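---
# HelmChartConfig (helm.cattle.io) that overrides the values of the chart
# named "traefik" in kube-system. Everything under valuesContent is a YAML
# string that is handed to Helm as chart values.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    core:
      defaultRuleSyntax: v2
    # Load dynamic configuration (middlewares, TLS options) from the ConfigMap
    # mounted at /etc/traefik/dynamic; see extraObjects and volumes below.
    additionalArguments:
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
    # ACME via DNS-01 through Cloudflare; issued certificates and the account
    # key are stored in /data/acme.json on the persistent volume.
    certificatesResolvers:
      default:
        acme:
          email: letsencrypt.org.danny@spamasaurus.com
          storage: /data/acme.json
          dnsChallenge:
            provider: cloudflare
            delayBeforeCheck: 5m0s
            # Quoted so no parser can read host:port as anything but a string.
            resolvers:
              - "1.1.1.1:53"
              - "1.0.0.1:53"
    deployment:
      initContainers:
        # Runs as root only to create acme.json and hand it to UID 65532 with
        # mode 600, since the file holds private keys.
        # NOTE(review): busybox:latest is a mutable tag on a root container;
        # pin it to a reviewed version and digest, e.g.
        #   image: busybox:<PINNED_VERSION>@sha256:<DIGEST>   # placeholder
        # NOTE(review): an fsGroup on the pod security context is the usual
        # way to avoid a root init container - confirm against the chart.
        - name: volume-permissions
          image: busybox:latest
          command:
            - "sh"
            - "-c"
            - "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json"
          securityContext:
            runAsNonRoot: false
            runAsGroup: 0
            runAsUser: 0
          volumeMounts:
            - name: traefik-data
              mountPath: /data
    # Cloudflare credentials come from the traefik-cloudflare Secret, which is
    # produced by the SealedSecret in extraObjects.
    # NOTE(review): CF_API_EMAIL + CF_API_KEY is the account-wide global key.
    # A scoped API token (CF_DNS_API_TOKEN) limited to DNS edits on the zones
    # listed under ports.websecure.tls.domains would be least privilege.
    env:
      - name: CF_API_EMAIL
        valueFrom:
          secretKeyRef:
            name: traefik-cloudflare
            key: CF_API_EMAIL
      - name: CF_API_KEY
        valueFrom:
          secretKeyRef:
            name: traefik-cloudflare
            key: CF_API_KEY
    extraObjects:
      - apiVersion: v1
        kind: ConfigMap
        metadata:
          name: traefik-file-provider
          namespace: kube-system
        data:
          config.yml: |
            http:
              middlewares:
                # Forward-auth gate used by the dashboard route.
                # trustForwardHeader: true passes incoming X-Forwarded-*
                # headers to the auth service unchanged, so it is only safe
                # when the entry point restricts who may set them.
                2fa-authentication:
                  forwardAuth:
                    address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
                    trustForwardHeader: true
                # HSTS for 315360000 s (10 years), all subdomains, preload:
                # every subdomain must be able to serve HTTPS.
                security-headers:
                  headers:
                    forceSTSHeader: true
                    stsSeconds: 315360000
                    stsIncludeSubdomains: true
                    stsPreload: true
                # compression:
                #   compress: {}
            tls:
              options:
                defaults:
                  minVersion: VersionTLS12
                  sniStrict: true
                  curvePreferences:
                    - secp521r1
                    - secp384r1
                    - secp256r1
                  # NOTE(review): Traefik documents cipherSuites as applying
                  # to TLS 1.2 and below, so the three TLS_AES_*/TLS_CHACHA20_*
                  # (TLS 1.3) names likely have no effect, and
                  # TLS_FALLBACK_SCSV is a downgrade signal rather than a
                  # cipher suite - confirm these entries do what is intended.
                  cipherSuites:
                    - TLS_AES_128_GCM_SHA256
                    - TLS_AES_256_GCM_SHA384
                    - TLS_CHACHA20_POLY1305_SHA256
                    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
                    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                    - TLS_FALLBACK_SCSV
      - apiVersion: bitnami.com/v1alpha1
        kind: SealedSecret
        metadata:
          creationTimestamp: null
          name: traefik-cloudflare
          namespace: kube-system
        spec:
          encryptedData:
            CF_API_EMAIL: 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
            CF_API_KEY: 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
          template:
            metadata:
              creationTimestamp: null
              name: traefik-cloudflare
              namespace: kube-system
            type: Opaque
    # Dashboard is published on websecure only, behind the forward-auth and
    # security-headers middlewares defined in the file provider.
    ingressRoute:
      dashboard:
        enabled: true
        entryPoints:
          - websecure
        matchRule: Host(`ingress.spamasaurus.com`)
        middlewares:
          - name: 2fa-authentication@file
          - name: security-headers@file
          # - name: compression@file
    # INFO as the steady-state level; DEBUG output is verbose and may carry
    # request and provider detail, so enable it only while troubleshooting.
    logs:
      general:
        level: INFO
    persistence:
      enabled: true
      name: traefik-data
      path: /data
      storageClass: longhorn
    ports:
      web:
        # Permanent redirect of plain HTTP to the websecure entry point.
        redirections:
          entryPoint:
            to: websecure
            scheme: https
            permanent: true
      websecure:
        # NOTE(review): insecure: true accepts X-Forwarded-* headers from any
        # client. Combined with trustForwardHeader: true on the forwardAuth
        # middleware, client-supplied values reach the auth service and the
        # backends. Prefer trusting only the upstream proxies:
        #   trustedIPs:
        #     - <UPSTREAM_PROXY_CIDR>   # placeholder
        forwardedHeaders:
          insecure: true
        tls:
          options: defaults@file
          certResolver: default
          domains:
            - main: '*.pvr.spamasaurus.com'
            - main: '*.spamasaurus.com'
              sans:
                - 'spamasaurus.com'
            - main: '*.bessems.com'
              sans:
                - 'bessems.com'
            - main: '*.bessems.eu'
              sans:
                - 'bessems.eu'
            - main: '*.gabaldon.eu'
              sans:
                - 'gabaldon.eu'
            - main: '*.gabaldon.nl'
              sans:
                - 'gabaldon.nl'
            - main: '*.itch.fyi'
              sans:
                - 'itch.fyi'
    service:
      spec:
        loadBalancerIP: "192.168.154.240"
    # Recreate rather than rolling update; rollingUpdate is explicitly nulled.
    updateStrategy:
      type: Recreate
      rollingUpdate: null
    volumes:
      - name: traefik-file-provider
        type: configMap
        mountPath: /etc/traefik/dynamic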