Initial commit

traefik/.gitignore

@@ -0,0 +1 @@
+application.yml

traefik/README.md

@@ -0,0 +1,6 @@
+Traefik Ingress Controller:
+
+```
+helm template --include-crds -n traefik --release-name k6 traefik/traefik -f values.yml > application.yml
+kubectl apply -n traefik -f namespace.yml -f application.yml -f application-extras.yml -f whoami.yml -f proxmox.yml -f voron.yml
+```

traefik/application-extras.yml

@@ -0,0 +1,111 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: sso
+spec:
+  chain:
+    middlewares:
+      - name: chain-k6-authelia-auth
+        namespace: authelia
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  selector:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/instance: k6
+  ports:
+    - protocol: TCP
+      port: 9000
+      targetPort: 9000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-metrics
+  namespace: traefik
+  annotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/port: '9100'
+spec:
+  selector:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/instance: k6
+  ports:
+    - protocol: TCP
+      port: 9100
+      targetPort: 9100
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    # Keep IP address in sync with values.yaml
+    external-dns.alpha.kubernetes.io/target: 193.40.103.36
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd,traefik-dashboard-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: traefik.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: traefik-dashboard
+            port:
+              number: 9000
+  tls:
+  - hosts:
+    - traefik.k-space.ee
+    secretName: traefik-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-redirect
+spec:
+  redirectRegex:
+    regex: ^https://traefik.k-space.ee/?$
+    replacement: https://traefik.k-space.ee/dashboard/
+    permanent: false
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: traefik
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: traefik
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+  - ports:
+    - port: 80
+    - port: 443
+  egress:
+  - {}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: block-metrics
+spec:
+  replacePathRegex:
+    regex: ^/metrics
+    replacement: /

traefik/networkpolicy-base.yml

@@ -0,0 +1 @@
+../shared/networkpolicy-base.yml

traefik/proxmox.yml

@@ -0,0 +1,162 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: proxmox-servers-transport
+spec:
+  rootCAsSecrets:
+    - pve
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pve
+data:
+  # This is not actually secret, this is CA certificate of the key
+  # used to sign Proxmox HTTPS endpoint keypairs.
+  # This makes sure Traefik is talking to the real Proxmox machines,
+  # and not arbitrary machines that have hijacked the Proxmox machine IP-s.
+  # To inspect current value:
+  # kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
+  pve.pem: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ6VENDQTdXZ0F3SUJBZ0lVUGk5SFNhQlp0
+    ZG5JL01NREFBb05DT3ZpaGJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RqRWtNQ0lHQTFVRUF3d2JV
+    SEp2ZUcxdmVDQldhWEowZFdGc0lFVnVkbWx5YjI1dFpXNTBNUzB3S3dZRApWUVFMRENSbFptTmpN
+    elF6WXkweU5HSXhMVFJqWXpNdFlqTXhZaTA0Tm1KaE0yVmxOemt6WTJZeEh6QWRCZ05WCkJBb01G
+    bEJXUlNCRGJIVnpkR1Z5SUUxaGJtRm5aWElnUTBFd0hoY05NakF3T0RJek1Ea3pNalEyV2hjTk16
+    QXcKT0RJeE1Ea3pNalEyV2pCMk1TUXdJZ1lEVlFRRERCdFFjbTk0Ylc5NElGWnBjblIxWVd3Z1JX
+    NTJhWEp2Ym0xbApiblF4TFRBckJnTlZCQXNNSkdWbVkyTXpORE5qTFRJMFlqRXROR05qTXkxaU16
+    RmlMVGcyWW1FelpXVTNPVE5qClpqRWZNQjBHQTFVRUNnd1dVRlpGSUVOc2RYTjBaWElnVFdGdVlX
+    ZGxjaUJEUVRDQ0FpSXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1yTXZq
+    VEJ2ZkdIUEZFbmJhWUh6Qm5TeTJNdnBkV0h3TTIrQU9XRQpnbmpDcjhiYnNWaUxBZnpMdGlNYzM0
+    bEJIRXp6d3JwbmlQdXAyS2doNmtCc3BKa2c0bXZSY25pQW9XK3F4UDlWCmpXRlJiTU9OYVB1UHZF
+    UWhrS2xBakJCL2hqZkRxS3FKaURZeU5CNjZsZG9RbnFFQ3RyRXEvRFFDZHZYWitJWW4KNmZpelBk
+    enp3UHk4dzhxU1RiMmlpNzZjSkplOWdJYWVjdUlCRk5mK1dUYW0vRndGL2ZXbGU1aHMyNTZsa25w
+    OQpKbTV6Q0R3eFljNCt5dVF1WEM0WEgzclNKc2U1UWI5QmhyVEx0VTdiRHZTbzZMWEZsOTR4YTlR
+    VGQ1L3UvT3h0CmdONVN2aTBnS1RXUUdiK0pvTHJHYVducS9ocmN4THpnVzJSclMxOGJUZFE2MEZz
+    WVdXSUFTRmZuSzdzSDJjQ2oKRWI5Sk8yWjJzNXpzQ3ZBYjlQQkF6ZkdwSFc0dnFibHpHdmZtbFV5
+    em10NFpEU3V6cGlwRTJ4SUpWVHNBOXJqdwpJd0plU1E0bitpeUF6cUQwMUprbjdRaEtJQ0kzZ21s
+    ZmJ5YzRuTkxEZlZnQTA0VDBmUG5LMDBTSnN2ek1WRjNMCncvbmNheHBhczlhV2ptQ1BBWTEvREJ2
+    RmU3M05EeGRsazFpd0Y5L1V6OGl2WWlLYlk3K3I4blhGM0V3YjZtQmYKZFdsTUlaYSsyeVEweHl6
+    MDlqanNKU1dSRlduV25oRVg1SDVISERBYXhkZmZXUkRtVXR3d2ExWlN6VU1MNHNENgo4U2NHclFQ
+    YWVicE5ZWWI3WmdGTm82ZVp3YytlWmpJVW9XMXhYNlhqSWQ2UENvSmw5UDdMUnJUTWF3NjhHU3Nn
+    CjdLd0RBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FH
+    NWpBZkJnTlYKSFNNRUdEQVdnQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FHNWpBUEJnTlZIUk1C
+    QWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk1JTmszTFlHTHZITlpSWURh
+    YVYwaW45bGtzaWIvd0dZQ01vUDhQZE03Ckw0ZktsUjNDNXJ3clhKNjRwWVJrOFByemFWRjJvclNr
+    REI1Z1Jaa1phbVkzbCtSOU9ISkNheXBNSjVTeHZtVlkKZFBYZ1hBYVlGR1V1cjZHU0RsZkxDUmp1
+    OWdMRnhEbEhZZTVPcm5JbURUcENzK2xXVmcwSDVrUlFNZFJ2eVplTAp1SWs5UEZVcE5GSksyWmtl
+    c0tOWUlPNldwRzBBd0hSZUI0U0MzYzBWNkdrQW84bHUxeGhYMWpUMnFuQXRQTDM4CkkzQkpCNDhY
+    KzkzZGxHcDNBRlp4WmhSSjU1ejdHTm56c1UxaGNTSk1rOUpTN2RhWVhtM3FjTmxZNnY5OCtVK3gK
+    U0RxdUFKU0tIanF5RzRDdjZlL2toamNLMzJpcENuZmYzb2plblpTZlFtN3l3OXpCQjFSc1Z3TU9k
+    aTBCOW44cApDWHpRcHdHTERiNjB1VCtycTJ4eHJici9yT3VtQU5GbXByd1oxbi9yWE45bndxUktW
+    VVBRU1lQdVVKa2xCTktLCnNVL1dTSHBzMGF4dTRUMElFUk0zZHVCWEJ5Yms0TXJXSTBCZ2ptNXZz
+    NFNPNHVGSU96d2RBVkdIQ09lRWhQQzIKMzRiSW9ES09tZDFNcmtjYTQyTWw4bDFtb0hTUFd3djZ4
+    dVo1U1I0UXhPaXdWa0tJRHdvSmg2M2swTmxwUzZFUwp4N253ekZIc01rNTRFTWNMMjJjRk9YK3Rh
+    Q1JtTDVRVVdDMGQ3bEFCMElXQS9UTkRXU3lQbHlRN1VCcjRIZGoxClh2NU43Yks0SUN5NWRhN25h
+    RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
+    LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve1
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve1.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve8
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve8.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve9
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve9.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pve
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd,traefik-proxmox-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: proxmox.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: whoami
+            port:
+              number: 80
+  - host: pve.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve1
+            port:
+              number: 8006
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve8
+            port:
+              number: 8006
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve9
+            port:
+              number: 8006
+  tls:
+  - hosts:
+    - pve.k-space.ee
+    - proxmox.k-space.ee
+    secretName: pve-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: proxmox-redirect
+spec:
+  redirectRegex:
+    regex: ^https://proxmox.k-space.ee/(.*)$
+    replacement: https://pve.k-space.ee/$1
+    permanent: false

traefik/values.yml

@@ -0,0 +1,54 @@
+image:
+  tag: "2.8"
+
+websecure:
+  tls:
+    enabled: true
+
+providers:
+  kubernetesIngress:
+    allowExternalNameServices: true
+
+deployment:
+  replicas: 2
+
+  annotations:
+    keel.sh/policy: minor
+    keel.sh/trigger: patch
+    keel.sh/pollSchedule: "@midnight"
+
+  podAnnotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/port: '9100'
+
+# Globally redirect to https://
+globalArguments:
+ - --entryPoints.web.http.redirections.entryPoint.to=:443
+ - --entryPoints.web.http.redirections.entryPoint.scheme=https
+
+service:
+  spec:
+    # Keep sync with ingress.yml
+    loadBalancerIP: 193.40.103.36
+    externalTrafficPolicy: Local
+
+ingressRoute:
+  dashboard:
+    enabled: true
+    domain: traefik.k-space.ee
+
+tlsOptions:
+  default:
+    minVersion: VersionTLS12
+    cipherSuites:
+      # TLS 1.1 and 1.2 ciphers
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+      # TLS 1.3 ciphers
+      - TLS_AES_128_GCM_SHA256
+      - TLS_AES_256_GCM_SHA384
+      - TLS_CHACHA20_POLY1305_SHA256

traefik/voron.yml

@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: voron
+spec:
+  type: ExternalName
+  externalName: 100.101.3.1
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: voron
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: voron.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: voron
+            port:
+              name: http
+  tls:
+  - hosts:
+    - voron.k-space.ee
+    secretName: voron-tls

traefik/whoami.yml

@@ -0,0 +1,65 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+spec:
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+      - image: containous/whoami
+        name: whoami
+        ports:
+        - containerPort: 80
+          protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  type: ClusterIP
+  selector:
+    app: whoami
+  ports:
+  - name: whoami-http
+    port: 80
+    targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami
+  annotations:
+    cert-manager.io/cluster-issuer: default
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+spec:
+  tls:
+  - hosts:
+    - "whoami.k-space.ee"
+    secretName: whoami-tls
+  rules:
+  - host: "whoami.k-space.ee"
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: whoami
+            port:
+              number: 80