From 5e87ddfc0845893a54895ee59fec287fcefbb15d Mon Sep 17 00:00:00 2001 From: Danny Bessems Date: Fri, 9 Jan 2026 05:35:37 +0000 Subject: [PATCH] Update lab-rke2-001/values.yaml --- {test-rke2-001 => lab-rke2-001}/values.yaml | 172 ++++++++++++++++++-- 1 file changed, 161 insertions(+), 11 deletions(-) rename {test-rke2-001 => lab-rke2-001}/values.yaml (56%) diff --git a/test-rke2-001/values.yaml b/lab-rke2-001/values.yaml similarity index 56% rename from test-rke2-001/values.yaml rename to lab-rke2-001/values.yaml index f714c8e..9ba7010 100644 --- a/test-rke2-001/values.yaml +++ b/lab-rke2-001/values.yaml 
@@ -24,17 +24,167 @@ cluster: enableNetworkPolicy: true localClusterAuthEndpoint: enabled: false - # additionalManifests: |- - # apiVersion: v1 - # kind: Pod - # metadata: - # name: example-manifest - # spec: - # containers: - # - name: example - # image: example:1.0.0 - # ports: - # - containerPort: 80 + additionalManifests: |- + apiVersion: helm.cattle.io/v1 + kind: HelmChart + metadata: + name: traefik + namespace: kube-system + spec: + chart: traefik + repo: https://traefik.github.io/charts + set: + global.clusterCIDR: 10.42.0.0/16 + global.clusterCIDRv4: 10.42.0.0/16 + global.clusterDNS: 10.43.0.10 + global.clusterDomain: cluster.local + global.rke2DataDir: /var/lib/rancher/rke2 + global.serviceCIDR: 10.43.0.0/16 + global.systemDefaultIngressClass: ingress-nginx + targetNamespace: kube-system + valuesContent: |- + core: + defaultRuleSyntax: v2 + additionalArguments: + - "--providers.file.directory=/etc/traefik/dynamic" + - "--providers.file.watch=true" + - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=300s" + certificatesResolvers: + default: + acme: + email: letsencrypt.org.danny@spamasaurus.com + storage: /data/acme.json + dnsChallenge: + provider: cloudflare + delayBeforeCheck: 5m0s + resolvers: + - 1.1.1.1:53 + - 1.0.0.1:53 + deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: + [ + "sh", + "-c", + "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json", + ] + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + volumeMounts: + - name: traefik-data + mountPath: /data + env: + - name: CF_API_EMAIL + valueFrom: + secretKeyRef: + name: traefik-cloudflare + key: CF_API_EMAIL + - name: CF_API_KEY + valueFrom: + secretKeyRef: + name: traefik-cloudflare + key: CF_API_KEY + extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: traefik-file-provider + namespace: kube-system + data: + config.yml: | + http: + middlewares: + 2fa-authentication: 
+ forwardAuth: + address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/" + trustForwardHeader: true + security-headers: + headers: + forceSTSHeader: true + stsSeconds: 315360000 + stsIncludeSubdomains: true + stsPreload: true + tls: + options: + defaults: + minVersion: VersionTLS12 + sniStrict: false + curvePreferences: + - secp521r1 + - secp384r1 + - secp256r1 + cipherSuites: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_FALLBACK_SCSV + ingressRoute: + dashboard: + enabled: true + entryPoints: + - websecure + matchRule: Host(`ingress.lab.spamasaurus.com`) + middlewares: + - name: 2fa-authentication@file + - name: security-headers@file + logs: + general: + level: INFO + persistence: + enabled: true + name: traefik-data + path: /data + ports: + web: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + websecure: + forwardedHeaders: + insecure: true + tls: + options: defaults@file + certResolver: default + domains: + - main: '*.pvr.spamasaurus.com' + - main: '*.lab.spamasaurus.com' + - main: '*.spamasaurus.com' + sans: + - 'spamasaurus.com' + - main: '*.bessems.com' + sans: + - 'bessems.com' + - main: '*.bessems.eu' + sans: + - 'bessems.eu' + - main: '*.gabaldon.eu' + sans: + - 'gabaldon.eu' + - main: '*.gabaldon.nl' + sans: + - 'gabaldon.nl' + - main: '*.itch.fyi' + sans: + - 'itch.fyi' + updateStrategy: + type: Recreate + rollingUpdate: null + volumes: + - name: traefik-file-provider + type: configMap + mountPath: /etc/traefik/dynamic # agentEnvVars: # - name: A # value: B
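Review bot: `forwardedHeaders: insecure: true` under `ports.websecure` makes Traefik accept X-Forwarded-* headers from any client, and since the `2fa-authentication` forwardAuth middleware sets `trustForwardHeader: true`, those client-supplied values are what the verify endpoint at auth.spamasaurus.com receives; unless every connection really arrives through a trusted proxy, a caller can present arbitrary forwarded IP/host/proto values to the access-control decision. Prefer an allow-list of the upstream load balancer or proxy range instead, e.g. `forwardedHeaders:` / `  trustedIPs:` / `    - <UPSTREAM_PROXY_CIDR>  # placeholder`. The `volume-permissions` init container runs as root (`runAsUser: 0`, `runAsNonRoot: false`) from the unpinned `busybox:latest`; pinning a tag or digest, or letting the chart's pod-level fsGroup own the data volume if the chart version in use supports it, would remove both the mutable image and the root step. `TLS_FALLBACK_SCSV` in `tls.options.defaults.cipherSuites` is a signalling value (RFC 7507) rather than a negotiable cipher suite, so it has no effect in a server-side list and can be dropped. The enclosing `cluster:` mapping begins before this hunk.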