traefik: move to kustomize

Closes #102

shared/README.md

@@ -2,7 +2,7 @@
 
 It's quite odd there is no better way to generate these.
 
-
+```sh
 cat << EOF > networkpolicy-base.yml
 ---
 apiVersion: networking.k8s.io/v1
@@ -61,3 +61,6 @@ cat << EOF >> networkpolicy-base.yml
         cidr: $j/32
 EOF
 done
+
+cp networkpolicy-base.yml ../traefik/
+```

traefik/.gitignore

@@ -1 +0,0 @@
-application.yml

traefik/README.md

@@ -1,14 +1,10 @@
 # Traefik Ingress Controller
+See [/ripe87/application.yaml](/ripe87/application.yaml) for a basic example without authentication.
 
-This application is managed by
-[ArgoCD](https://argocd.k-space.ee/applications/argocd/traefik)
-
-Should ArgoCD be down manifests here can be applied with:
+# Deployment
+With ArgoCD. Render it locally:
 
-```
-kubectl create namespace traefik
-helm repo add traefik https://traefik.github.io/charts
-
-helm template --include-crds -n traefik --release-name k6 traefik/traefik -f values.yml > application.yml
-kubectl apply -n traefik -f application.yml -f application-extras.yml
+```sh
+cp ../shared/network-policy.yml .
+kustomize build . --enable-helm
 ```

traefik/application-extras.yml

@@ -26,7 +26,6 @@ spec:
     - key encipherment
   revisionHistoryLimit: 1
 ---
-
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCMiddlewareClient
 metadata:
@@ -45,7 +44,6 @@ spec:
     replacement: https://traefik.k-space.ee/dashboard/#/
     permanent: false
 ---
-
 apiVersion: v1
 kind: Service
 metadata:
@@ -53,7 +51,7 @@ metadata:
   namespace: traefik
 spec:
   selector:
-    app.kubernetes.io/instance: k6-traefik
+    app.kubernetes.io/instance: traefik-argocd
     app.kubernetes.io/name: traefik
   ports:
     - protocol: TCP

traefik/kustomization.yaml

@@ -0,0 +1,70 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: traefik
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- includeCRDs: true
+  name: &name traefik
+  releaseName: *name
+  repo: https://traefik.github.io/charts
+  valuesInline: # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
+    namespace: *name
+    image:
+      registry: mirror.gcr.io/library
+    websecure: # might not be needed
+      tls: {enabled: true}
+    providers:
+      kubernetesCRD:
+        allowExternalNameServices: true
+      kubernetesIngress:
+        allowExternalNameServices: true
+    deployment:
+      replicas: 4
+      annotations:
+        keel.sh/policy: minor
+        keel.sh/trigger: patch
+        keel.sh/pollSchedule: "@midnight"
+    affinity:
+     podAntiAffinity:
+       requiredDuringSchedulingIgnoredDuringExecution:
+         - labelSelector:
+             matchLabels:
+               app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+               app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
+           topologyKey: topology.kubernetes.io/zone
+    logs:
+      access:
+        enabled: true
+        format: json
+    ports:
+      web:
+        redirections:
+          entryPoint:
+            to: websecure
+            scheme: https
+            permanent: true
+    service:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee
+      spec:
+        externalTrafficPolicy: Local
+    ingressRoute:
+      dashboard:
+        enabled: true
+        domain: traefik.k-space.ee
+        matchRule: Host(`traefik.k-space.ee`)
+        entryPoints: ["websecure"]
+        middlewares:
+          - name: "dashboard"
+          - name: "dashboard-redirect"
+    tlsOptions: # https://ssl-config.mozilla.org/#server=traefik&config=modern&hsts=false
+      default:
+        minVersion: VersionTLS13
+        curvePreferences: ["X25519", "CurveP256", "CurveP384"]
+  version: v36.2.0 # helm search repo traefik/traefik --versions
+
+resources:
+- ./application-extras.yml
+- ./networkpolicy-base.yml #TODO: should be ../shared/networkpolicy-base.yml

traefik/networkpolicy-base.yml

@@ -1 +0,0 @@
-../shared/networkpolicy-base.yml

traefik/networkpolicy-base.yml

@@ -0,0 +1,90 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kubedns
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kubeprobe
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 10.244.0.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.1.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.2.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.9.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.4.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.3.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.5.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.7.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.11.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.12.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.6.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.10.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.8.1/32
+  - from:
+    - ipBlock:
+        cidr: 10.244.13.1/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kubeapi
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - port: 6443
+    to:
+    - ipBlock:
+        cidr: 172.21.3.51/32
+    - ipBlock:
+        cidr: 172.21.3.52/32
+    - ipBlock:
+        cidr: 172.21.3.53/32

traefik/values.yml

@@ -1,83 +0,0 @@
-image:
-  registry: mirror.gcr.io/library
-  tag: "3.1.0"
-  pullPolicy: IfNotPresent
-
-websecure:
-  tls:
-    enabled: true
-
-providers:
-  kubernetesCRD:
-    enabled: true
-    allowEmptyServices: true
-    allowExternalNameServices: true
-
-  kubernetesIngress:
-    allowEmptyServices: true
-    allowExternalNameServices: true
-    publishedService:
-      enabled: true
-
-deployment:
-  replicas: 4
-
-  annotations:
-    keel.sh/policy: minor
-    keel.sh/trigger: patch
-    keel.sh/pollSchedule: "@midnight"
-
-affinity:
- podAntiAffinity:
-   requiredDuringSchedulingIgnoredDuringExecution:
-     - labelSelector:
-         matchLabels:
-           app.kubernetes.io/name: '{{ template "traefik.name" . }}'
-           app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
-       topologyKey: topology.kubernetes.io/zone
-
-updateStrategy:
-  type: Recreate
-  rollingUpdate:
-    maxUnavailable: 1
-    maxSurge: 1        
-
-accessLog:
-  format: json
-
-# Globally redirect to https://
-globalArguments:
- - --entryPoints.web.http.redirections.entryPoint.to=:443
- - --entryPoints.web.http.redirections.entryPoint.scheme=https
-
-service:
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee
-  spec:
-    externalTrafficPolicy: Local
-
-ingressRoute:
-  dashboard:
-    enabled: true
-    domain: traefik.k-space.ee
-    matchRule: Host(`traefik.k-space.ee`)
-    entryPoints: ["websecure"]
-    middlewares: 
-      - name: "dashboard"
-      - name: "dashboard-redirect"
-
-tlsOptions:
-  default:
-    minVersion: VersionTLS12
-    cipherSuites:
-      # TLS 1.1 and 1.2 ciphers
-      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-      # TLS 1.3 ciphers
-      - TLS_AES_128_GCM_SHA256
-      - TLS_AES_256_GCM_SHA384
-      - TLS_CHACHA20_POLY1305_SHA256