redirections.entryPoint.to=:443"
- - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0s"
- # Auto cert renewal via cloudflare
- - "--certificatesresolvers.letsencrypt.acme.email=joshbicking@comcast.net"
- - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"
- - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
- - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
- # Main
- - "--entrypoints.websecure.http.tls.domains[0].main=jibby.org"
- - "--entrypoints.websecure.http.tls.domains[0].sans=*.jibby.org"
- # LAN-only
- - "--entrypoints.websecure.http.tls.domains[1].main=lan.jibby.org"
- - "--entrypoints.websecure.http.tls.domains[1].sans=*.lan.jibby.org"
- # Configuration for extra routers
- - "--providers.file.directory=/config"
- #- "--log.level=INFO"
- # debug, uncomment for testing
- #- "--log.level=DEBUG"
- #- "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
- volumes:
- - name: traefik-config
- mountPath: "/config"
- type: configMap
- ports:
- gogsssh:
- port: 2222
- expose:
- default: true
- exposedPort: 2222
- protocol: TCP
- env:
- - name: CLOUDFLARE_EMAIL
- valueFrom:
- secretKeyRef:
- name: cloudflare-secrets
- key: email
- optional: false
- - name: CLOUDFLARE_API_KEY
- valueFrom:
- secretKeyRef:
- name: cloudflare-secrets
- key: api-key
- optional: false
- # TODO can this be something with ReadWriteMany?
- persistence:
- enabled: true
- storageClass: ceph-block-ssd
- metrics:
- prometheus:
- addServicesLabels: true
- logs:
- access:
- enabled: true
- ingressRoute:
- dashboard:
- enabled: true
- matchRule: Host(`traefik.lan.jibby.org`)
- entryPoints: ["websecure"]
- middlewares:
- - name: lanonly
- namespace: kube-system
- - name: traefik-dash-auth
- namespace: kube-system
- # Fix for acme.json file being changed to 660 from 600
- # This can manifest as the incredibly unhelpful "the router <router name> uses a non-existent resolver: <resolver name>"
- # https://github.com/traefik/traefik/issues/10241
- podSecurityContext:
- fsGroup: 65532
- deployment:
- initContainers:
- # The "volume-permissions" init container is required if you run into permission issues.
- # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
- - name: volume-permissions
- image: busybox:latest
- command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
- securityContext:
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- volumeMounts:
- - name: data
- mountPath: /data
- podAnnotations:
- backup.velero.io/backup-volumes-excludes: data
- # ACME functionality is not supported when running Traefik as a DaemonSet
- #deployment:
- # kind: DaemonSet
- service:
- spec:
- # Required to show real IP to proxied services
- externalTrafficPolicy: Local
- providers:
- kubernetesCRD:
- # Allows IngressRoutes to use middleware from a different namespace
- allowCrossNamespace: true
- # pin pod to cluster-ingress node, so ServiceLB gives it the right external IP
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: cluster-ingress
- operator: In
- values:
- - "true"
|
