apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-24.0.0-d2iq-defaults
namespace: ${releaseNamespace}
data:
values.yaml: |
---
priorityClassName: "dkp-critical-priority"
podDisruptionBudget:
minAvailable: 1
# Distribute pods to tolerate node or zone failure.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: kommander.mesosphere.io/name
operator: In
values:
- traefik
topologyKey: kubernetes.io/hostname
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: kommander.mesosphere.io/name
operator: In
values:
- traefik
topologyKey: failure-domain.beta.kubernetes.io/zone
deployment:
# Configure Traefik for HA.
replicas: 2
podLabels:
kommander.mesosphere.io/name: traefik
app: traefik
initContainers:
- name: initialize-middleware
image: "${kubetoolsImageRepository:=bitnami/kubectl}:${kubetoolsImageTag:=1.27.9}"
command:
- bash
args:
- -c
- |
cat << EOF | kubectl -n ${releaseNamespace} apply -f -
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefixes
namespace: ${releaseNamespace}
spec:
stripPrefix:
prefixes:
- /dkp/alertmanager
- /dkp/api-server
- /dkp/kommander/ceph-dashboard
- /dkp/kommander/dashboard
- /dkp/kommander/gitserver
- /dkp/kommander/git
- /dkp/kommander/helm-mirror
- /dkp/kommander/kubecost/frontend
- /dkp/kommander/kubecost/query
- /dkp/kommander/monitoring/query
- /dkp/kubecost/frontend
- /dkp/kubecost/grafana
- /dkp/kubernetes
- /dkp/prometheus
- /dkp/traefik
---
# Create stripprefix middleware for kubetunnel exposed services.
# This expects that every TunnelGateway will be launched with
# `urlPathPrefix: /dkp/tunnel` configuration.
# If there is a need for creating TunnelGateway objects with
# different `urlPathPrefix` then this middleware needs to be
# extended or new must be created.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefixes-kubetunnel
namespace: ${releaseNamespace}
spec:
stripPrefixRegex:
regex:
# <route_prefix>/<namespace>/<connector_name>/kubeconfig
- /dkp/tunnel/[^/]+/[^/]+/kubeconfig
# <route_prefix>/<namespace>/<connector_name>/tunnel-server
- /dkp/tunnel/[^/]+/[^/]+/tunnel-server
---
# Used by components such as kube-prometheus-stack's Grafana
# that rely on X-Forwarded-User but break when `Authorization:` header
# is set as well. See https://jira.d2iq.com/browse/D2IQ-77423.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: forwardauth
namespace: ${releaseNamespace}
spec:
forwardAuth:
address: http://${tfaName}.${releaseNamespace}.svc.cluster.local:4181/
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
- Impersonate-User
- Impersonate-Group
---
# Used by apps such as Kuberentes-Dashboard and Kiali
# that obtain the K8S API Bearer token via
# the `Authorization:` header and Impersonate the user.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: forwardauth-full
namespace: ${releaseNamespace}
spec:
forwardAuth:
address: http://${tfaName}.${releaseNamespace}.svc.cluster.local:4181/
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
- Impersonate-User
- Impersonate-Group
- Authorization
---
# Traefik's dashboard assumes its API is hosted at /api. This rewrites dashboard responses to fix URLs.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rewrite-api
namespace: ${releaseNamespace}
spec:
plugin:
plugin-rewritebody:
rewrites:
- regex: "/api"
replacement: "/dkp/traefik/api"
EOF
resources:
limits:
cpu: 1000m
requests:
cpu: 500m
access:
enabled: true
logs:
general:
level: WARNING
access:
enabled: true
# TODO: with Traefik 2 we should be able to validate against the proper CA
# https://jira.d2iq.com/browse/D2IQ-75866
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--metrics.prometheus=true"
- "--providers.kubernetesingress.ingressendpoint.publishedservice=${releaseNamespace}/kommander-traefik"
- "--providers.kubernetesingress.ingressclass=kommander-traefik"
- "--api.insecure=true"
- "--experimental.localPlugins.plugin-rewritebody.moduleName=plugin-rewritebody"
- "--entrypoints.web.http.redirections.entryPoint.to=:443"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
volumes:
- type: configMap
name: traefik-plugin-rewritebody
mountPath: /plugins-local/src/plugin-rewritebody
# Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
enabled: true
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations:
kubernetes.io/ingress.class: kommander-traefik
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
#
# Configure providers
#
providers:
kubernetesCRD:
enabled: true
namespaces: []
# - "default"
kubernetesIngress:
enabled: true
# labelSelector: environment=production,method=traefik
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: false
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: "${releaseNamespace}/kommander-traefik"
pilot:
dashboard: false
# This value should be equal to release name. Justification with timeline of changes:
# 1. This was set to `kommander-treafik` in an old chart version - https://github.com/traefik/traefik-helm-chart/blob/v10.30.1/traefik/templates/deployment.yaml#L42 (Shipped in DKP 2.4)
# 2. A breaking change was made in traefik 17.0.1 https://github.com/traefik/traefik-helm-chart/blob/v17.0.1/traefik/templates/deployment.yaml#L38 which caused it to be renamed to `kommander-treafik-${releaseNamespace}`
# 3. Another change was made in 20.3.0 for backwards compatibility thats lets a user override the label value - https://github.com/traefik/traefik-helm-chart/blob/v20.3.0/traefik/templates/_helpers.tpl#L42-L47
instanceLabelOverride: "kommander-traefik"
ports:
velero-ceph:
port: 8080
expose: true
exposedPort: 8085 # Velero is configured to use this value
protocol: TCP