add traefik dashboard ingress

oci-managed/main.tf

@@ -51,7 +51,14 @@ module "nlb" {
 
   compartment_ocid = var.compartment_ocid
   cluster_ocid     = module.oke.cluster_ocid
-  values_file      = "traefik-values.yml"
+  values_file      = "traefik-values.tfpl.yaml"
+  traefik_template_values = {
+    letsencrypt = var.cloudflare_api_key != ""
+    certmanager_email_address = var.certmanager_email_address
+    cloudflare_email_address  = var.cloudflare_email_address
+    cloudflare_api_key        = var.cloudflare_api_key
+  }
+  traefik_dashboard_ingress_file = "traefik-dashboard.tfpl.yaml"
 
   depends_on = [ module.oke ]
 }

oci-managed/nlb/output.tf

@@ -0,0 +1,9 @@
+output "traefik_dashboard_password" {
+    value = random_password.traefik_dashboard_password.result
+    sensitive = true
+}
+
+output "traefik_dashboard_username" {
+    value = "admin"
+    sensitive = true
+}

oci-managed/nlb/provider.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.12.1"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14.0"
+    }
+  }
+}

oci-managed/nlb/traefik.tf

@@ -11,10 +11,26 @@ resource "helm_release" "traefik" {
 
   # If values file specified by the var.values_file input variable exists then apply the values from this file
   # else apply the default values from the chart
-  values = [fileexists("${path.root}/${var.values_file}") == true ? file("${path.root}/${var.values_file}") : ""]
+  values = [fileexists("${path.root}/${var.values_file}") == true ? templatefile("${path.root}/${var.values_file}", var.traefik_template_values) : ""]
 
   set {
     name  = "deployment.replicas"
     value = var.replica_count
   }
 }
+
+resource "random_password" "traefik_dashboard_password" {
+  length           = 128
+  special          = true
+  override_special = "_%@"
+  upper            = true
+  lower            = true
+}
+
+resource "kubectl_manifest" "dashboard-ingress" {
+  depends_on = [helm_release.traefik]
+  yaml_body  = templatefile("${path.root}/${var.traefik_dashboard_ingress_file}", {
+    traefik_dashboard_username = base64encode("admin")
+    traefik_dashboard_password = base64encode(random_password.traefik_dashboard_password.result)
+  })
+}

oci-managed/nlb/variables.tf

@@ -34,5 +34,13 @@ variable "replica_count" {
 variable "values_file" {
   description = "The name of the traefik helmchart values file to use"
   type        = string
-  default     = "traefik-values.yml"
+}
+
+variable "traefik_template_values" {
+  default = {}
+}
+
+variable "traefik_dashboard_ingress_file" {
+  description = "The name of the kubernetes manifest file to use"
+  type        = string
 }

oci-managed/oke/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = ">= 5.30.0"
+    }
+  }
+}

oci-managed/output.tf

@@ -0,0 +1,9 @@
+output "traefik_dashboard_username" {
+    value = module.nlb.traefik_dashboard_username
+    sensitive = true
+}
+
+output "traefik_dashboard_password" {
+    value = module.nlb.traefik_dashboard_password
+    sensitive = true
+}

oci-managed/provider.tf

@@ -8,6 +8,10 @@ terraform {
       source  = "hashicorp/helm"
       version = ">= 2.12.1"
     }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14.0"
+    }
   }
 }
 
@@ -25,3 +29,7 @@ provider "helm" {
     config_path = "oke/kubeconfig"
   }
 }
+
+provider "kubectl" {
+  config_path = "oke/kubeconfig"
+}

oci-managed/snet/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = ">= 5.30.0"
+    }
+  }
+}

oci-managed/traefik-dashboard.tfpl.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dashboard-authsecret
+  namespace: traefik-loadbalancer
+type: kubernetes.io/basic-auth
+data:
+  username: ${traefik_dashboard_username}
+  password: ${traefik_dashboard_password}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dashboard-auth
+  namespace: traefik-loadbalancer
+spec:
+  basicAuth:
+    secret: dashboard-authsecret
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik-loadbalancer
+spec:
+  routes:
+  - match: Host(`traefik.varghacsongor.hu`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: traefik-dashboard-auth

oci-managed/traefik-values.tfpl.yaml

@@ -870,30 +870,34 @@ persistence:
 
 # -- Certificates resolvers configuration
 certResolvers: {}
-#letsencrypt:
+
-#     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+%{ if letsencrypt }
-#    email: email@example.com
+letsencrypt:
-#    dnsChallenge:
+     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
-#       # also add the provider's required configuration under env
+    email: ${certmanager_email_address}
-#       # or expand then from secrets/configmaps with envfrom
+    dnsChallenge:
-#       # cf. https://doc.traefik.io/traefik/https/acme/#providers
+       # also add the provider's required configuration under env
-#      provider: cloudflare
+       # or expand then from secrets/configmaps with envfrom
-#       # add futher options for the dns challenge as needed
+       # cf. https://doc.traefik.io/traefik/https/acme/#providers
-#       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
+      provider: cloudflare   
+       # add futher options for the dns challenge as needed
+       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
 #      delayBeforeCheck: 30
-#       resolvers:
+      resolvers:
-#         - 1.1.1.1
+         - 1.1.1.1
-#         - 8.8.8.8
+         - 1.0.0.2
-#      tlsChallenge: true
+
-#      httpChallenge:
+      tlsChallenge: true
-#       entryPoint: "web"
+      httpChallenge:
-#     # It has to match the path with a persistent volume
+       entryPoint: "web"
-#      storage: /data/acme.json
+     # It has to match the path with a persistent volume
-#      env:
+      storage: /data/acme.json
-#        - name: CLOUDFLARE_EMAIL
+      env:
-#          value: ""
+        - name: CLOUDFLARE_EMAIL
-#        - name: CLOUDFLARE_API_KEY
+          value: ${cloudflare_email_address}
-#          value: ""
+        - name: CLOUDFLARE_API_KEY
+          value: ${cloudflare_api_key}
+%{ endif }
 
 # -- If hostNetwork is true, runs traefik in the host network namespace
 # To prevent unschedulabel pods due to port collisions, if hostNetwork=true

oci-managed/variables.tf

@@ -4,11 +4,18 @@ variable "user_ocid" {}
 variable "fingerprint" {}
 variable "private_key_path" {}
 variable "availability_domain" {}
-variable "my_public_ip_cidr" {}
 variable "cluster_name" {}
-variable "agent_os_image_id" {}
+
-variable "server_os_image_id" {}
+variable "certmanager_email_address" {
-variable "certmanager_email_address" {}
+  type = string
+}
+variable "cloudflare_email_address" {
+  type = string
+}
+variable "cloudflare_api_key" {
+  type = string
+}
+
 variable "region" {}
 variable "public_key_path" {}