Merge traefik values + explicit cert dates

Author: YuryHrytsuk

charts/cert-manager/templates/certificates.yaml

@@ -11,6 +11,8 @@ spec:
       reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "traefik"
       reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
       reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik"
+  duration: 2160h # 90 days
+  renewBefore: 720h # 30 days
   secretName: {{ .secretName }}
   dnsNames:
 {{- range .dnsNames }}

charts/traefik/values.common.yaml.gotmpl

@@ -20,6 +20,9 @@ service:
 ports:
   web:
     nodePort: 32080
+    redirectTo:
+       port: websecure
+       permanent: true
   websecure:
     nodePort: 32443
 
@@ -41,3 +44,123 @@ tlsStore:
     certificates:
       # generated by cert manager and copied by reflector
       - secretName: {{ requiredEnv "MACHINE_FQDN" | replace "." "-" }}-tls
+
+extraObjects:
+
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: traefik-api
+    namespace: {{.Release.Namespace}}
+  spec:
+    type: ClusterIP
+    selector:
+      app.kubernetes.io/name: traefik
+      app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
+    ports:
+    - port: 8080
+      name: traefik
+      targetPort: 9000
+      protocol: TCP
+
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: traefik-authorized-users
+    namespace: {{.Release.Namespace}}
+  data:
+    users: |2
+      {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
+
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: traefik-basic-auth
+    namespace: {{.Release.Namespace}}
+  spec:
+    basicAuth:
+      secret: traefik-authorized-users  # https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: portainer-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /portainer
+
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: longhorn-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /longhorn
+
+  # a (href) links do not work properly without trailing slash
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: logs-append-slash
+    namespace: {{ .Release.Namespace }}
+  spec:
+    redirectRegex:
+      regex: "^(https?://[^/]+/logs)$"
+      replacement: "${1}/"
+
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: logs-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /logs
+
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: internal-ipallowlist
+  spec:
+    ipAllowList:
+      sourceRange:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/16
+
+- apiVersion: networking.k8s.io/v1
+  kind: Ingress
+  metadata:
+    name: traefik-dashboard
+    namespace: {{.Release.Namespace}}
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd # namespace + middleware name
+      traefik.ingress.kubernetes.io/router.tls: "true"
+  spec:
+    rules:
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+      http:
+        paths:
+        - path: /dashboard
+          pathType: Prefix
+          backend:
+            service:
+              name: traefik-api
+              port:
+                name: traefik
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+      http:
+        paths:
+        - path: /api
+          pathType: Prefix
+          backend:
+            service:
+              name: traefik-api
+              port:
+                name: traefik