Traefik resources and helm values file

ingress-traefik/README.md

@@ -0,0 +1,57 @@
+# Traefik Ingress Controller
+
+Here is the values file for configuring traefik.
+
+> [!IMPORTANT]  
+> Requires configuring persistent storage, view `../nfs-storage`.
+
+# Deployment
+
+## 1. Add the Helm Repository and Update
+
+```bash
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+```
+
+## 2. Install Traefik with Helm
+
+```bash
+helm install traefik traefik/traefik -n traefik --values=values.yml
+```
+
+# Configuration
+
+
+Configured to use cloudflare to resolve and generate certificates. This requires:
+ - 1. cloudflare setup
+ - 2. persistent storage
+ - 3. 
+
+### 1. Cloudflare ceritficate resolver
+
+
+
+# Topology
+
+Public --> Traefik on each kub host --> SVC or nginx or varnish
+
+
+
+# SSL Termination
+
+I want to have one box that is running nginx, one that is running varnish and ingress using traefik in kubernetes. How do I terminate a central place and route to correct host?
+
+
+# Terminology
+
+Ingress controller - a cluster wide controller for the Ingress resource.
+Ingress resource - 
+
+
+
+# Ingress Controllers
+
+A ingress controller is required to enable Ingress Resources. Any number of ingress controllers using `ingress class` can be deployed to a cluster.
+
+If you **do not** specify a `IngressClass` for a Ingrtess, and your cluster has exactly one IngressClass marked as default, then Kubernetes applies the clusters default IngressClass to the Ingress.

ingress-traefik/cloudflare-credentials.yml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-credentials
+  namespace: traefik
+type: Opaque
+stringData:
+  email: kevin.midboe@gmail.com
+  apiKey: ***REMOVED***

ingress-traefik/kubernetes-crd-rbac.yml

@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.io
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default

ingress-traefik/values.yml

@@ -0,0 +1,90 @@
+additionalArguments:
+# Configure your CertificateResolver here...
+# 
+# DNS Challenge
+# ---
+# Cloudflare Example:
+  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+  - --certificatesresolvers.cloudflare.acme.email=kevin.midboe+kazan-cf@gmail.com
+  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+  - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+
+logs:
+# Configure log settings here...
+  general:
+    level: ERROR
+
+ports:
+# Configure your entrypoints here...
+  web:
+    # address: :80
+    # http:
+    # (optional) Permanent Redirect to HTTPS
+    redirectTo:
+      port: websecure
+  websecure:
+    tls:
+      enabled: true
+      # (optional) Set a Default CertResolver
+      certResolver: cloudflare
+  
+
+env:
+# Set your environment variables here...
+# 
+# DNS Challenge Credentials
+# ---
+# Cloudflare Example:
+  - name: CF_API_EMAIL
+    valueFrom:
+      secretKeyRef:
+        key: email
+        name: cloudflare-credentials
+  - name: CF_API_KEY
+    valueFrom:
+      secretKeyRef:
+        key: apiKey
+        name: cloudflare-credentials
+
+# Disable Dashboard
+ingressRoute:
+  dashboard:
+    enabled: false
+
+# Persistent Storage
+persistence:
+  enabled: true
+  name: ssl-certs
+  accessMode: ReadWriteOnce
+  size: 1Gi
+  storageClass: nfs-csi
+  path: /ssl-certs
+
+deployment:
+  initContainers:
+    # The "volume-permissions" init container is required if you run into permission issues.
+    # Related issue: https://github.com/containous/traefik/issues/6972
+    - name: volume-permissions
+      image: busybox:1.31.1
+      command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
+      volumeMounts:
+        - name: ssl-certs
+          mountPath: /ssl-certs
+
+# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+# Set the container security context
+# To run the container with ports below 1024 this will need to be adjust to run as root
+securityContext:
+  capabilities:
+    drop: [ALL]
+  readOnlyRootFilesystem: false
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+
+podSecurityContext:
+  fsGroup: 65532