
Merge pull request #607 from ChristianLempa/604-update-traefik-helm-chart-to-support-dashboard-secure-exposure

traefik kubernetes updates and reorganization
Christian Lempa 1 год назад
Родитель
Сommit
84f718d79b

+ 0 - 0
github-actions/kubectl/kubernetes-deploy.yml → actions/github/kubectl/kubernetes-deploy.yml


+ 0 - 0
github-actions/scp-action/copy-config-files.yml → actions/github/scp-action/copy-config-files.yml


+ 0 - 0
github-actions/ssh-action/restart-docker.yml → actions/github/ssh-action/restart-docker.yml


+ 0 - 0
docker-compose/traefik/config/conf.d/externalservice.yaml.example → docker-compose/traefik/config/conf.d/externalservice.yaml


+ 20 - 0
docker-compose/traefik/config/conf.d/middleware-authentik.yaml

@@ -0,0 +1,20 @@
+# --> (Optional) Securely expose apps using the Traefik proxy outpost...
+# http:
+#   middlewares:
+#     authentik-middleware:
+#       forwardAuth:
+#         address: http://your-authentik-outpost-fqdn:9000/outpost.goauthentik.io/auth/traefik
+#         trustForwardHeader: true
+#         authResponseHeaders:
+#           - X-authentik-username
+#           - X-authentik-groups
+#           - X-authentik-email
+#           - X-authentik-name
+#           - X-authentik-uid
+#           - X-authentik-jwt
+#           - X-authentik-meta-jwks
+#           - X-authentik-meta-outpost
+#           - X-authentik-meta-provider
+#           - X-authentik-meta-app
+#           - X-authentik-meta-version
+# <--
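Review bot: The `address:` line points Traefik at the outpost over plain `http://`, so the forwardAuth exchange and the identity headers returned in `authResponseHeaders` (including `X-authentik-jwt`) travel unencrypted between Traefik and the outpost; that is only acceptable when both sit on the same private Docker network. A comment stating the assumption would help readers who copy this template, e.g. `# The outpost must be reachable on a trusted internal network; use https:// if it is not.` The same block is repeated in `kubernetes/traefik/middleware.yaml`, where the address is quoted while here it is not; quoting it here too keeps the two templates consistent.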

+ 22 - 0
docker-compose/traefik/config/conf.d/middleware-passbolt.yaml

@@ -0,0 +1,22 @@
+# --> (Optional) When using Passbolt with Traefik...
+# http:
+#   middlewares:
+#     passbolt-middleware:
+#       headers:
+#         FrameDeny: true
+#         AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+#         AccessControlAllowOriginList:
+#           - origin-list-or-null
+#         AccessControlMaxAge: 100
+#         AddVaryHeader: true
+#         BrowserXssFilter: true
+#         ContentTypeNosniff: true
+#         ForceSTSHeader: true
+#         STSIncludeSubdomains: true
+#         STSPreload: true
+#         ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+#         CustomFrameOptionsValue: SAMEORIGIN
+#         ReferrerPolicy: same-origin
+#         PermissionsPolicy: vibrate 'self'
+#         STSSeconds: 315360000
+# <--
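Review bot: `PermissionsPolicy: vibrate 'self'` uses the older Feature-Policy syntax, but the `Permissions-Policy` header that Traefik's `permissionsPolicy` option emits expects `feature=(allowlist)`, so browsers will ignore the directive as written; the line should read `PermissionsPolicy: vibrate=(self)`, and since `vibrate` may no longer be a recognised feature in current browsers, confirm it is still wanted. The `origin-list-or-null` placeholder appears to invite a literal `null` origin, which should be avoided: documents with an opaque origin (sandboxed frames, `data:` URLs) send `Origin: null` and would then pass the CORS check. `ContentSecurityPolicy: default-src 'self' 'unsafe-inline'` permits inline scripts, which removes most of the XSS protection a CSP provides; if this is the value Passbolt's frontend currently requires, a comment saying so would tell readers why it is loosened rather than inviting them to copy it elsewhere.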

+ 0 - 0
docker-compose/traefik/config/conf.d/tls.yaml.example → docker-compose/traefik/config/conf.d/tls.yaml


+ 0 - 19
helm/traefik/values.yaml

@@ -1,19 +0,0 @@
-image:
-  repository: traefik
-  version: v3.2.3
-  pullPolicy: IfNotPresent
-
-# --> (Optional) Change log settings here...
-# logs:
-#   general:
-#     level: ERROR
-#   access:
-#     enabled: false
-# <--
-
-# --> (Optional) Redirect HTTP to HTTPs by default
-# ports:
-#   web:
-#     redirectTo: 
-#       port: websecure
-# <--

+ 0 - 0
kubernetes/cert-manager/certificate.yaml.example → kubernetes/cert-manager/examples/certificate.yaml


+ 0 - 0
helm/cert-manager/values.yaml → kubernetes/cert-manager/helm-values.yaml


+ 0 - 0
helm/longhorn/values.yaml → kubernetes/longhorn/helm-values.yaml


+ 0 - 0
helm/portainer/values.yaml → kubernetes/portainer/helm-values.yaml


+ 14 - 0
kubernetes/traefik/certificate.yaml

@@ -0,0 +1,14 @@
+# --> (Optional) Securely expose the Traefik dashboard...
+# apiVersion: cert-manager.io/v1
+# kind: Certificate
+# metadata:
+#   name: traefik-web-ui-cert
+#   namespace: traefik
+# spec:
+#   secretName: traefik-web-ui-tls
+#   dnsNames:
+#     - your-traefik-dashboard-fqdn
+#   issuerRef:
+#     name: cloudflare-clusterissuer  # <-- Replace with your issuer name
+#     kind: ClusterIssuer
+# <--
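Review bot: Two values in this example must agree with `kubernetes/traefik/helm-values.yaml` but nothing says so: `secretName: traefik-web-ui-tls` has to equal the dashboard IngressRoute's `tls.secretName`, and `namespace: traefik` presumably has to be the namespace the Traefik chart is released into, because an IngressRoute can only reference a TLS secret in its own namespace. A comment on the `secretName` line such as `# <-- Must match ingressRoute.dashboard.tls.secretName in helm-values.yaml` would make the coupling visible. The `dnsNames` placeholder should likewise note that it must match the `Host()` rule in that file, otherwise the issued certificate will not cover the dashboard hostname.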

+ 0 - 0
kubernetes/traefik/ingressroute.yaml.example → kubernetes/traefik/examples/ingressroute.yaml


+ 0 - 0
kubernetes/traefik/ingressroutetcp.yaml.example → kubernetes/traefik/examples/ingressroutetcp.yaml


+ 32 - 0
kubernetes/traefik/helm-values.yaml

@@ -0,0 +1,32 @@
+image:
+  repository: traefik
+  tag: v3.2.3
+  pullPolicy: IfNotPresent
+
+# --> Change redirect HTTP to HTTPs by default here...
+ports:
+  web:
+    redirectTo: 
+      port: websecure
+# <--
+
+# --> (Optional) Securely expose the Traefik dashboard...
+# ingressRoute:
+#   dashboard:
+#     enabled: true
+#     entryPoints:
+#       - websecure
+#     matchRule: Host(`your-traefik-dashboard-fqdn`)  # <-- Replace with your FQDN
+#     middlewares:
+#       - name: traefik-web-ui-middleware  # <-- Replace with your authentication middleware
+#     tls:
+#       secretName: traefik-web-ui-tls  # <-- Replace with your TLS secret name
+# <--
+
+# --> (Optional) Change log settings here...
+# logs:
+#   general:
+#     level: ERROR
+#   access:
+#     enabled: false
+# <--
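Review bot: In the commented dashboard block the `middlewares:` entry is the only access control in front of the dashboard and its `/api` endpoints, so `enabled: true` with `entryPoints: - websecure` must never be uncommented without it; a comment on the `enabled` line, `# <-- Do not enable without the middlewares entry below, or the dashboard is reachable unauthenticated`, would make that explicit. The middleware is referenced by bare `name`, which the chart presumably resolves in the release namespace, so the block should also note that `kubernetes/traefik/middleware.yaml` has to be applied to that same namespace for the reference to resolve. `redirectTo: ` appears to carry a trailing space, which yamllint flags; trim it.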

+ 23 - 0
kubernetes/traefik/middleware.yaml

@@ -0,0 +1,23 @@
+# --> (Optional) Securely expose the Traefik dashboard...
+# apiVersion: traefik.io/v1alpha1
+# kind: Middleware
+# metadata:
+#   name: traefik-web-ui-middleware
+#   namespace: traefik
+# spec:
+#   forwardAuth:
+#     address: "http://your-authentik-outpost-fqdn:9000/outpost.goauthentik.io/auth/traefik"
+#     trustForwardHeader: true
+#     authResponseHeaders:
+#       - X-authentik-username
+#       - X-authentik-groups
+#       - X-authentik-email
+#       - X-authentik-name
+#       - X-authentik-uid
+#       - X-authentik-jwt
+#       - X-authentik-meta-jwks
+#       - X-authentik-meta-outpost
+#       - X-authentik-meta-provider
+#       - X-authentik-meta-app
+#       - X-authentik-meta-version
+# <--
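Review bot: The `authResponseHeaders` list forwards the full authentik identity set, including `X-authentik-jwt`, to the upstream, yet this middleware is meant for the Traefik dashboard (per the comment on the first line), which consumes none of these headers; for that use the list can be dropped, or reduced to what a given backend actually reads, so identity tokens are not handed to a service with no need for them. A comment such as `# Only forward headers the protected backend actually consumes; the dashboard needs none of these` would record the intent for anyone reusing the block. The same header list also lives in `docker-compose/traefik/config/conf.d/middleware-authentik.yaml`, where the `address` is unquoted while here it is quoted; pick one form for both templates.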