25 configure deploy traefik

.gitignore

@@ -1,7 +1,7 @@
 .idea
 zenika-labs-sa.json
-
-
+traefik-apply.yaml
+secrets
 ### Terraform ###
 # Local .terraform directories
 **/.terraform/*

ci-cd-platform-deployment/README.md

@@ -180,9 +180,12 @@ Fill the following placeholders in the [traefik descriptor](traefik.yaml):
 - `ACME_EMAIL_ADDRESS`: the contact email address to use to generate the TLS certificates
 - `GCE_PROJECT`: the name of the Google Cloud project
 
+> a script is at your disposal to create the taraefik-apply.yaml file from the traefik.yaml template, this script needs as input the values of the variables (below) and then it will take care of replacing everything
+
 Then apply it:
 ```shell script
-kubectl apply -f traefik.yaml
+sh scripts/traefik-apply.sh
+kubectl apply -f traefik-apply.yaml
 ```
 
 This will:

ci-cd-platform-deployment/namespace.yml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: [GCE_PROJECT]

ci-cd-platform-deployment/rbac.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: traefik-ingress-controller
@@ -26,26 +26,30 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
+      - traefik.io
       - traefik.containo.us
     resources:
       - middlewares
+      - middlewaretcps
       - ingressroutes
       - traefikservices
       - ingressroutetcps
       - ingressrouteudps
       - tlsoptions
       - tlsstores
+      - serverstransports
     verbs:
       - get
       - list
       - watch
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: traefik-ingress-controller

ci-cd-platform-deployment/traefik.yaml

@@ -39,7 +39,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
-          image: traefik:v2.3.5
+          image: traefik:v2.10.4
           args:
             - --ping
             - --api.dashboard
@@ -51,6 +51,9 @@ spec:
             - --certificatesResolvers.letsencrypt.acme.storage=/acme/acme.json
             - --certificatesResolvers.letsencrypt.acme.email=[ACME_EMAIL_ADDRESS]
             - --certificatesResolvers.letsencrypt.acme.dnsChallenge.provider=gcloud
+            - --certificatesResolvers.letsencrypt-tls.acme.storage=/acme/acme-tls.json
+            - --certificatesResolvers.letsencrypt-tls.acme.email=[ACME_EMAIL_ADDRESS]
+            - --certificatesResolvers.letsencrypt-tls.acme.tlschallenge=true
           env:
             - name: GCE_PROJECT
               value: [GCE_PROJECT]
@@ -69,6 +72,13 @@ spec:
             - name: traefik-service-account
               mountPath: /service-account
               readOnly: true
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+            limits:
+              cpu: 1000m
+              memory: 100Mi
           readinessProbe:
             httpGet:
               path: /ping

scripts/traefik-apply.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+GCE_PROJECT_VALUE="#########"
+DOMAIN_VALUE="#########"
+ACME_EMAIL_ADDRESS="#########"
+
+# Get the parent directory of the script
+PARENT_DIRECTORY=$(git rev-parse --show-toplevel)
+CI_CD_FOLDER_NAME=ci-cd-platform-deployment
+# Perform multiple replacements using a single sed command
+sed -e "s/\[GCE_PROJECT\]/$GCE_PROJECT_VALUE/g" \
+    -e "s/\[DOMAIN\]/$DOMAIN_VALUE/g" \
+    -e "s/\[ACME_EMAIL_ADDRESS\]/$ACME_EMAIL_ADDRESS/g" \
+    "$PARENT_DIRECTORY/$CI_CD_FOLDER_NAME/traefik.yaml" > "$PARENT_DIRECTORY/$CI_CD_FOLDER_NAME/traefik-apply.yaml"