diff --git a/shared/README.md b/shared/README.md index 9c54376..e7adb1e 100644 --- a/shared/README.md +++ b/shared/README.md @@ -2,7 +2,7 @@ It's quite odd there is no better way to generate these. - +```sh cat << EOF > networkpolicy-base.yml --- apiVersion: networking.k8s.io/v1 @@ -61,3 +61,6 @@ cat << EOF >> networkpolicy-base.yml cidr: $j/32 EOF done + +cp networkpolicy-base.yml ../traefik/ +``` diff --git a/traefik/.gitignore b/traefik/.gitignore deleted file mode 100644 index 3bed397..0000000 --- a/traefik/.gitignore +++ /dev/null @@ -1 +0,0 @@ -application.yml diff --git a/traefik/README.md b/traefik/README.md index 44c068e..94c8b46 100644 --- a/traefik/README.md +++ b/traefik/README.md @@ -1,14 +1,10 @@ # Traefik Ingress Controller +See [/ripe87/application.yaml](/ripe87/application.yaml) for a basic example without authentication. -This application is managed by -[ArgoCD](https://argocd.k-space.ee/applications/argocd/traefik) - -Should ArgoCD be down manifests here can be applied with: +# Deployment +With ArgoCD. Render it locally: -``` -kubectl create namespace traefik -helm repo add traefik https://traefik.github.io/charts - -helm template --include-crds -n traefik --release-name k6 traefik/traefik -f values.yml > application.yml -kubectl apply -n traefik -f application.yml -f application-extras.yml +```sh +cp ../shared/network-policy.yml . +kustomize build . --enable-helm ``` diff --git a/traefik/application-extras.yml b/traefik/application-extras.yml index 8cbc200..a4f4859 100644 --- a/traefik/application-extras.yml +++ b/traefik/application-extras.yml @@ -26,7 +26,6 @@ spec: - key encipherment revisionHistoryLimit: 1 --- - apiVersion: codemowers.cloud/v1beta1 kind: OIDCMiddlewareClient metadata: @@ -45,7 +44,6 @@ spec: replacement: https://traefik.k-space.ee/dashboard/#/ permanent: false --- - apiVersion: v1 kind: Service metadata: 
@@ -53,7 +51,7 @@ metadata: namespace: traefik spec: selector: - app.kubernetes.io/instance: k6-traefik + app.kubernetes.io/instance: traefik-argocd app.kubernetes.io/name: traefik ports: - protocol: TCP diff --git a/traefik/kustomization.yaml b/traefik/kustomization.yaml new file mode 100644 index 0000000..9368d76 --- /dev/null +++ b/traefik/kustomization.yaml 
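Review bot: The new selector value `app.kubernetes.io/instance: traefik-argocd` does not obviously match what the chart will render: kustomization.yaml in this same commit sets `releaseName: traefik` and `namespace: traefik`, and its own affinity block assumes the chart labels pods with `{{ .Release.Name }}-{{ .Release.Namespace }}`, which would give `traefik-traefik`. If that is how the pods end up labelled, this Service silently has no endpoints, and nothing in the manifests will flag it. Worth checking against the `kustomize build . --enable-helm` output before merging; if `traefik-argocd` really is the rendered label (set some other way than the release name), a comment next to the selector would spare the next reader the same check, e.g. `# must equal the chart's app.kubernetes.io/instance label (<releaseName>-<namespace>)`.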
@@ -0,0 +1,70 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: traefik + +# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_ +helmCharts: +- includeCRDs: true + name: &name traefik + releaseName: *name + repo: https://traefik.github.io/charts + valuesInline: # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml + namespace: *name + image: + registry: mirror.gcr.io/library + websecure: # might not be needed + tls: {enabled: true} + providers: + kubernetesCRD: + allowExternalNameServices: true + kubernetesIngress: + allowExternalNameServices: true + deployment: + replicas: 4 + annotations: + keel.sh/policy: minor + keel.sh/trigger: patch + keel.sh/pollSchedule: "@midnight" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: '{{ template "traefik.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + topologyKey: topology.kubernetes.io/zone + logs: + access: + enabled: true + format: json + ports: + web: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee + spec: + externalTrafficPolicy: Local + ingressRoute: + dashboard: + enabled: true + domain: traefik.k-space.ee + matchRule: Host(`traefik.k-space.ee`) + entryPoints: ["websecure"] + middlewares: + - name: "dashboard" + - name: "dashboard-redirect" + tlsOptions: # https://ssl-config.mozilla.org/#server=traefik&config=modern&hsts=false + default: + minVersion: VersionTLS13 + curvePreferences: ["X25519", "CurveP256", "CurveP384"] + version: v36.2.0 # helm search repo traefik/traefik --versions + +resources: +- ./application-extras.yml +- ./networkpolicy-base.yml #TODO: should be ../shared/networkpolicy-base.yml 
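Review bot: `allowExternalNameServices: true` is enabled for both `kubernetesCRD` and `kubernetesIngress` without a comment on why; Traefik leaves it off by default because it lets anyone who can create a Service in a routed namespace point the ingress controller at an arbitrary external host, so the workloads that need it should be recorded, e.g. `# needed for <service>: lets Ingress/IngressRoute target ExternalName Services; review before widening`. The `#TODO` on `./networkpolicy-base.yml` means the copied file will drift from `shared/`; kustomize refuses parent-directory resources under its default load restrictor, so either build with `--load-restrictor LoadRestrictionsNone` (ArgoCD can pass it via its kustomize build options) or add a CI check that the copy is byte-identical to `shared/networkpolicy-base.yml`. Note also that traefik/README.md in this commit copies `../shared/network-policy.yml`, which is not the filename used here. The deleted values.yml set `providers.kubernetesIngress.publishedService.enabled: true` and `allowEmptyServices: true`, which `valuesInline` drops; if that is deliberate, say so in a comment, since it presumably affects the address Ingress objects report in their status — confirm.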
diff --git a/traefik/networkpolicy-base.yml b/traefik/networkpolicy-base.yml deleted file mode 120000 index e84a698..0000000 --- a/traefik/networkpolicy-base.yml +++ /dev/null @@ -1 +0,0 @@ -../shared/networkpolicy-base.yml \ No newline at end of file diff --git a/traefik/networkpolicy-base.yml b/traefik/networkpolicy-base.yml new file mode 100644 index 0000000..e58af61 --- /dev/null +++ b/traefik/networkpolicy-base.yml @@ -0,0 +1,90 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kubedns +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kubeprobe +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 10.244.0.1/32 + - from: + - ipBlock: + cidr: 10.244.1.1/32 + - from: + - ipBlock: + cidr: 10.244.2.1/32 + - from: + - ipBlock: + cidr: 10.244.9.1/32 + - from: + - ipBlock: + cidr: 10.244.4.1/32 + - from: + - ipBlock: + cidr: 10.244.3.1/32 + - from: + - ipBlock: + cidr: 10.244.5.1/32 + - from: + - ipBlock: + cidr: 10.244.7.1/32 + - from: + - ipBlock: + cidr: 10.244.11.1/32 + - from: + - ipBlock: + cidr: 10.244.12.1/32 + - from: + - ipBlock: + cidr: 10.244.6.1/32 + - from: + - ipBlock: + cidr: 10.244.10.1/32 + - from: + - ipBlock: + cidr: 10.244.8.1/32 + - from: + - ipBlock: + cidr: 10.244.13.1/32 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kubeapi +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - ports: + - port: 6443 + to: + - ipBlock: + cidr: 172.21.3.51/32 + - ipBlock: + cidr: 172.21.3.52/32 + - ipBlock: + cidr: 172.21.3.53/32 diff --git a/traefik/values.yml b/traefik/values.yml deleted file mode 100644 index d006d4f..0000000 --- a/traefik/values.yml +++ /dev/null 
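Review bot: The `kubeprobe` policy selects every pod (`podSelector: {}`) with `policyTypes: [Ingress]`, which makes all ingress into the traefik namespace default-deny except from the fourteen listed `10.244.N.1/32` node addresses; for an ingress controller behind a Service with `externalTrafficPolicy: Local`, client traffic arrives with its real source address and therefore needs an explicit allow elsewhere, presumably in application-extras.yml (not visible in this diff) — worth confirming rather than assuming. The address list is a snapshot generated by the shared/README.md loop, so adding a node silently breaks kubelet probes from it until the file is regenerated and re-copied, and the ordering (0,1,2,9,4,3,...) suggests it was not regenerated recently. Since this commit replaces the symlink with a copy, a header comment would help, e.g. `# Generated by shared/README.md and copied here because kustomize cannot reference ../shared; do not edit by hand.`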
@@ -1,83 +0,0 @@ -image: - registry: mirror.gcr.io/library - tag: "3.1.0" - pullPolicy: IfNotPresent - -websecure: - tls: - enabled: true - -providers: - kubernetesCRD: - enabled: true - allowEmptyServices: true - allowExternalNameServices: true - - kubernetesIngress: - allowEmptyServices: true - allowExternalNameServices: true - publishedService: - enabled: true - -deployment: - replicas: 4 - - annotations: - keel.sh/policy: minor - keel.sh/trigger: patch - keel.sh/pollSchedule: "@midnight" - -affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: '{{ template "traefik.name" . }}' - app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' - topologyKey: topology.kubernetes.io/zone - -updateStrategy: - type: Recreate - rollingUpdate: - maxUnavailable: 1 - maxSurge: 1 - -accessLog: - format: json - -# Globally redirect to https:// -globalArguments: - - --entryPoints.web.http.redirections.entryPoint.to=:443 - - --entryPoints.web.http.redirections.entryPoint.scheme=https - -service: - annotations: - external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee - spec: - externalTrafficPolicy: Local - -ingressRoute: - dashboard: - enabled: true - domain: traefik.k-space.ee - matchRule: Host(`traefik.k-space.ee`) - entryPoints: ["websecure"] - middlewares: - - name: "dashboard" - - name: "dashboard-redirect" - -tlsOptions: - default: - minVersion: VersionTLS12 - cipherSuites: - # TLS 1.1 and 1.2 ciphers - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - # TLS 1.3 ciphers - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256