migrate

clusters/cl01tl/helm/traefik/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: traefik
+  repository: https://traefik.github.io/charts
+  version: 37.4.0
+digest: sha256:a57ac6ebc6f83940e5e088f612272b924977b0035fb33ba350185fd75702d2b7
+generated: "2025-12-01T20:27:45.085746-06:00"

clusters/cl01tl/helm/traefik/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: traefik
+version: 1.0.0
+description: Traefik
+keywords:
+  - traefik
+  - reverse-proxy
+  - tls
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/541ec45c-6cf7-4be6-bb08-63cab175e7cb
+sources:
+  - https://github.com/traefik/traefik
+  - https://github.com/traefik/traefik-helm-chart
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: traefik
+    version: 37.4.0
+    repository: https://traefik.github.io/charts
+  # enable pending:
+  # https://github.com/traefik/traefik-helm-chart/pull/1340
+  # - name: traefik-crds
+  #   version: 1.8.0
+  #   repository: https://traefik.github.io/charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/traefik.webp
+appVersion: v3.4.0

clusters/cl01tl/helm/traefik/templates/certificate.yaml

@@ -0,0 +1,17 @@
+# apiVersion: cert-manager.io/v1
+# kind: Certificate
+# metadata:
+#   name: traefik-certificate
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: traefik-certificate
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   secretName: traefik-secret-tls
+#   dnsNames:
+#     - "alexlebens.net"
+#     - "*.alexlebens.net"
+#   issuerRef:
+#     name: letsencrypt-issuer
+#     kind: ClusterIssuer

clusters/cl01tl/helm/traefik/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/traefik/values.yaml

@@ -0,0 +1,148 @@
+traefik:
+  crds:
+    enabled: true
+    deleteOnUninstall: false
+  deployment:
+    kind: DaemonSet
+  ingressClass:
+    enabled: false
+  kubernetesGateway:
+    enabled: true
+  gateway:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-issuer
+    listeners:
+      web:
+        port: 8000
+        hostname: "*.alexlebens.net"
+        protocol: HTTP
+        namespacePolicy:
+          from: All
+      websecure:
+        port: 8443
+        hostname: "*.alexlebens.net"
+        protocol: HTTPS
+        namespacePolicy:
+          from: All
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: websecure-gateway-cert
+            namespace: traefik
+        mode: Terminate
+      ssh:
+        port: 22
+        protocol: TCP
+        namespacePolicy:
+          from: All
+        allowedRoutes:
+          kinds:
+            - kind: TCPRoute
+  ingressRoute:
+    dashboard:
+      enabled: true
+      matchRule: (Host(`traefik-cl01tl.alexlebens.net`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`)))
+      entryPoints: ["websecure"]
+  providers:
+    kubernetesCRD:
+      allowCrossNamespace: true
+      allowEmptyServices: true
+    kubernetesIngress:
+      enabled: false
+    kubernetesGateway:
+      enabled: true
+      experimentalChannel: true
+      statusAddress:
+        ip: 10.232.1.21
+  metrics:
+    prometheus:
+      service:
+        enabled: true
+      disableAPICheck: true
+      serviceMonitor:
+        enabled: true
+      prometheusRule:
+        enabled: false
+  globalArguments: []
+  ports:
+    web:
+      port: 8000
+      expose:
+        default: true
+      exposedPort: 80
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+      forwardedHeaders:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+      proxyProtocol:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+    websecure:
+      port: 8443
+      expose:
+        default: true
+      exposedPort: 443
+      forwardedHeaders:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+      proxyProtocol:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+      tls:
+        enabled: true
+    ssh:
+      port: 22
+      expose:
+        default: true
+      exposedPort: 22
+      forwardedHeaders:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+      proxyProtocol:
+        trustedIPs:
+          - 10.0.0.0/8
+          - 172.16.0.0/16
+          - 192.168.0.0/16
+          - fc00::/7
+        insecure: false
+      tls:
+        enabled: true
+    metrics:
+      expose:
+        default: false
+  service:
+    enabled: true
+    type: LoadBalancer
+    externalIPs:
+      - 10.232.1.21
+# traefik-crds:
+#   enabled: true
+#   traefik: true
+#   gatewayAPI: true
+#   hub: false
+#   deleteOnUninstall: false