feat(traefik): add Traefik configuration files and resources (#941)

* feat(traefik): add Traefik configuration files and resources

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): correct web port redirection configuration

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): remove unnecessary redirection scheme and permanence settings

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(policyignore): expand ignored patterns for various resources

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): update redirection configuration to use HTTPS scheme and remove deprecated HelmRelease

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): update dashboard ingress route match rule to include API path prefix

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): simplify dashboard ingress route match rule by removing API path prefix

Signed-off-by: Nikolai Emil Damm <[email protected]>

* chore(cloudflared): remove obsolete HelmRelease, HelmRepository, and related configurations

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix(traefik): update service type to LoadBalancer in helm-release configuration

Signed-off-by: Nikolai Emil Damm <[email protected]>

* feat(cloudflared): add HelmRelease, HelmRepository, and related configurations for Cloudflared

Signed-off-by: Nikolai Emil Damm <[email protected]>

* feat(variables): add traefik_service_type to ConfigMap and cloudflared_tunnel_token to Secret

Signed-off-by: Nikolai Emil Damm <[email protected]>

* refactor(dex): remove deprecated HelmRelease and related resources; update namespace labels

Signed-off-by: Nikolai Emil Damm <[email protected]>

---------

Signed-off-by: Nikolai Emil Damm <[email protected]>

Author: devantler

.policyignore

@@ -6,13 +6,34 @@
 *README.md
 argo*
 aws*
+best-practices-cel*
+best-practices*
 castai*
+cert-manager*
+cleanup*
 consul*
+external-secret-operator*
+flux-cel*
+flux*
 istio*
+karpenter*
 kasten*
+kubecost-cel*
+kubecost*
+kubevirt*
 linkerd*
 nginx*
 openshift*
+other-cel*
+other*
+pod-security-cel*
+pod-security*
+psa-cel*
+psa*
+psp-migration-cel*
+psp-migration*
 tekton*
+traefik-cel*
+traefik*
 velero*
 windows-security*

k8s/bases/infrastructure/cloudflared/namespace.yaml

@@ -3,10 +3,6 @@ kind: HelmRelease
 metadata:
   name: dex
   namespace: dex
-  labels:
-    helm.toolkit.fluxcd.io/crds: enabled
-    helm.toolkit.fluxcd.io/helm-test: enabled
-    helm.toolkit.fluxcd.io/remediation: enabled
 spec:
   interval: 10m
   chart:
@@ -22,12 +18,12 @@ spec:
       enabled: true
       className: ${ingress_class_name:=}
       hosts:
-        - host: dex.${cluster_domain}
+        - host: dex.${domain}
           paths:
             - path: /
               pathType: ImplementationSpecific
     config:
-      issuer: https://dex.${cluster_domain}
+      issuer: https://dex.${domain}
       storage:
         type: kubernetes
         config:
@@ -38,17 +34,15 @@ spec:
         - name: GitHub
           id: github
           secret: ${dex_client_secret}
-          redirectURIs:
-            - https://headlamp.${cluster_domain}/oidc-callback
-            - https://grafana.${cluster_domain}/login/generic_oauth
+          redirectURIs: []
       connectors:
         - name: GitHub
           type: github
           id: github
           config:
-            clientID: ${github_client_id}
-            clientSecret: ${github_client_secret}
+            clientID: ${github_app_client_id}
+            clientSecret: ${github_app_client_secret}
             teamNameField: slug
-            redirectURI: https://dex.${cluster_domain}/callback
+            redirectURI: https://dex.${domain}/callback
             orgs:
-              - name: devantlerware
+              - name: devantler-tech

k8s/bases/infrastructure/controllers/dex/helm-release.yaml

@@ -5,4 +5,4 @@ metadata:
   labels:
     goldilocks.fairwinds.com/enabled: "true"
     goldilocks.fairwinds.com/vpa-update-mode: "auto"
-    goldilocks.fairwinds.com/vpa-min-replicas: "1"
+    goldilocks.fairwinds.com/vpa-min-replicas: "2"

k8s/bases/infrastructure/controllers/dex/namespace.yaml

@@ -4,4 +4,6 @@ kind: Kustomization
 resources:
   - cert-manager/
   - cilium/
+  - dex/
   - reloader/
+  - traefik/

k8s/bases/infrastructure/controllers/kustomization.yaml

@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: traefik
+      version: 35.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+  # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
+  values:
+    ports:
+      web:
+        redirections:
+          entryPoint:
+            to: websecure
+            scheme: https
+      # websecure:
+      #   middlewares:
+      #     - traefik-auth-headers@kubernetescrd
+    # tlsStore:
+    #   default:
+    #     defaultCertificate:
+    #       secretName: cluster-issuer-certificate-tls
+    service:
+      type: ${traefik_service_type:=LoadBalancer}
+    ingressRoute:
+      dashboard:
+        enabled: true
+        matchRule: Host(`traefik.${domain}`)
+        entryPoints:
+          - websecure
+        # middlewares:
+        #   - name: traefik-forward-auth
+        # annotations:
+        #   gethomepage.dev/enabled: "true"
+        #   gethomepage.dev/name: Traefik
+        #   gethomepage.dev/description: Dashboard for monitoring the traefik reverse proxy.
+        #   gethomepage.dev/group: Monitoring
+        #   gethomepage.dev/icon: traefik

k8s/bases/infrastructure/traefik/README.md renamed to k8s/bases/infrastructure/controllers/traefik/README.md

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  # labels:
+  #   goldilocks.fairwinds.com/enabled: "true"
+  #   goldilocks.fairwinds.com/vpa-update-mode: "auto"
+  #   goldilocks.fairwinds.com/vpa-min-replicas: "1"