From 53553ddcfd6ad89486317e4252046f064aecd105 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 17 May 2026 23:44:50 +1000
Subject: [PATCH] feat: deploy internal/external traefik routers (#119)
deploy traefik for internal and external applications. port forwarding from the external routers will only occur to the IP of the traefik-external service.
- traefik-internal and traefik-external added
- each is a different deployment
Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/119
---
 .../traefik-system/gatewayclass-external.yaml | 7 ++
 .../traefik-system/gatewayclass-internal.yaml | 7 ++
 apps/base/traefik-system/kustomization.yaml | 8 ++
 apps/base/traefik-system/namespace.yaml | 5 ++
 .../au-syd1/traefik-system/kustomization.yaml | 24 ++++++
 .../traefik-system/values-external.yaml | 86 +++++++++++++++++++
 .../traefik-system/values-internal.yaml | 86 +++++++++++++++++++
 argocd/applicationsets/platform.yaml | 1 +
 8 files changed, 224 insertions(+)
 create mode 100644 apps/base/traefik-system/gatewayclass-external.yaml
 create mode 100644 apps/base/traefik-system/gatewayclass-internal.yaml
 create mode 100644 apps/base/traefik-system/kustomization.yaml
 create mode 100644 apps/base/traefik-system/namespace.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/kustomization.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/values-external.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/values-internal.yaml
diff --git a/apps/base/traefik-system/gatewayclass-external.yaml b/apps/base/traefik-system/gatewayclass-external.yaml
new file mode 100644
index 0000000..e6693e4
--- /dev/null
+++ b/apps/base/traefik-system/gatewayclass-external.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: traefik-external
+spec:
+ controllerName: traefik.io/gateway-controller-external
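Review bot: `spec.controllerName` on the last line of this hunk is only linked by convention to the `--providers.kubernetesgateway.controllername=` argument in values-external.yaml, and a mismatch would leave the class silently unclaimed; a comment pinning that contract would help, e.g. `# must match --providers.kubernetesgateway.controllername in apps/overlays/*/traefik-system/values-external.yaml`. The same applies to gatewayclass-internal.yaml and values-internal.yaml. Both GatewayClass objects also presuppose that the Gateway API CRDs (`gateway.networking.k8s.io/v1`) are already installed, and nothing in this PR installs them, so if they are delivered by another application the sync ordering presumably needs a wave or the apply fails on an unknown kind — worth confirming.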
diff --git a/apps/base/traefik-system/gatewayclass-internal.yaml b/apps/base/traefik-system/gatewayclass-internal.yaml
new file mode 100644
index 0000000..86de860
--- /dev/null
+++ b/apps/base/traefik-system/gatewayclass-internal.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: traefik-internal
+spec:
+ controllerName: traefik.io/gateway-controller-internal
diff --git a/apps/base/traefik-system/kustomization.yaml b/apps/base/traefik-system/kustomization.yaml
new file mode 100644
index 0000000..057ce95
--- /dev/null
+++ b/apps/base/traefik-system/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - gatewayclass-internal.yaml
+ - gatewayclass-external.yaml
diff --git a/apps/base/traefik-system/namespace.yaml b/apps/base/traefik-system/namespace.yaml
new file mode 100644
index 0000000..914f6b9
--- /dev/null
+++ b/apps/base/traefik-system/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefik-system
diff --git a/apps/overlays/au-syd1/traefik-system/kustomization.yaml b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
new file mode 100644
index 0000000..4639b51
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/traefik-system
+
+helmCharts:
+ - name: traefik
+ repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
+ version: "40.0.0"
+ releaseName: traefik-internal
+ namespace: traefik-system
+ valuesFile: values-internal.yaml
+ apiVersions:
+ - policy/v1/PodDisruptionBudget
+ - name: traefik
+ repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
+ version: "40.0.0"
+ releaseName: traefik-external
+ namespace: traefik-system
+ valuesFile: values-external.yaml
+ apiVersions:
+ - policy/v1/PodDisruptionBudget
diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
new file mode 100644
index 0000000..e063b71
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -0,0 +1,86 @@
+image:
+ tag: v3.7.0
+
+additionalArguments:
+ - "--providers.kubernetesgateway.controllername=traefik.io/gateway-controller-external"
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 1
+
+gateway:
+ enabled: false
+
+gatewayClass:
+ enabled: false
+
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+providers:
+ kubernetesCRD:
+ enabled: false
+ kubernetesIngress:
+ enabled: false
+ kubernetesGateway:
+ enabled: true
+ experimentalChannel: false
+ namespaces: []
+ nativeLBByDefault: false
+
+logs:
+ access:
+ enabled: true
+
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+ notAppendXForwardedFor: false
+
+service:
+ enabled: true
+ single: true
+ annotations:
+ purelb.io/service-group: "dmz"
+ purelb.io/addresses: 198.18.199.0
+ annotationsTCP: {}
+ annotationsUDP: {}
+ labels: {}
+ spec:
+ type: LoadBalancer
+ loadBalancerIP: "198.18.199.0"
+ additionalServices: {}
+
+autoscaling:
+ enabled: true
+ minReplicas: 2
+ maxReplicas: 5
+ metrics: []
+ behavior: {}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: "{{ template \"traefik.fullname\" . }}"
+
+persistence:
+ enabled: false
+
+affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+ topologyKey: kubernetes.io/hostname
+
+podSecurityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+
+enabled: true
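Review bot: `providers.kubernetesGateway.namespaces: []` makes the external instance watch Gateway API objects cluster-wide, so as far as these values show, a Gateway with `gatewayClassName: traefik-external` created in any namespace is served on the externally forwarded address `198.18.199.0` with no further gate; unless an admission policy or RBAC already restricts who may reference that class, consider limiting the watch to the namespaces meant to be reachable from outside, e.g. `namespaces: [<external-facing namespaces>]` (placeholder), or at least recording the guarding policy in a comment above the key. `global.checkNewVersion: true` has the DMZ instance make its own outbound update-check calls; setting it to `false` next to `sendAnonymousUsage: false` keeps the egress profile of the exposed deployment minimal unless that traffic is intended. The same observations apply to values-internal.yaml, which differs only in the controller name, service group and address, and the two 86-line files could share one common values file with per-instance overrides so the hardening settings do not drift apart.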
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
new file mode 100644
index 0000000..bbfeace
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -0,0 +1,86 @@
+image:
+ tag: v3.7.0
+
+additionalArguments:
+ - "--providers.kubernetesgateway.controllername=traefik.io/gateway-controller-internal"
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 1
+
+gateway:
+ enabled: false
+
+gatewayClass:
+ enabled: false
+
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+providers:
+ kubernetesCRD:
+ enabled: false
+ kubernetesIngress:
+ enabled: false
+ kubernetesGateway:
+ enabled: true
+ experimentalChannel: false
+ namespaces: []
+ nativeLBByDefault: false
+
+logs:
+ access:
+ enabled: true
+
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+ notAppendXForwardedFor: false
+
+service:
+ enabled: true
+ single: true
+ annotations:
+ purelb.io/service-group: "common"
+ purelb.io/addresses: 198.18.200.4
+ annotationsTCP: {}
+ annotationsUDP: {}
+ labels: {}
+ spec:
+ type: LoadBalancer
+ loadBalancerIP: "198.18.200.4"
+ additionalServices: {}
+
+autoscaling:
+ enabled: true
+ minReplicas: 2
+ maxReplicas: 5
+ metrics: []
+ behavior: {}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: "{{ template \"traefik.fullname\" . }}"
+
+persistence:
+ enabled: false
+
+affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+ topologyKey: kubernetes.io/hostname
+
+podSecurityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+
+enabled: true
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 3a8bc18..218d5ea 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -25,6 +25,7 @@ spec:
 - path: apps/overlays/*/reflector-system
 - path: apps/overlays/*/reloader-system
 - path: apps/overlays/*/reposync
+ - path: apps/overlays/*/traefik-system
 - path: apps/overlays/*/vm-system
 - path: apps/overlays/*/vso-system
 - path: apps/overlays/*/woodpecker