fix: Enable ssh
@@ -0,0 +1,48 @@
|
||||
---
|
||||
# From repository
|
||||
- name: Add traefik helm repo
|
||||
kubernetes.core.helm_repository:
|
||||
name: traefik
|
||||
repo_url: "https://helm.traefik.io/traefik"
|
||||
|
||||
- name: Update the repository cache
|
||||
kubernetes.core.helm:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
name: dummy
|
||||
namespace: kube-system
|
||||
state: absent
|
||||
update_repo_cache: true
|
||||
|
||||
- name: Deploy latest version of Traefik chart inside traefik namespace (and create it)
|
||||
kubernetes.core.helm:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
name: traefik
|
||||
chart_ref: traefik/traefik
|
||||
release_namespace: traefik
|
||||
create_namespace: true
|
||||
values: "{{ lookup('template', 'values.yml') | from_yaml }}"
|
||||
|
||||
- name: Deploy traefik default headers
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
state: present
|
||||
definition: "{{ lookup('template', 'default-headers.yml') | from_yaml }}"
|
||||
|
||||
- name: Deploy secret for traefik dashboard
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
state: present
|
||||
definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}"
|
||||
|
||||
- name: Deploy forwardauth middleware
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
state: present
|
||||
namespace: traefik
|
||||
definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
|
||||
|
||||
- name: Create dashboard ingress
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /Users/lino.silva/.kube/config
|
||||
state: present
|
||||
definition: "{{ lookup('template', 'dashboard-ingress.yml') | from_yaml }}"
|
||||
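Review bot: Every task hard-codes `kubeconfig: /Users/lino.silva/.kube/config`, a user-specific absolute path that will not exist on any other control node; declare it once as a play or inventory variable and use `kubeconfig: "{{ kubeconfig_path }}"`, or drop the key and let the module pick up `KUBECONFIG` from the environment. The deploy task pulls `chart_ref: traefik/traefik` with no `chart_version`, so each run installs whatever the repo currently publishes; because the CRD manifests in this commit use the `traefik.containo.us/v1alpha1` API group, which newer Traefik majors no longer serve, an unpinned chart can break the deploy, so add `chart_version: "<pinned-chart-version>"`. The "Update the repository cache" task installs and removes a `dummy` release only to trigger `update_repo_cache: true`; that option can be set directly on the real deploy task, which removes an unnecessary write against the cluster.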
@@ -0,0 +1,30 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: traefik-dashboard
|
||||
namespace: traefik
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik-external
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`traefik-dash.lino.cooking`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: traefik-dash-middleware-forwardauth
|
||||
namespace: traefik
|
||||
services:
|
||||
- name: api@internal
|
||||
kind: TraefikService
|
||||
- match: "Host(`traefik-dash.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
kind: Rule
|
||||
priority: 15
|
||||
services:
|
||||
- kind: Service
|
||||
# Or, to use an external Outpost, create an ExternalName service and reference that here.
|
||||
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
||||
name: authentik
|
||||
port: 9000
|
||||
# tls:
|
||||
# secretName: lino-cooking-staging-tls
|
||||
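Review bot: The `authentik` service on the outpost route carries no `namespace:`, so Traefik resolves it in the IngressRoute's own namespace (`traefik`); if authentik runs elsewhere the route fails to resolve, and the fix is `namespace: <authentik-namespace>` under that service entry (cross-namespace references are enabled in the values file of this commit). The `tls:` stanza is commented out, so the dashboard is served with whatever default certificate the `websecure` entrypoint holds — from the values in this commit that appears to be Traefik's built-in self-signed one; either restore `tls: secretName: <tls-secret>` or attach a certResolver. `apiVersion: traefik.containo.us/v1alpha1` is the legacy API group; `traefik.io/v1alpha1` is the current one and worth adopting before the chart is upgraded. The same API-group point applies to the two Middleware hunks below.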
@@ -0,0 +1,16 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: default-headers
|
||||
namespace: default
|
||||
spec:
|
||||
headers:
|
||||
browserXssFilter: true
|
||||
contentTypeNosniff: true
|
||||
forceSTSHeader: true
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
stsSeconds: 15552000
|
||||
customFrameOptionsValue: SAMEORIGIN
|
||||
customRequestHeaders:
|
||||
X-Forwarded-Proto: https
|
||||
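Review bot: `namespace: default` is the only resource in this commit outside the `traefik` namespace, and nothing else in this commit references `default-headers`, so routes in the traefik namespace would need a cross-namespace reference (`default-default-headers@kubernetescrd`) to use it; if that is unintended, change it to `namespace: traefik`. `stsPreload: true` together with `stsSeconds: 15552000` emits a `preload` directive with a 180-day max-age, which is below the one-year minimum the HSTS preload list requires, so either raise it to `stsSeconds: 31536000` or drop `stsPreload`. `browserXssFilter: true` sets the legacy `X-XSS-Protection` header, which current browsers ignore and which is generally recommended to be disabled; harmless here but worth a comment explaining why it is kept.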
@@ -0,0 +1,20 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: traefik-dash-middleware-forwardauth
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: https://traefik-dash.lino.cooking/outpost.goauthentik.io/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
- X-authentik-jwt
|
||||
- X-authentik-meta-jwks
|
||||
- X-authentik-meta-outpost
|
||||
- X-authentik-meta-provider
|
||||
- X-authentik-meta-app
|
||||
- X-authentik-meta-version
|
||||
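Review bot: `address:` points at the public hostname `https://traefik-dash.lino.cooking/...`, so every auth sub-request leaves the cluster and re-enters through Traefik's own LoadBalancer, and its TLS is only accepted because the values file sets `--serversTransport.insecureSkipVerify=true`; pointing it at the in-cluster outpost service (`http://<authentik-service>.<namespace>:9000/outpost.goauthentik.io/auth/traefik`) avoids the hairpin and the need for skip-verify. `trustForwardHeader: true` passes client-supplied `X-Forwarded-*` headers through to authentik unchanged; that is only safe while the entrypoint keeps its default of not trusting those headers from arbitrary sources, so a comment such as `# relies on the entrypoint's default forwardedHeaders handling; do not set forwardedHeaders.insecure` would record the dependency. The manifest has no `metadata.namespace` and relies on the playbook task supplying `namespace: traefik`; adding `namespace: traefik` here makes the file self-describing like the other manifests in this commit.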
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: traefik-dashboard-auth
|
||||
namespace: traefik
|
||||
type: Opaque
|
||||
data:
|
||||
users: "{{ traefik_http_auth_user }}"
|
||||
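Review bot: `users` is populated from `{{ traefik_http_auth_user }}` under `data:`, which the API server requires to be base64-encoded; if the variable holds the plain `user:hash` line the apply fails or stores an unusable value, so either move it under `stringData:` or write `users: "{{ traefik_http_auth_user | b64encode }}"`. Nothing else in this commit references `traefik-dashboard-auth` (the dashboard route uses the forwardAuth middleware), so this looks like a leftover basicAuth secret; drop it or add a comment naming what consumes it. The credential is read from a play variable, which should live in an Ansible Vault rather than a plaintext vars file.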
@@ -0,0 +1,51 @@
|
||||
globalArguments:
|
||||
- "--global.sendanonymoususage=false"
|
||||
- "--global.checknewversion=false"
|
||||
|
||||
additionalArguments:
|
||||
- "--serversTransport.insecureSkipVerify=true"
|
||||
- "--log.level=INFO"
|
||||
|
||||
deployment:
|
||||
enabled: true
|
||||
replicas: 3
|
||||
annotations: {}
|
||||
podAnnotations: {}
|
||||
additionalContainers: []
|
||||
initContainers: []
|
||||
|
||||
ports:
|
||||
web:
|
||||
redirectTo: websecure
|
||||
websecure:
|
||||
tls:
|
||||
enabled: true
|
||||
|
||||
ingressRoute:
|
||||
dashboard:
|
||||
enabled: false
|
||||
|
||||
providers:
|
||||
kubernetesCRD:
|
||||
enabled: true
|
||||
ingressClass: traefik-external
|
||||
allowExternalNameServices: true
|
||||
allowCrossNamespace: true
|
||||
kubernetesIngress:
|
||||
enabled: true
|
||||
publishedService:
|
||||
enabled: false
|
||||
allowExternalNameServices: true
|
||||
|
||||
rbac:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
enabled: true
|
||||
type: LoadBalancer
|
||||
annotations: {}
|
||||
labels: {}
|
||||
spec:
|
||||
loadBalancerIP: 10.0.4.1 # this should be an IP in the MetalLB range
|
||||
loadBalancerSourceRanges: []
|
||||
externalIPs: []
|
||||
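Review bot: `--serversTransport.insecureSkipVerify=true` turns off certificate verification for every backend Traefik talks to, not only the one that needs it; scope it with a `ServersTransport` CRD carrying `insecureSkipVerify: true` and reference it from the specific service, then drop the global flag. `loadBalancerIP: 10.0.4.1` relies on a Service field that Kubernetes has deprecated since 1.24; MetalLB accepts an annotation for the same purpose, so the pin may silently stop working on a newer cluster. `allowCrossNamespace: true` and both `allowExternalNameServices: true` switches widen what any namespace can route to; the manifests in this commit appear to need the first, but a comment next to each naming the reference that depends on it would make them easier to revisit, and the ExternalName ones can be dropped unless something actually uses them.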