From b90eeb5f6c0fcb7438593e47a6cb818352e153fd Mon Sep 17 00:00:00 2001 From: Rob Kooper <kooper@illinois.edu> Date: Thu, 1 Dec 2022 18:32:07 -0600 Subject: [PATCH] add nginx to ingress clean up ingress controller - add nginx - remove traefik v1 - rename traefik2 to traefik --- .../templates/ingresscontroller/nginx.yaml | 45 ++++++++++++ .../{traefik2.yaml => traefik.yaml} | 16 ++--- .../templates/ingresscontroller/traefik1.yaml | 69 ------------------- charts/apps/values.yaml | 14 ++-- terraform/modules/argocd/argocd.tf | 5 +- .../modules/argocd/templates/argocd.yaml.tmpl | 25 ++++--- terraform/modules/argocd/variables.tf | 40 +++-------- 7 files changed, 82 insertions(+), 132 deletions(-) create mode 100644 charts/apps/templates/ingresscontroller/nginx.yaml rename charts/apps/templates/ingresscontroller/{traefik2.yaml => traefik.yaml} (83%) delete mode 100644 charts/apps/templates/ingresscontroller/traefik1.yaml diff --git a/charts/apps/templates/ingresscontroller/nginx.yaml b/charts/apps/templates/ingresscontroller/nginx.yaml new file mode 100644 index 0000000..b259f08 --- /dev/null +++ b/charts/apps/templates/ingresscontroller/nginx.yaml 
@@ -0,0 +1,45 @@ +{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "nginx") }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: {{ .Values.cluster.name }}-nginx + labels: + cluster: {{ .Values.cluster.name | quote }} + app: nginx + namespace: argocd + annotations: + {{- toYaml .Values.notifications | nindent 4 }} +spec: + project: {{ .Values.cluster.name }} + destination: + server: {{ .Values.cluster.url }} + namespace: nginx + syncPolicy: + {{- if .Values.sync }} + automated: + prune: true + selfHeal: true + allowEmpty: false + {{- end }} + syncOptions: + - CreateNamespace=true + source: + repoURL: https://kubernetes.github.io/ingress-nginx + chart: ingress-nginx + targetRevision: {{ .Values.ingresscontroller.nginx.version | quote }} + helm: + version: v3 + releaseName: nginx + values: | + controller: + extraArgs: + publish-status-address: {{ .Values.ingresscontroller.publicIP }} + publishService: + enabled: false + service: + externalTrafficPolicy: Local + loadBalancerIP: {{ .Values.ingresscontroller.privateIP | default .Values.ingresscontroller.publicIP }} + watchIngressWithoutClass: true + ingressClassResource: + default: true +{{- end }} diff --git a/charts/apps/templates/ingresscontroller/traefik2.yaml b/charts/apps/templates/ingresscontroller/traefik.yaml similarity index 83% rename from charts/apps/templates/ingresscontroller/traefik2.yaml rename to charts/apps/templates/ingresscontroller/traefik.yaml index fe0f162..169d3de 100644 --- a/charts/apps/templates/ingresscontroller/traefik2.yaml +++ b/charts/apps/templates/ingresscontroller/traefik.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik2") }} +{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik") }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
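Review bot: The nginx Application has no counterpart to the ACME/TLS block that traefik.yaml carries, so a cluster that switches `ingresscontroller.class` to `nginx` stops getting automatic certificate issuance, and neither the template nor the commit message says where TLS is expected to come from. A header comment after the opening `if`, e.g. `# NOTE: no ACME/TLS automation is configured for nginx; certificates must be provided separately (e.g. cert-manager or pre-created TLS secrets)`, would make that explicit for whoever flips the class. The templated addresses inside the embedded `values: |` block (`publish-status-address`, `loadBalancerIP`) are rendered unquoted, so an unset `publicIP` becomes a YAML null instead of a render-time failure; wrapping the value in `required` or `| quote` would surface the misconfiguration at template time rather than at the controller.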
@@ -26,7 +26,7 @@ spec: source: repoURL: https://helm.traefik.io/traefik chart: traefik - targetRevision: {{ .Values.ingresscontroller.traefik2.version | quote }} + targetRevision: {{ .Values.ingresscontroller.traefik.version | quote }} helm: version: v3 releaseName: traefik @@ -44,20 +44,20 @@ spec: tls: enabled: true certResolver: letsencrypt - {{- if .Values.ingresscontroller.traefik2.ports }} - {{- .Values.ingresscontroller.traefik2.ports | toYaml | nindent 10 }} + {{- if .Values.ingresscontroller.traefik.ports }} + {{- .Values.ingresscontroller.traefik.ports | toYaml | nindent 10 }} {{- end }} additionalArguments: - --providers.kubernetesingress.ingressendpoint.ip={{ .Values.ingresscontroller.publicIP }} - {{- if .Values.ingresscontroller.acme }} - - --certificatesresolvers.letsencrypt.acme.caserver={{ .Values.ingresscontroller.acme.server | default "https://acme-v02.api.letsencrypt.org/directory" }} - - --certificatesresolvers.letsencrypt.acme.email={{ .Values.ingresscontroller.acme.email }} + {{- if .Values.ingresscontroller.traefik.acme }} + - --certificatesresolvers.letsencrypt.acme.caserver={{ .Values.ingresscontroller.traefik.acme.server | default "https://acme-v02.api.letsencrypt.org/directory" }} + - --certificatesresolvers.letsencrypt.acme.email={{ .Values.ingresscontroller.traefik.acme.email }} - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json - --certificatesresolvers.letsencrypt.acme.tlschallenge=true {{- end }} persistence: enabled: true - storageClass: {{ .Values.ingresscontroller.storageClass | quote}} + storageClass: {{ .Values.ingresscontroller.traefik.storageClass | quote}} deployment: initContainers: # The "volume-permissions" init container is required if you run into permission issues. diff --git a/charts/apps/templates/ingresscontroller/traefik1.yaml b/charts/apps/templates/ingresscontroller/traefik1.yaml deleted file mode 100644 index 4e2041c..0000000 
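Review bot: In the -44 hunk `certResolver: letsencrypt` under `tls:` is still set unconditionally, while the resolver itself is only defined inside `{{- if .Values.ingresscontroller.traefik.acme }}`; with the defaults shipped in values.yaml (acme commented out) Traefik references a resolver that does not exist and, as far as I recall its behaviour, logs errors and serves its self-signed default certificate. The commit only renames the value paths here, so moving `certResolver: letsencrypt` inside the same acme conditional, or documenting the self-signed fallback above it, seems worth doing at the same time. The `values: |` block and the `deployment.initContainers` section continue outside the hunk. Minor style point: `{{ .Values.ingresscontroller.traefik.storageClass | quote}}` lacks the space before `}}` that every other action in the file has.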
--- a/charts/apps/templates/ingresscontroller/traefik1.yaml
+++ /dev/null
@@ -1,69 +0,0 @@ -{{- if and .Values.ingresscontroller.enabled (eq .Values.ingresscontroller.class "traefik1") }} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: {{ .Values.cluster.name }}-traefik - labels: - cluster: {{ .Values.cluster.name | quote }} - app: traefik - namespace: argocd - annotations: - {{- toYaml .Values.notifications | nindent 4 }} -spec: - project: {{ .Values.cluster.name }} - destination: - server: {{ .Values.cluster.url }} - namespace: traefik - syncPolicy: - {{- if .Values.sync }} - automated: - prune: true - selfHeal: true - allowEmpty: false - {{- end }} - syncOptions: - - CreateNamespace=true - source: - repoURL: https://charts.helm.sh/stable - chart: traefik - targetRevision: {{ .Values.ingresscontroller.traefik1.version | quote }} - helm: - version: v3 - releaseName: traefik - values: | - loadBalancerIP: {{ .Values.ingresscontroller.privateIP | default .Values.ingresscontroller.publicIP }} - externalIP: {{ .Values.ingresscontroller.publicIP }} - externalTrafficPolicy: Local - kubernetes: - ingressEndpoint: - ip: {{ .Values.ingresscontroller.publicIP }} - rbac: - enabled: true - dashboard: - enabled: {{ .Values.ingresscontroller.dashboard }} - domain: traefik.{{ .Values.ingresscontroller.publicIP }}.xip.io - ingress: - annotations: - acme: - enabled: {{ .Values.ingresscontroller.acme }} - {{- if .Values.ingresscontroller.acme }} - challengeType: http-01 - email: {{ .Values.ingresscontroller.acme.email }} - staging: {{ .Values.ingresscontroller.acme.staging }} - logging: true - persistence: - enabled: true - {{- end }} - ssl: - enabled: true - enforced: true - insecureSkipVerify: true - tlsMinVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 -{{- end }} 
diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml index add4865..134b44b 100644 --- a/charts/apps/values.yaml +++ b/charts/apps/values.yaml @@ -26,16 +26,16 @@ healthmonitor: ingresscontroller: enabled: false - class: traefik2 + class: traefik publicIP: 1.1.1.1 #privateIP: 1.1.1.2 - #acme: - # email: devops.isda@lists.illinois.edu - storageClass: "" - traefik1: - version: "1.*" - traefik2: + nginx: + version: "4.*" + traefik: version: "*" + storageClass: "" + #acme: + # email: devops.isda@lists.illinois.edu ports: {} # postgres: # port: 5432 diff --git a/terraform/modules/argocd/argocd.tf b/terraform/modules/argocd/argocd.tf index b00e008..3faaa5f 100644 --- a/terraform/modules/argocd/argocd.tf +++ b/terraform/modules/argocd/argocd.tf @@ -37,9 +37,8 @@ locals { floating_ip = var.floating_ip ingress_controller_enabled = var.ingress_controller_enabled ingress_controller = var.ingress_controller - ingress_storageclass = var.ingress_storageclass - traefik_dashboard = var.traefik_dashboard - traefik2_ports = indent(14, yamlencode(var.traefik2_ports)) + traefik_storageclass = var.traefik_storageclass + traefik_ports = indent(14, yamlencode(var.traefik_ports)) acme_staging = var.acme_staging acme_email = var.acme_email sealedsecrets_enabled = var.sealedsecrets_enabled diff --git a/terraform/modules/argocd/templates/argocd.yaml.tmpl b/terraform/modules/argocd/templates/argocd.yaml.tmpl index 24e89ff..bc3929d 100644 --- a/terraform/modules/argocd/templates/argocd.yaml.tmpl +++ b/terraform/modules/argocd/templates/argocd.yaml.tmpl 
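Review bot: The new `nginx.version: "4.*"` and the kept `traefik.version: "*"` are floating chart ranges, and the Applications that consume them sync with `automated`/`selfHeal`, so every new upstream chart release is rolled onto the cluster's edge proxy without a reviewed change in this repository. Pinning to an exact chart version, e.g. `version: "<pinned-chart-version>"` (placeholder), keeps ingress upgrades visible in history and lets them be reverted by a commit; the `"*"` on traefik is pre-existing but the same applies. The argocd.tf hunk sharing this line only renames locals.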
@@ -65,26 +65,25 @@ spec: ingresscontroller: enabled: ${ingress_controller_enabled} %{~ if ingress_controller_enabled ~} - dashboard: true class: ${ingress_controller} %{~ if length(floating_ip) > 0 ~} publicIP: ${floating_ip[0].public_ip} privateIP: ${floating_ip[0].private_ip} %{~ endif ~} - storageClass: "${ingress_storageclass}" - %{~ if ingress_controller == "traefik2" ~} - traefik2: + %{~ if ingress_controller == "traefik" || ingress_controller == "traefik2" ~} + traefik: + storageClass: "${traefik_storageclass}" + acme: + staging: ${acme_staging} + %{~ if (acme_staging) ~} + server: https://acme-staging-v02.api.letsencrypt.org/directory + %{~ else ~} + server: https://acme-v02.api.letsencrypt.org/directory + %{~ endif ~} + email: ${acme_email} ports: - ${traefik2_ports} + ${traefik_ports} %{~ endif ~} - acme: - staging: ${acme_staging} - %{~ if (acme_staging) ~} - server: https://acme-staging-v02.api.letsencrypt.org/directory - %{~ else ~} - server: https://acme-v02.api.letsencrypt.org/directory - %{~ endif ~} - email: ${acme_email} %{~ endif ~} healthmonitor: diff --git a/terraform/modules/argocd/variables.tf b/terraform/modules/argocd/variables.tf index 27ad7f1..fa068b1 100644 --- a/terraform/modules/argocd/variables.tf +++ b/terraform/modules/argocd/variables.tf @@ -190,12 +190,6 @@ variable "member_groups" { # ---------------------------------------------------------------------- # INGRESS -# working: -# - traefik1 -# - traefik2 -# work in progress -# - nginx -# - nginxinc # ---------------------------------------------------------------------- variable "ingress_controller_enabled" { 
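Review bot: `class: ${ingress_controller}` is emitted verbatim, yet the traefik values block right below it now accepts `ingress_controller == "traefik2"` and the variables.tf hunk (-206) still validates `"traefik2"` as "same as traefik"; the Helm template traefik.yaml, however, only matches `eq .Values.ingresscontroller.class "traefik"`, so a module caller that kept `ingress_controller = "traefik2"` renders a traefik values block with no Application behind it and silently ends up with no ingress controller at all. Normalising the alias once where the value is emitted, `class: ${ingress_controller == "traefik2" ? "traefik" : ingress_controller}`, closes that gap, or `traefik2` could simply be dropped from the validation. The `acme:` map is now rendered whenever traefik is selected, even with an empty `acme_email`, so `.Values.ingresscontroller.traefik.acme` is always truthy on Terraform-managed clusters; if that is intended it deserves a comment, since the Helm template treats that key as the opt-in switch. The enclosing `spec:` mapping starts before this hunk.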
@@ -206,49 +200,31 @@ variable "ingress_controller_enabled" { variable "ingress_controller" { type = string - description = "Desired ingress controller (traefik1, traefik2, nginxinc, nginx, none)" - default = "traefik2" + description = "Desired ingress controller (traefik, traefik2 (same as traefik), nginx, none)" + default = "traefik" validation { - condition = var.ingress_controller == "traefik1" || var.ingress_controller == "traefik2" + condition = var.ingress_controller == "nginx" || var.ingress_controller == "traefik" || var.ingress_controller == "traefik2" || var.ingress_controller == "none" error_message = "Invalid ingress controller." } } -variable "ingress_storageclass" { - type = string - description = "storageclass used by ingress controller" - default = "" -} - # ---------------------------------------------------------------------- # TRAEFIK # ---------------------------------------------------------------------- -variable "traefik_dashboard" { - type = bool - description = "Should dashboard ingress rule be added as /traefik" - default = true -} - -variable "traefik_server" { - type = string - description = "Desired hostname to be used for cluster, nip.io will use ip address" - default = "" -} - variable "traefik_access_log" { type = bool description = "Should traefik enable access logs" default = false } -variable "traefik_use_certmanager" { - type = bool - description = "Should traefik v2 use cert manager" - default = false +variable "traefik_storageclass" { + type = string + description = "storageclass used by ingress controller" + default = "" } -variable "traefik2_ports" { +variable "traefik_ports" { type = map description = "Additional ports to add to traefik" default = {} -- GitLab
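Review bot: The description on the new `traefik_storageclass` variable, `"storageclass used by ingress controller"`, is copied from the removed `ingress_storageclass` and no longer says what the class is for now that it sits in the TRAEFIK section; something like `description = "Storage class for the traefik persistent volume (presumably where acme.json, i.e. the ACME account and certificate private keys, is kept)"` tells the caller why the choice matters. The renamed `traefik_ports` keeps the legacy untyped `type = map`, which Terraform accepts but has superseded by `type = map(any)` (or a concrete element type if the ports are always numbers). The nested parentheses in `"Desired ingress controller (traefik, traefik2 (same as traefik), nginx, none)"` read awkwardly; `"Desired ingress controller: traefik, nginx or none (traefik2 is accepted as an alias for traefik)"` says the same thing.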