Add gateway-api application and update Traefik configuration; disable old ingress

2025-11-08 14:51:38 +01:00 · 2025-11-08 14:51:38 +01:00 · 8c8a56b9f6
commit 8c8a56b9f6
parent 88ac421c19
8 changed files with 91 additions and 69 deletions
--- a/apps/gateway-api/application.yaml
+++ b/apps/gateway-api/application.yaml
@ -0,0 +1,25 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: gateway-api
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://github.com/kubernetes-sigs/gateway-api
    targetRevision: v1.4.0
    path: config/crd/standard
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: false
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true
      - ServerSideApply=true
--- a/apps/traefik/application.yaml
+++ b/apps/traefik/application.yaml
@ -27,4 +27,5 @@ spec:
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true
-      - PrunePropagationPolicy=foreground
+      - PrunePropagationPolicy=foreground
      - Replace=true
--- a/apps/traefik/templates/dashboard-httproute.yaml
+++ b/apps/traefik/templates/dashboard-httproute.yaml
--- a/apps/traefik/templates/gateway.yaml
+++ b/apps/traefik/templates/gateway.yaml
--- a/apps/traefik/templates/reference-grant.yaml
+++ b/apps/traefik/templates/reference-grant.yaml
--- a/apps/traefik/values.yaml
+++ b/apps/traefik/values.yaml
@ -1,60 +1,30 @@
 traefik:
-  # Service configuration
+
  global:
    checkNewVersion: false
  installCRDs: true
  service:
    type: LoadBalancer
    annotations:
      io.cilium/lb-ipam-ips: "192.168.0.2"
  # Ports configuration
  ports:
    web:
      port: 80
      exposedPort: 80
      protocol: TCP
    websecure:
      port: 443
      exposedPort: 443
      protocol: TCP
      tls:
        enabled: true
    metrics:
      port: 9100
      expose:
        default: false
      protocol: TCP
-  # Enable dashboard
+  ports:
-  ingressRoute:
+    websecure:
-    dashboard:
+      asDefault: true
-      enabled: true
+
      matchRule: Host(`traefik.noxxos.nl`)
      entryPoints:
        - websecure
  # Global arguments
  globalArguments:
    - "--global.checknewversion=false"
    - "--global.sendanonymoususage=false"
  # Additional arguments
  additionalArguments:
    - "--api.dashboard=true"
    - "--log.level=INFO"
    - "--accesslog=true"
    - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
    - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
  # Providers
  providers:
    kubernetesCRD:
      enabled: true
      allowCrossNamespace: true
    kubernetesIngress:
      enabled: false
    kubernetesGateway:
      enabled: true
-      publishedService:
+
        enabled: true
  # Resource limits
  resources:
    requests:
      cpu: "100m"
@ -62,27 +32,36 @@ traefik:
    limits:
      cpu: "500m"
      memory: "512Mi"
-  
+
  # Replicas
  deployment:
    replicas: 2
-  
+
  # Metrics (Prometheus)
  metrics:
    prometheus:
      enabled: true
-      addEntryPointsLabels: true
+
-      addServicesLabels: true
+  gateway:
-  
+    listeners:
-  # Security
+      web:
-  securityContext:
+        namespacePolicy:
-    capabilities:
+          from: All
-      drop: [ALL]
+
-      add: [NET_BIND_SERVICE]
+  extraObjects:
-    readOnlyRootFilesystem: true
+    - apiVersion: gateway.networking.k8s.io/v1
-    runAsGroup: 65532
+      kind: HTTPRoute
-    runAsNonRoot: true
+      metadata:
-    runAsUser: 65532
+        name: traefik-dashboard
-  
+        namespace: traefik
-  podSecurityContext:
+      spec:
-    fsGroup: 65532
+        parentRefs:
          - name: traefik-gateway
        hostnames:
          - "traefik.noxxos.nl"
        rules:
          - matches:
              - path: { type: PathPrefix, value: /dashboard }
              - path: { type: PathPrefix, value: /api }
            backendRefs:
              - group: traefik.io
                kind: TraefikService
                name: api@internal
--- a/platform/components/02-argocd/post-install/httproute.yaml
+++ b/platform/components/02-argocd/post-install/httproute.yaml
@ -0,0 +1,20 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: argocd-server
  namespace: argocd
 spec:
  parentRefs:
    - name: traefik-gateway
      namespace: traefik
      sectionName: websecure
  hostnames:
    - "argocd.noxxos.nl"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: argocd-server
          port: 80
--- a/platform/components/02-argocd/values.yaml
+++ b/platform/components/02-argocd/values.yaml
@ -3,7 +3,4 @@ global:
 server:
  ingress:
-    enabled: true
+    enabled: false
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure