add nginx to ingress

clean up ingress controller
- add nginx
- remove traefik v1
- rename traefik2 to traefik

charts/apps/templates/ingresscontroller/nginx.yaml

+{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "nginx") }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.cluster.name }}-nginx
+  labels:
+    cluster: {{ .Values.cluster.name | quote }}
+    app: nginx
+  namespace: argocd
+  annotations:
+    {{- toYaml .Values.notifications | nindent 4 }}
+spec:
+  project: {{ .Values.cluster.name }}
+  destination:
+    server: {{ .Values.cluster.url }}
+    namespace: nginx
+  syncPolicy:
+    {{- if .Values.sync }}
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    {{- end }}
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: https://kubernetes.github.io/ingress-nginx
+    chart: ingress-nginx
+    targetRevision: {{ .Values.ingresscontroller.nginx.version | quote }}
+    helm:
+      version: v3
+      releaseName: nginx
+      values: |
+        controller:
+          extraArgs:
+            publish-status-address: {{ .Values.ingresscontroller.publicIP }}
+          publishService:
+            enabled: false
+          service:
+            externalTrafficPolicy: Local
+            loadBalancerIP: {{ .Values.ingresscontroller.privateIP | default .Values.ingresscontroller.publicIP }}
+          watchIngressWithoutClass: true
+          ingressClassResource:
+            default: true
+{{- end }}

charts/apps/templates/ingresscontroller/traefik2.yaml → charts/apps/templates/ingresscontroller/traefik.yaml

-{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik2") }}
+{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik") }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -26,7 +26,7 @@ spec:
   source:
     repoURL: https://helm.traefik.io/traefik
     chart: traefik
-    targetRevision: {{ .Values.ingresscontroller.traefik2.version | quote }}
+    targetRevision: {{ .Values.ingresscontroller.traefik.version | quote }}
     helm:
       version: v3
       releaseName: traefik
@@ -44,20 +44,20 @@ spec:
             tls:
               enabled: true
               certResolver: letsencrypt
-          {{- if .Values.ingresscontroller.traefik2.ports }}
-          {{- .Values.ingresscontroller.traefik2.ports | toYaml | nindent 10 }}
+          {{- if .Values.ingresscontroller.traefik.ports }}
+          {{- .Values.ingresscontroller.traefik.ports | toYaml | nindent 10 }}
           {{- end }}
         additionalArguments:
           - --providers.kubernetesingress.ingressendpoint.ip={{ .Values.ingresscontroller.publicIP }}
-          {{- if .Values.ingresscontroller.acme }}
-          - --certificatesresolvers.letsencrypt.acme.caserver={{ .Values.ingresscontroller.acme.server | default "https://acme-v02.api.letsencrypt.org/directory" }}
-          - --certificatesresolvers.letsencrypt.acme.email={{ .Values.ingresscontroller.acme.email }}
+          {{- if .Values.ingresscontroller.traefik.acme }}
+          - --certificatesresolvers.letsencrypt.acme.caserver={{ .Values.ingresscontroller.traefik.acme.server | default "https://acme-v02.api.letsencrypt.org/directory" }}
+          - --certificatesresolvers.letsencrypt.acme.email={{ .Values.ingresscontroller.traefik.acme.email }}
           - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
           - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
           {{- end }}
         persistence:
           enabled: true
-          storageClass: {{ .Values.ingresscontroller.storageClass | quote}}
+          storageClass: {{ .Values.ingresscontroller.traefik.storageClass | quote}}
         deployment:
           initContainers:
           # The "volume-permissions" init container is required if you run into permission issues.

charts/apps/templates/ingresscontroller/traefik1.yaml

-{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik1") }}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: {{ .Values.cluster.name }}-traefik
-  labels:
-    cluster: {{ .Values.cluster.name | quote }}
-    app: traefik
-  namespace: argocd
-  annotations:
-    {{- toYaml .Values.notifications | nindent 4 }}
-spec:
-  project: {{ .Values.cluster.name }}
-  destination:
-    server: {{ .Values.cluster.url }}
-    namespace: traefik
-  syncPolicy:
-    {{- if .Values.sync }}
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    {{- end }}
-    syncOptions:
-      - CreateNamespace=true
-  source:
-    repoURL: https://charts.helm.sh/stable
-    chart: traefik
-    targetRevision: {{ .Values.ingresscontroller.traefik1.version | quote }}
-    helm:
-      version: v3
-      releaseName: traefik
-      values: |
-        loadBalancerIP: {{ .Values.ingresscontroller.privateIP | default .Values.ingresscontroller.publicIP }}
-        externalIP: {{ .Values.ingresscontroller.publicIP }}
-        externalTrafficPolicy: Local
-        kubernetes:
-          ingressEndpoint:
-            ip: {{ .Values.ingresscontroller.publicIP }}
-        rbac:
-          enabled: true
-        dashboard:
-          enabled: {{ .Values.ingresscontroller.dashboard }}
-          domain: traefik.{{ .Values.ingresscontroller.publicIP }}.xip.io
-          ingress:
-            annotations:
-        acme:
-          enabled: {{ .Values.ingresscontroller.acme }}
-          {{- if .Values.ingresscontroller.acme }}
-          challengeType: http-01
-          email: {{ .Values.ingresscontroller.acme.email }}
-          staging: {{ .Values.ingresscontroller.acme.staging }}
-          logging: true
-          persistence:
-            enabled: true
-          {{- end }}
-        ssl:
-          enabled: true
-          enforced: true
-          insecureSkipVerify: true
-          tlsMinVersion: VersionTLS12
-          cipherSuites:
-            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-{{- end }}

charts/apps/values.yaml

@@ -26,16 +26,16 @@ healthmonitor:
 
 ingresscontroller:
   enabled: false
-  class: traefik2
+  class: traefik
   publicIP: 1.1.1.1
   #privateIP: 1.1.1.2
-  #acme:
-  #  email: devops.isda@lists.illinois.edu
-  storageClass: ""
-  traefik1:
-    version: "1.*"
-  traefik2:
+  nginx:
+    version: "4.*"
+  traefik:
     version: "*"
+    storageClass: ""
+    #acme:
+    #  email: devops.isda@lists.illinois.edu
     ports: {}
       # postgres:
       #   port: 5432

terraform/modules/argocd/argocd.tf

@@ -37,9 +37,8 @@ locals {
     floating_ip                 = var.floating_ip
     ingress_controller_enabled  = var.ingress_controller_enabled
     ingress_controller          = var.ingress_controller
-    ingress_storageclass        = var.ingress_storageclass
-    traefik_dashboard           = var.traefik_dashboard
-    traefik2_ports              = indent(14, yamlencode(var.traefik2_ports))
+    traefik_storageclass        = var.traefik_storageclass
+    traefik_ports               = indent(14, yamlencode(var.traefik_ports))
     acme_staging                = var.acme_staging
     acme_email                  = var.acme_email
     sealedsecrets_enabled       = var.sealedsecrets_enabled

terraform/modules/argocd/templates/argocd.yaml.tmpl

@@ -65,26 +65,25 @@ spec:
         ingresscontroller:
           enabled: ${ingress_controller_enabled}
           %{~ if ingress_controller_enabled ~}
-          dashboard: true
           class: ${ingress_controller}
           %{~ if length(floating_ip) > 0 ~}
           publicIP: ${floating_ip[0].public_ip}
           privateIP: ${floating_ip[0].private_ip}
           %{~ endif ~}
-          storageClass: "${ingress_storageclass}"
-          %{~ if ingress_controller == "traefik2" ~}
-          traefik2:
+          %{~ if ingress_controller == "traefik" ||  ingress_controller == "traefik2" ~}
+          traefik:
+            storageClass: "${traefik_storageclass}"
+            acme:
+              staging: ${acme_staging} 
+              %{~ if (acme_staging) ~}
+              server: https://acme-staging-v02.api.letsencrypt.org/directory
+              %{~ else ~}
+              server: https://acme-v02.api.letsencrypt.org/directory
+              %{~ endif ~}
+              email: ${acme_email}
             ports:
-              ${traefik2_ports}
+              ${traefik_ports}
           %{~ endif ~}
-          acme:
-            staging: ${acme_staging} 
-            %{~ if (acme_staging) ~}
-            server: https://acme-staging-v02.api.letsencrypt.org/directory
-            %{~ else ~}
-            server: https://acme-v02.api.letsencrypt.org/directory
-            %{~ endif ~}
-            email: ${acme_email}
           %{~ endif ~}
 
         healthmonitor:

terraform/modules/argocd/variables.tf

@@ -190,12 +190,6 @@ variable "member_groups" {
 
 # ----------------------------------------------------------------------
 # INGRESS
-# working:
-# - traefik1
-# - traefik2
-# work in progress
-# - nginx
-# - nginxinc
 # ----------------------------------------------------------------------
 
 variable "ingress_controller_enabled" {
@@ -206,49 +200,31 @@ variable "ingress_controller_enabled" {
 
 variable "ingress_controller" {
   type        = string
-  description = "Desired ingress controller (traefik1, traefik2, nginxinc, nginx, none)"
-  default     = "traefik2"
+  description = "Desired ingress controller (traefik, traefik2 (same as traefik), nginx, none)"
+  default     = "traefik"
   validation {
-    condition = var.ingress_controller == "traefik1" || var.ingress_controller == "traefik2"
+    condition = var.ingress_controller == "nginx" || var.ingress_controller == "traefik" || var.ingress_controller == "traefik2" || var.ingress_controller == "none"
     error_message = "Invalid ingress controller."
   }
 }
 
-variable "ingress_storageclass" {
-  type        = string
-  description = "storageclass used by ingress controller"
-  default     = ""
-}
-
 # ----------------------------------------------------------------------
 # TRAEFIK
 # ----------------------------------------------------------------------
 
-variable "traefik_dashboard" {
-  type        = bool
-  description = "Should dashboard ingress rule be added as /traefik"
-  default     = true
-}
-
-variable "traefik_server" {
-  type        = string
-  description = "Desired hostname to be used for cluster, nip.io will use ip address"
-  default     = ""
-}
-
 variable "traefik_access_log" {
   type        = bool
   description = "Should traefik enable access logs"
   default     = false
 }
 
-variable "traefik_use_certmanager" {
-  type        = bool
-  description = "Should traefik v2 use cert manager"
-  default     = false
+variable "traefik_storageclass" {
+  type        = string
+  description = "storageclass used by ingress controller"
+  default     = ""
 }
 
-variable "traefik2_ports" {
+variable "traefik_ports" {
   type        = map
   description = "Additional ports to add to traefik"
   default     = {}