feat: add traefik

2025-12-28 09:48:42 +01:00
parent 292dcbe909
commit bbd8b8dcb6
1 changed files with 100 additions and 0 deletions
--- a/traefik/traefik-config.yaml
+++ b/traefik/traefik-config.yaml
@@ -0,0 +1,100 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    nodeSelector:
+      kubernetes.io/hostname: k3sh0
+    providers:
+      kubernetesCRD:
+        allowCrossNamespace: true
+    certResolvers:
+      letsencrypt:
+        email: admin@t00n.de
+        dnsChallenge:
+          provider: ionos
+          delayBeforeCheck: 60
+          resolvers:
+            - 1.1.1.1
+        storage: /data/acme-ionos.json
+    ingressRoute:
+      dashboard:
+         enabled: true
+         matchRule: Host(`traefik.monitor.k8s.t000-n.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+         middlewares:
+           - name: localipfilter
+         entryPoints: ["websecure"]
+    env:
+      - name: IONOS_API_KEY
+        valueFrom:
+          secretKeyRef:
+            key: apiKey
+            name: ionos-api-credentials
+      - name: CROWDSEC_BOUNCER_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-bouncer-api-key
+            key: api-key
+    ports:
+      web:
+        port: 8000
+        expose: true
+        exposedPort: 80
+        nodePort: 32080
+      websecure:
+        port: 8443
+        expose: true
+        exposedPort: 443
+        nodePort: 32443
+        tls:
+          enabled: true
+          certResolver: "letsencrypt"
+    service:
+      enabled: true
+      single: true
+      type: LoadBalancer
+      spec:
+        externalTrafficPolicy: Local
+      externalIPs:
+        - 192.168.0.50
+        - 192.168.0.51
+        - 192.168.0.52
+        - 192.168.0.53
+    persistence:
+      enabled: true
+      name: data
+      accessMode: ReadWriteMany
+      size: 1Gi
+      storageClass: longhorn
+      path: /data
+    extraObjects:
+      - apiVersion: traefik.containo.us/v1alpha1
+        kind: Middleware
+        metadata:
+          name: localipfilter
+          namespace: kube-system
+        spec:
+          ipWhiteList:
+            sourceRange:
+              - 192.168.0.0/24
+              - 172.16.0.0/16
+              - 10.0.0.0/8
+      - apiVersion: traefik.containo.us/v1alpha1
+        kind: Middleware
+        metadata:
+          name: adminbasicauth
+          namespace: kube-system
+        spec:
+          basicAuth:
+            secret: adminbasicauthsecret
+    experimental:
+      plugins:
+        crowdsec-bouncer-traefik-plugin:
+          moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+          version: v1.4.6
+    additionalArguments:
+      - "--providers.kubernetescrd"
+      - "--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd"
+      - "--entrypoints.websecure.http.middlewares=internal-crowdsec-bouncer@kubernetescrd"