use helm native traefik dashboard ingress

oci-managed/main.tf

@@ -57,8 +57,8 @@ module "nlb" {
     certmanager_email_address = var.certmanager_email_address
     cloudflare_email_address  = var.cloudflare_email_address
     cloudflare_api_key        = var.cloudflare_api_key
+    dashboard-url = "traefik.${var.my_domain}"
   }
-  traefik_dashboard_ingress_file = "traefik-dashboard.tfpl.yaml"
 
   depends_on = [ module.oke ]
 }

oci-managed/nlb/provider.tf

@@ -4,9 +4,5 @@ terraform {
       source  = "hashicorp/helm"
       version = ">= 2.12.1"
     }
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = ">= 1.14.0"
-    }
   }
 }

oci-managed/nlb/traefik.tf

@@ -5,13 +5,17 @@ resource "helm_release" "traefik" {
   repository       = "https://traefik.github.io/charts"
   chart            = "traefik"
   version          = var.traefik_chart_version
+  cleanup_on_fail = true
 
   # Helm chart deployment can sometimes take longer than the default 5 minutes
   timeout = var.timeout_seconds
 
   # If values file specified by the var.values_file input variable exists then apply the values from this file
   # else apply the default values from the chart
-  values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", var.traefik_template_values) : ""]
+  values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", merge({
+    traefik_dashboard_username = base64encode("admin")
+    traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
+  }, var.traefik_template_values)) : ""]
 
   set {
     name  = "deployment.replicas"
@@ -26,11 +30,3 @@ resource "random_password" "traefik_dashboard_password" {
   upper            = true
   lower            = true
 }
-
-resource "kubectl_manifest" "dashboard-ingress" {
-  depends_on = [helm_release.traefik]
-  yaml_body  = templatefile("${path.root}/${var.traefik_dashboard_ingress_file}", {
-    traefik_dashboard_username = base64encode("admin")
-    traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
-  })
-}

oci-managed/nlb/variables.tf

@@ -22,7 +22,7 @@ variable "traefik_chart_version" {
 variable "timeout_seconds" {
   type        = number
   description = "Helm chart deployment can sometimes take longer than the default 5 minutes. Set a custom timeout here."
-  default     = 800 # 10 minutes
+  default     = 180 # 10 minutes
 }
 
 variable "replica_count" {
@@ -39,8 +39,3 @@ variable "values_file" {
 variable "traefik_template_values" {
   default = {}
 }
-
-variable "traefik_dashboard_ingress_file" {
-  description = "The name of the kubernetes manifest file to use"
-  type        = string
-}

oci-managed/traefik-dashboard.tfpl.yaml

@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dashboard-authsecret
-  namespace: traefik-loadbalancer
-type: kubernetes.io/basic-auth
-data:
-  username: ${traefik_dashboard_username}
-  password: ${traefik_dashboard_password}
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-dashboard-auth
-  namespace: traefik-loadbalancer
-spec:
-  basicAuth:
-    secret: dashboard-authsecret
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: traefik-loadbalancer
-spec:
-  routes:
-  - match: Host(`traefik.varghacsongor.hu`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-    kind: Rule
-    services:
-    - name: api@internal
-      kind: TraefikService
-    middlewares:
-      - name: traefik-dashboard-auth

oci-managed/traefik-values.tfpl.yaml

@@ -59,19 +59,19 @@ deployment:
   #   hostPath:
   #     path: /var/run/statsd-exporter
   # -- Additional initContainers (e.g. for setting file permission as shown below)
-  initContainers: []
+  initContainers:
   # The "volume-permissions" init container is required if you run into permission issues.
   # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
-  # - name: volume-permissions
+    - name: volume-permissions
-  #   image: busybox:latest
+      image: busybox:latest
-  #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
-  #   securityContext:
+      securityContext:
-  #     runAsNonRoot: true
+        runAsNonRoot: true
-  #     runAsGroup: 65532
+        runAsGroup: 65532
-  #     runAsUser: 65532
+        runAsUser: 65532
-  #   volumeMounts:
+      volumeMounts:
-  #     - name: data
+        - name: data
-  #       mountPath: /data
+          mountPath: /data
   # -- Use process namespace sharing
   shareProcessNamespace: false
   # -- Custom pod DNS policy. Apply if `hostNetwork: true`
@@ -155,15 +155,15 @@ ingressRoute:
     # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
     labels: {}
     # -- The router match rule used for the dashboard ingressRoute
-    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    matchRule: Host(`${dashboard-url}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
     # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
     # By default, it's using traefik entrypoint, which is not exposed.
     # /!\ Do not expose your dashboard without any protection over the internet /!\
-    entryPoints: ["traefik"]
+    entryPoints: ["websecure"]
     # -- Additional ingressRoute middlewares (e.g. for authentication)
-    middlewares: []
+    middlewares: 
-    # -- TLS options (e.g. secret containing certificate)
+      - name: traefik-dashboard-auth 
-    tls: {}
+
   healthcheck:
     # -- Create an IngressRoute for the healthcheck probe
     enabled: false
@@ -588,6 +588,10 @@ env:
   valueFrom:
     fieldRef:
       fieldPath: metadata.namespace
+- name: CLOUDFLARE_EMAIL
+  value: ${cloudflare_email_address}
+- name: CLOUDFLARE_API_KEY
+  value: ${cloudflare_api_key}
 # - name: SOME_VAR
 #   value: some-var-value
 # - name: SOME_VAR_FROM_CONFIG_MAP
@@ -856,7 +860,7 @@ persistence:
   # -- Enable persistence using Persistent Volume Claims
   # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
   # It can be used to store TLS certificates, see `storage` in certResolvers
-  enabled: false
+  enabled: true
   name: data
   #  existingClaim: ""
   accessMode: ReadWriteOnce
@@ -868,21 +872,14 @@ persistence:
   # -- Only mount a subpath of the Volume into the pod
   # subPath: ""
 
-# -- Certificates resolvers configuration
-certResolvers: {}
-
 %{ if letsencrypt }
+# -- Certificates resolvers configuration
+certResolvers:
   letsencrypt:
     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
     email: ${certmanager_email_address}
     dnsChallenge:
-       # also add the provider's required configuration under env
-       # or expand then from secrets/configmaps with envfrom
-       # cf. https://doc.traefik.io/traefik/https/acme/#providers
       provider: cloudflare   
-       # add futher options for the dns challenge as needed
-       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
-#      delayBeforeCheck: 30
       resolvers:
         - 1.1.1.1
         - 1.0.0.2
@@ -890,13 +887,7 @@ letsencrypt:
       tlsChallenge: true
       httpChallenge:
       entryPoint: "web"
-     # It has to match the path with a persistent volume
       storage: /data/acme.json
-      env:
-        - name: CLOUDFLARE_EMAIL
-          value: ${cloudflare_email_address}
-        - name: CLOUDFLARE_API_KEY
-          value: ${cloudflare_api_key}
 %{ endif }
 
 # -- If hostNetwork is true, runs traefik in the host network namespace
@@ -996,7 +987,24 @@ podSecurityContext:
 #
 # In some cases, it can avoid the need for additional, extended or adhoc deployments.
 # See #595 for more details and traefik/tests/values/extra.yaml for example.
-extraObjects: []
+extraObjects:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: dashboard-authsecret
+      namespace: traefik-loadbalancer
+    type: kubernetes.io/basic-auth
+    data:
+      username: ${traefik_dashboard_username}
+      password: ${traefik_dashboard_password}
+  - apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: traefik-dashboard-auth
+      namespace: traefik-loadbalancer
+    spec:
+      basicAuth:
+        secret: dashboard-authsecret
 
 # This will override the default Release Namespace for Helm.
 # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`

oci-managed/variables.tf

@@ -15,6 +15,9 @@ variable "cloudflare_email_address" {
 variable "cloudflare_api_key" {
   type = string
 }
+variable "my_domain" {
+  type = string
+}
 
 variable "region" {}
 variable "public_key_path" {}