use helm native traefik dashboard ingress

2025-08-12 13:59:09 +02:00 · 2024-03-06 21:22:43 +01:00
parent f35e7e73fa
commit b82d213532
7 changed files with 57 additions and 92 deletions
--- a/oci-managed/main.tf
+++ b/oci-managed/main.tf
@@ -57,8 +57,8 @@ module "nlb" {
    certmanager_email_address = var.certmanager_email_address
    cloudflare_email_address  = var.cloudflare_email_address
    cloudflare_api_key        = var.cloudflare_api_key
+    dashboard-url = "traefik.${var.my_domain}"
  }
-  traefik_dashboard_ingress_file = "traefik-dashboard.tfpl.yaml"

  depends_on = [ module.oke ]
 }
--- a/oci-managed/nlb/provider.tf
+++ b/oci-managed/nlb/provider.tf
@@ -4,9 +4,5 @@ terraform {
      source  = "hashicorp/helm"
      version = ">= 2.12.1"
    }
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = ">= 1.14.0"
-    }
  }
 }
--- a/oci-managed/nlb/traefik.tf
+++ b/oci-managed/nlb/traefik.tf
@@ -5,13 +5,17 @@ resource "helm_release" "traefik" {
  repository       = "https://traefik.github.io/charts"
  chart            = "traefik"
  version          = var.traefik_chart_version
+  cleanup_on_fail = true

  # Helm chart deployment can sometimes take longer than the default 5 minutes
  timeout = var.timeout_seconds

  # If values file specified by the var.values_file input variable exists then apply the values from this file
  # else apply the default values from the chart
-  values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", var.traefik_template_values) : ""]
+  values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", merge({
+    traefik_dashboard_username = base64encode("admin")
+    traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
+  }, var.traefik_template_values)) : ""]

  set {
    name  = "deployment.replicas"
@@ -25,12 +29,4 @@ resource "random_password" "traefik_dashboard_password" {
  override_special = "_%@"
  upper            = true
  lower            = true
-}
-
-resource "kubectl_manifest" "dashboard-ingress" {
-  depends_on = [helm_release.traefik]
-  yaml_body  = templatefile("${path.root}/${var.traefik_dashboard_ingress_file}", {
-    traefik_dashboard_username = base64encode("admin")
-    traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
-  })
-}
+}
--- a/oci-managed/nlb/variables.tf
+++ b/oci-managed/nlb/variables.tf
@@ -22,7 +22,7 @@ variable "traefik_chart_version" {
 variable "timeout_seconds" {
  type        = number
  description = "Helm chart deployment can sometimes take longer than the default 5 minutes. Set a custom timeout here."
-  default     = 800 # 10 minutes
+  default     = 180 # 10 minutes
 }

 variable "replica_count" {
@@ -38,9 +38,4 @@ variable "values_file" {

 variable "traefik_template_values" {
  default = {}
-}
-
-variable "traefik_dashboard_ingress_file" {
-  description = "The name of the kubernetes manifest file to use"
-  type        = string
 }
--- a/oci-managed/traefik-dashboard.tfpl.yaml
+++ b/oci-managed/traefik-dashboard.tfpl.yaml
@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dashboard-authsecret
-  namespace: traefik-loadbalancer
-type: kubernetes.io/basic-auth
-data:
-  username: ${traefik_dashboard_username}
-  password: ${traefik_dashboard_password}
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-dashboard-auth
-  namespace: traefik-loadbalancer
-spec:
-  basicAuth:
-    secret: dashboard-authsecret
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: traefik-loadbalancer
-spec:
-  routes:
-  - match: Host(`traefik.varghacsongor.hu`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-    kind: Rule
-    services:
-    - name: api@internal
-      kind: TraefikService
-    middlewares:
-      - name: traefik-dashboard-auth
--- a/oci-managed/traefik-values.tfpl.yaml
+++ b/oci-managed/traefik-values.tfpl.yaml
@@ -59,19 +59,19 @@ deployment:
  #   hostPath:
  #     path: /var/run/statsd-exporter
  # -- Additional initContainers (e.g. for setting file permission as shown below)
-  initContainers: []
+  initContainers:
  # The "volume-permissions" init container is required if you run into permission issues.
  # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
-  # - name: volume-permissions
-  #   image: busybox:latest
-  #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
-  #   securityContext:
-  #     runAsNonRoot: true
-  #     runAsGroup: 65532
-  #     runAsUser: 65532
-  #   volumeMounts:
-  #     - name: data
-  #       mountPath: /data
+    - name: volume-permissions
+      image: busybox:latest
+      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 65532
+        runAsUser: 65532
+      volumeMounts:
+        - name: data
+          mountPath: /data
  # -- Use process namespace sharing
  shareProcessNamespace: false
  # -- Custom pod DNS policy. Apply if `hostNetwork: true`
@@ -155,15 +155,15 @@ ingressRoute:
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the dashboard ingressRoute
-    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    matchRule: Host(`${dashboard-url}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
-    entryPoints: ["traefik"]
+    entryPoints: ["websecure"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
-    middlewares: []
-    # -- TLS options (e.g. secret containing certificate)
-    tls: {}
+    middlewares: 
+      - name: traefik-dashboard-auth 
+
  healthcheck:
    # -- Create an IngressRoute for the healthcheck probe
    enabled: false
@@ -588,6 +588,10 @@ env:
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace
+- name: CLOUDFLARE_EMAIL
+  value: ${cloudflare_email_address}
+- name: CLOUDFLARE_API_KEY
+  value: ${cloudflare_api_key}
 # - name: SOME_VAR
 #   value: some-var-value
 # - name: SOME_VAR_FROM_CONFIG_MAP
@@ -856,7 +860,7 @@ persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  # It can be used to store TLS certificates, see `storage` in certResolvers
-  enabled: false
+  enabled: true
  name: data
  #  existingClaim: ""
  accessMode: ReadWriteOnce
@@ -868,35 +872,22 @@ persistence:
  # -- Only mount a subpath of the Volume into the pod
  # subPath: ""

-# -- Certificates resolvers configuration
-certResolvers: {}
-
 %{ if letsencrypt }
-letsencrypt:
-     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+# -- Certificates resolvers configuration
+certResolvers:
+  letsencrypt:
+    # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
    email: ${certmanager_email_address}
    dnsChallenge:
-       # also add the provider's required configuration under env
-       # or expand then from secrets/configmaps with envfrom
-       # cf. https://doc.traefik.io/traefik/https/acme/#providers
      provider: cloudflare   
-       # add futher options for the dns challenge as needed
-       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
-#      delayBeforeCheck: 30
      resolvers:
-         - 1.1.1.1
-         - 1.0.0.2
+        - 1.1.1.1
+        - 1.0.0.2

      tlsChallenge: true
      httpChallenge:
-       entryPoint: "web"
-     # It has to match the path with a persistent volume
+      entryPoint: "web"
      storage: /data/acme.json
-      env:
-        - name: CLOUDFLARE_EMAIL
-          value: ${cloudflare_email_address}
-        - name: CLOUDFLARE_API_KEY
-          value: ${cloudflare_api_key}
 %{ endif }

 # -- If hostNetwork is true, runs traefik in the host network namespace
@@ -996,7 +987,24 @@ podSecurityContext:
 #
 # In some cases, it can avoid the need for additional, extended or adhoc deployments.
 # See #595 for more details and traefik/tests/values/extra.yaml for example.
-extraObjects: []
+extraObjects:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: dashboard-authsecret
+      namespace: traefik-loadbalancer
+    type: kubernetes.io/basic-auth
+    data:
+      username: ${traefik_dashboard_username}
+      password: ${traefik_dashboard_password}
+  - apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: traefik-dashboard-auth
+      namespace: traefik-loadbalancer
+    spec:
+      basicAuth:
+        secret: dashboard-authsecret

 # This will override the default Release Namespace for Helm.
 # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
--- a/oci-managed/variables.tf
+++ b/oci-managed/variables.tf
@@ -15,6 +15,9 @@ variable "cloudflare_email_address" {
 variable "cloudflare_api_key" {
  type = string
 }
+variable "my_domain" {
+  type = string
+}

 variable "region" {}
 variable "public_key_path" {}