Refactor Authelia,Longhorn,Traefik; Enable ingress middlewares; Update docs

ingress/Traefik2.x/chart-values.yml

@@ -1,46 +0,0 @@
-image:
-  name: bv11-cr01.bessems.eu/proxy/library/traefik
-#  tag: '2.4.8'
-
-ports:
-  web:
-    redirectTo: websecure
-
-service:
-  spec:
-    externalTrafficPolicy: Local
-    loadBalancerIP: 192.168.11.248
-
-volumes:
-  - name: traefik-configmap
-    mountPath: /etc/traefik
-    type: configMap
-
-persistence:
-  enabled: true
-  accessMode: ReadWriteMany
-  path: /data
-  existingClaim: "traefik"
-
-env:
-  - name: CF_API_EMAIL
-    valueFrom:
-      secretKeyRef:
-        name: traefik-cloudflare
-        key: CF_API_EMAIL
-  - name: CF_API_KEY
-    valueFrom:
-      secretKeyRef:
-        name: traefik-cloudflare
-        key: CF_API_KEY
-
-securityContext:
-  capabilities:
-    drop: []
-  readOnlyRootFilesystem: true
-  runAsGroup: 0
-  runAsNonRoot: false
-  runAsUser: 0
-
-podSecurityContext:
-  fsGroup: 0

ingress/Traefik2.x/configMap-Traefik.yml

@@ -1,119 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: traefik-configmap
-  namespace: kube-system
-data:
-  traefik.yml: |
-    global:
-      checkNewVersion: true
-      sendAnonymousUsage: true
-    entryPoints:
-      web:
-        address: :8000
-      websecure:
-        address: :8443
-        forwardedHeaders:
-          insecure: true
-        http:
-          tls:
-            options: defaults@file
-            certResolver: default
-            domains:
-              - main: '*.spamasaurus.com'
-                sans:
-                  - 'spamasaurus.com'
-              - main: '*.chat.spamasaurus.com'
-              - main: '*.bessems.com'
-                sans:
-                  - 'bessems.com'
-              - main: '*.bessems.eu'
-                sans:
-                  - 'bessems.eu'
-              - main: '*.gabaldon.eu'
-                sans:
-                  - 'gabaldon.eu'
-              - main: '*.gabaldon.nl'
-                sans:
-                  - 'gabaldon.nl'
-              - main: '*.itch.fyi'
-                sans:
-                  - 'itch.fyi'
-              - main: '*.oneup.town'
-                sans:
-                  - 'oneup.town'
-    #      trustedIPs:
-    #        - "127.0.0.0/8"
-    #        - "192.168.5.0/24"
-    #        - "192.168.11.0/24"
-      traefik:
-        address: :9000
-    providers:
-      file:
-        filename: /etc/traefik/dynamic.yml
-      kubernetesCRD:
-        allowCrossNamespace: true
-    api:
-      dashboard: true
-    ping: {}
-    #accessLog: {}
-    log:
-      level: INFO
-    #  level: DEBUG
-    certificatesResolvers:
-      default:
-        acme:
-          email: letsencrypt.org.danny@spamasaurus.com
-          storage: /data/acme.json
-          dnsChallenge:
-            provider: cloudflare
-            delayBeforeCheck: 5m0s
-            resolvers:
-            - 1.1.1.1:53
-            - 1.0.0.1:53
-    serversTransport:
-      insecureSkipVerify: true
-  dynamic.yml: |
-    http:
-      middlewares:
-        force-tls:
-          redirectScheme:
-            scheme: https
-        2fa-authentication:
-          forwardAuth:
-            address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
-            trustForwardHeader: true
-        security-headers:
-          headers:
-            forceSTSHeader: true
-            stsSeconds: 315360000
-            stsIncludeSubdomains: true
-            stsPreload: true
-        compression:
-          compress: {}
-      routers:
-        force-tls:
-          entryPoints:
-            - "web"
-          rule: "HostRegexp(`{any:.+}`)"
-          middlewares:
-            - "force-tls"
-          service: noop@internal
-    tls:
-      options:
-        defaults:
-          minVersion: VersionTLS12
-          sniStrict: true
-          curvePreferences:
-            - secp521r1
-            - secp384r1
-          cipherSuites:
-            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-            - TLS_AES_128_GCM_SHA256
-            - TLS_AES_256_GCM_SHA384
-            - TLS_CHACHA20_POLY1305_SHA256
-            - TLS_FALLBACK_SCSV

ingress/Traefik2.x/helmchartconfig-traefik.yaml

@@ -0,0 +1,159 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    additionalArguments:
+      - "--providers.file.directory=/etc/traefik/dynamic"
+      - "--providers.file.watch=true"
+    certResolvers:
+      default:
+        email: letsencrypt.org.danny@spamasaurus.com
+        storage: /data/acme.json
+        dnsChallenge:
+          provider: cloudflare
+          delayBeforeCheck: 5m0s
+          resolvers:
+          - 1.1.1.1:53
+          - 1.0.0.1:53
+    deployment:
+      initContainers:
+        - name: volume-permissions
+          image: busybox:latest
+          command:
+            [
+              "sh",
+              "-c",
+              "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json",
+            ]
+          securityContext:
+            runAsNonRoot: false
+            runAsGroup: 0
+            runAsUser: 0
+          volumeMounts:
+            - name: traefik-data
+              mountPath: /data
+    env:
+      - name: CF_API_EMAIL
+        valueFrom:
+          secretKeyRef:
+            name: traefik-cloudflare
+            key: CF_API_EMAIL
+      - name: CF_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: traefik-cloudflare
+            key: CF_API_KEY
+    extraObjects:
+      - apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: traefik-file-provider
+          namespace: kube-system
+        data:
+          config.yml: |
+            http:
+              middlewares:
+                2fa-authentication:
+                  forwardAuth:
+                    address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
+                    trustForwardHeader: true
+                security-headers:
+                  headers:
+                    forceSTSHeader: true
+                    stsSeconds: 315360000
+                    stsIncludeSubdomains: true
+                    stsPreload: true
+                compression:
+                  compress: {}
+            tls:
+              options:
+                defaults:
+                  minVersion: VersionTLS12
+                  sniStrict: true
+                  curvePreferences:
+                    - secp521r1
+                    - secp384r1
+                  cipherSuites:
+                    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+                    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+                    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+                    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+                    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+                    - TLS_AES_128_GCM_SHA256
+                    - TLS_AES_256_GCM_SHA384
+                    - TLS_CHACHA20_POLY1305_SHA256
+                    - TLS_FALLBACK_SCSV
+      - apiVersion: bitnami.com/v1alpha1
+        kind: SealedSecret
+        metadata:
+          creationTimestamp: null
+          name: traefik-cloudflare
+          namespace: kube-system
+        spec:
+          encryptedData:
+            CF_API_EMAIL: AgCeBTkyKJ2iOEug2JLlnSt7nsR+UZDiCz+vYyUsk4HRmvPj2j6Vy46jzF3N26eDXA5glaL95OVIfrakAZ6StEe2tfb0PwQJcHxLsrzS95WN/9EqMpPz3PtoOFhqtLrOj9T05Q92RlY5E8nY5CEHAO0pdMUN8WR+mAm5coL4Cd5MFg54f+Y3U4NTG3DgeED5sE3O9u6kBMenSYsvD/9Bn3crigK/imE7NtDYn/cDLkxDPyL05gGzLScp9pzhChHe303vdLFy+NbXrVKB2p2PXxz/4aB48CIN/e8mdUGb/DTPakSbG1x4EKea+5N5FtxnZx+0mCmSiYwAH+kYvg25Wnf08+2CQsiaFbbTBWYjO9pkvrADOZ0IV/66fOIOaAQIxh2hztLgM/AAuuWsMV5CLSNG4JfnEMVwztWLxj/lz3vKpSQnzzh9DfX/Yzz4QtZlneCooc9TvhUn9UxPqB4ydXEyUUw8DAKQjVxVs0MmnVwp+tKY+xCUSRPPQ9Z1PvGS+i0m6L7Fm5WVXEUZT2jFSeBCHm+UBkY7COvm1VHinTviNZYXtP0tWCty8eg2AvbOl5vxoV2MJRkqYy8mfnRRlxY5zvKSdDjWgFQoHQgHjjKZqV2RE/PEaEfoQ+PLZSigkr2vFf6uFQ5P5riS69MaqvcwvBhYj5AnB3Ev8NW/kljRx6HeJWijEiLFuUmXqgHhtjoNfhRUjrGH25/XIXokAPA+McxCVbwFEQkiGAj69Wb6LQ/tu90=
+            CF_API_KEY: AgBMs0EeSS9OW2zHjxIZqzEuvVf09phrzsD+5L90DKWsnQVUsV1kmSYk7fun6A76vlR5gnSlWLVl1n2EezNHnViXKyIwu1s01vJ+rTPvNcTdkGWGYB8ZYnqvIe7PB3L4pzaSjOcHJ6jazByz1GFHf5hQC9AdaFtPX6ie8EGV7vOD8fic35BMRV/Y3Qc77W1U0mmA22hgHyvTCqdvlObbkHd23a3ArFXk+ELdPM4E3sPefFWjF2nZOJ/4ltouKs/O4+D2RXc1Am3N8cxKyMc7rTBtz69BLJppyTj4DaAbwq+hN8A328wi9oAuu6ifY7zpd2w0exw3uOfAGoksQZrldYDnTc2w/ecrijcBmcVGQb2AoBS1m+ZXJIdii6E3oyW3wpTcPsgdS+z+xviBnQMtScr+KMHTRlayaQXfEc9kFPp+qqAlf+mIq+dB8xFtNCT2qICWThh3LKZh6i6SkYpR+kFBzqd2wqpjyBLIRAwkAKF1NvR1KQtYsMYNAMlchJ6nhcLz2GmmHqTG9L+NmSafEdLbOhy7lnofpHZ94xCvs75+AISobYVxSXPTERff4NOcb492JT7ojYBfSjD9aZq5B1KU0A6r8+gErK3SKfKh9DkT1lotIV/giOvKfAfJhecUFRRqeCrJPXJVeKJxbLRhDL2i3lEvQqIru/bxebuw5t83rU/2SD+fANgmjRvsz5w9x+pbeg9VyRMJerx9bLb+Gw+enDBqq+s5QIyNK1t5b5J+H+ta1uZO
+          template:
+            metadata:
+              creationTimestamp: null
+              name: traefik-cloudflare
+              namespace: kube-system
+            type: Opaque
+    ingressRoute:
+      dashboard:
+        enabled: true
+        entryPoints:
+          - websecure
+        matchRule: Host(`ingress.spamasaurus.com`)
+        middlewares:
+          # - name: 2fa-authentication@file
+          - name: security-headers@file
+          - name: compression@file
+    logs:
+      general:
+        level: DEBUG
+    persistence:
+      enabled: true
+      name: traefik-data
+      path: /data
+      storageClass: longhorn
+    ports:
+      web:
+        redirectTo:
+          port: websecure
+      websecure:
+        tls:
+          options: defaults@file
+          certResolver: default
+          domains:
+            - main: '*.spamasaurus.com'
+              sans:
+                - 'spamasaurus.com'
+            - main: '*.bessems.com'
+              sans:
+                - 'bessems.com'
+            - main: '*.bessems.eu'
+              sans:
+                - 'bessems.eu'
+            - main: '*.gabaldon.eu'
+              sans:
+                - 'gabaldon.eu'
+            - main: '*.gabaldon.nl'
+              sans:
+                - 'gabaldon.nl'
+            - main: '*.itch.fyi'
+              sans:
+                - 'itch.fyi'
+    service:
+      spec:
+        loadBalancerIP: "192.168.154.240"
+    updateStrategy:
+      type: Recreate
+      rollingUpdate: null
+    volumes:
+      - name: traefik-file-provider
+        type: configMap
+        mountPath: /etc/traefik/dynamic

ingress/Traefik2.x/ingressRoute-Traefik.yml

@@ -1,18 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik
-  namespace: default
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`ingress.spamasaurus.com`)
-      kind: Rule
-      services:
-        - name: api@internal
-          kind: TraefikService
-      middlewares:
-        - name: 2fa-authentication@file
-        - name: security-headers@file
-        - name: compression@file

ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml

@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: flexvolsmb-traefik-data
-  namespace: kube-system
-spec:
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  storageClassName: flexvolsmb-traefik-data
-  flexVolume:
-    driver: mount/smb
-    secretRef:
-      name: smb-secret
-      namespace: default
-    options:
-      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
-      server: 192.168.11.225
-      share: /K3s.Volumes/traefik/data
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: flexvolsmb-traefik-data
-  resources:
-    requests:
-      storage: 1Gi

ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml

@@ -1,24 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "traefik-cloudflare",
-    "namespace": "kube-system",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "traefik-cloudflare",
-        "namespace": "kube-system",
-        "creationTimestamp": null
-      },
-      "type": "Opaque",
-      "data": null
-    },
-    "encryptedData": {
-      "CF_API_EMAIL": "AgClXlPfqjYUhRn4ssez5YiAN7pjR5PIeOaDhGrCI2QksjPVFhCbOhX8ijfSmurd8q/7TXTp1gQdh4SLzQy0jkOobZEDQSvDW2U3crQCRSel/4I5sXSbU5q6plbwuN0Z0BGbA2HxwIXN7t8Gb2PVCFT1HwrFAPxJiCPMFsvjUox7BHvhZAs8fFcSiZQpZ7Hz1+7up0CwjVXMNDkm+OYvirKR3lLWfiwJlCKpQoiQU5IX482EJAE1dqrIWthk1xkX12eXJ9FU+hL8X07a4HxDt461+sANOs9cOCDlRYs5zrqmxsVFeL3Kxgr1NRmQbRRD+pg7I4rwfYBeL9NPpKCGURytfkuwC5gNZOz16795L0liitFdgJ/5uZMywf370yI4bfcs3C1hi7kBGACLKxDeHuRwDqOqsXbpbo0+HENeiMosMOw35thmJJpb1zKBkjrja7HGzgLrzdvwOhz6JCxfLjfygjhoEgjpatPlRXY8+lK5ATaPh6hLvXz2+9l4p27MyV+VjM1UqQvHGvcI6VVkpgRU2e/nPfA+g58tVGO8eIflGRN3oA/H1a8GV7JEQmlH2e7xfuun1/CtPANNb5uAB3NijaBJajCWbF/1qBAdk09QNzkAxm0/m9gpNjmumG3UkasRfbai+2yNzwhScOBOjCWAa+SSOyAGrEcQ76augkcPT/TwoX4gF547+RW/nAcR7QSTViY7gBcuauCPpX8iDyJfe5NZ22XUTCocbvmYGXvw7Q3eVx4=",
-      "CF_API_KEY": "AgCHaCrShxGC+XVP64KcGuemFg+Z95hCxWsERjyxWNO6+RDCu7J26n2isVs4jG7VeJKO0Br0Of7vIdzAKqFm8DWVZBWwPzE0LZqDxujv3RPY0A9OO4EjHiJKZfaFUc6VNy3O0Re+6cBRz16WorFbdMnvForcJYTWih73yggq1n/ZnifAAQgoIkRLH36Rq0/47gUt/rubFtbGa0X9ka2zObX5SYgs2qKtfZx/m31tTe9WqyccEk4DKvdnbWocY0VnBfSndt+B1kM6PN7xNltiLxr/XLEyo04NseFFHiu0Qph3E2K7C4NijxwOOJdYywFZBP9oaq8HTjXKfU9uLz/pkF9+PEMGPdVni0NClasAleOCkbKOigxorKfQlOQlfNq3bGdMLZNfe5xkz5P2uHRIVIoiG7P9KXx+IIT0m453OfG28ttHmFf5HYn7VnVGZ9M2/1ipLTQja1Vg9mUiZcrDgZMzxfEWY6KJJwjVZE6JZkMlvNlnP/oWW4IFyKDNRRcu0ULzeyDUp0jAxXlbCDHMGZTV3M0qDkrEcnzPgQI8bW4+z26Q1XbgaiErb17mETobuNJuHakIgutHR1sJUbkHeAohYXUrAazu7TLVW+v0WrF7FDogyADBRWxYcLxqm4JHDwdaTdRefKcbRgVUKcQV6OUB5pgfNwkz/mU5ad4jUT7VvhSXR9hYfem4DeR1qEiluVtbvrI5XT7Fx6mkn9TNES6og1RLc2vtkA8JrfCCBBfIeAbWGrX+"
-    }
-  }
-}