12 changed files with 67 additions and 164 deletions
--- a/apps/argocd/Chart.yaml
+++ b/apps/argocd/Chart.yaml
@ -1,7 +0,0 @@
 apiVersion: v2
 name: argocd
 version: 1.0.0
 dependencies:
  - name: argo-cd
    version: 9.1.0
    repository: https://argoproj.github.io/argo-helm
--- a/apps/argocd/application.yaml
+++ b/apps/argocd/application.yaml
@ -1,41 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: argocd
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-1"  # Sync before other apps
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.mvzijl.nl/marco/veda.git
    targetRevision: applicationset-rewrite
    path: apps/argocd
    helm:
      releaseName: argocd
      valueFiles:
        - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: false  # Be careful with pruning ArgoCD itself
      selfHeal: true  # Auto-fix configuration drift
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true
      - PrunePropagationPolicy=foreground
  ignoreDifferences:
    # Ignore certain fields that change frequently
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas  # If using HPA
    - group: ""
      kind: Secret
      name: argocd-initial-admin-secret
      jsonPointers:
        - /data  # Don't sync the initial password secret
--- a/apps/argocd/templates/httproute.yaml
+++ b/apps/argocd/templates/httproute.yaml
@ -1,20 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: argocd-server
  namespace: {{ .Release.Namespace }}
 spec:
  parentRefs:
    - name: traefik-gateway
      namespace: traefik
      sectionName: web
  hostnames:
    - {{ index .Values "argo-cd" "global" "domain" | quote }}
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: argocd-server
          port: 80
--- a/apps/argocd/values.yaml
+++ b/apps/argocd/values.yaml
@ -1,7 +0,0 @@
 argo-cd:
  global:
    domain: argocd.noxxos.nl
  server:
    ingress:
      enabled: false
--- a/apps/gateway-api/application.yaml
+++ b/apps/gateway-api/application.yaml
@ -1,25 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: gateway-api
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://github.com/kubernetes-sigs/gateway-api
    targetRevision: v1.4.0
    path: config/crd/standard
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: false
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true
      - ServerSideApply=true
--- a/apps/traefik/application.yaml
+++ b/apps/traefik/application.yaml
@ -28,4 +28,3 @@ spec:
      - CreateNamespace=true
      - PruneLast=true
      - PrunePropagationPolicy=foreground
      - Replace=true
--- a/apps/traefik/templates/dashboard-httproute.yaml
+++ b/apps/traefik/templates/dashboard-httproute.yaml
--- a/apps/traefik/templates/gateway.yaml
+++ b/apps/traefik/templates/gateway.yaml
--- a/apps/traefik/templates/reference-grant.yaml
+++ b/apps/traefik/templates/reference-grant.yaml
--- a/apps/traefik/values.yaml
+++ b/apps/traefik/values.yaml
@ -1,30 +1,60 @@
 traefik:
-
+  # Service configuration
  global:
    checkNewVersion: false
  installCRDs: true
  service:
    type: LoadBalancer
    annotations:
      io.cilium/lb-ipam-ips: "192.168.0.2"
  # Ports configuration
  ports:
    web:
      port: 80
      exposedPort: 80
      protocol: TCP
    websecure:
-      asDefault: true
+      port: 443
      exposedPort: 443
      protocol: TCP
      tls:
        enabled: true
    metrics:
      port: 9100
      expose:
        default: false
      protocol: TCP
  # Enable dashboard
  ingressRoute:
    dashboard:
      enabled: true
      matchRule: Host(`traefik.noxxos.nl`)
      entryPoints:
        - websecure
  # Global arguments
  globalArguments:
    - "--global.checknewversion=false"
    - "--global.sendanonymoususage=false"
  # Additional arguments
  additionalArguments:
    - "--api.dashboard=true"
    - "--log.level=INFO"
    - "--accesslog=true"
    - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
    - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
  # Providers
  providers:
    kubernetesCRD:
      enabled: true
      allowCrossNamespace: true
    kubernetesIngress:
      enabled: false
    kubernetesGateway:
      enabled: true
      publishedService:
        enabled: true
  # Resource limits
  resources:
    requests:
      cpu: "100m"
@ -33,35 +63,26 @@ traefik:
      cpu: "500m"
      memory: "512Mi"
  # Replicas
  deployment:
    replicas: 2
  # Metrics (Prometheus)
  metrics:
    prometheus:
      enabled: true
      addEntryPointsLabels: true
      addServicesLabels: true
-  gateway:
+  # Security
-    listeners:
+  securityContext:
-      web:
+    capabilities:
-        namespacePolicy:
+      drop: [ALL]
-          from: All
+      add: [NET_BIND_SERVICE]
    readOnlyRootFilesystem: true
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532
-  extraObjects:
+  podSecurityContext:
-    - apiVersion: gateway.networking.k8s.io/v1
+    fsGroup: 65532
      kind: HTTPRoute
      metadata:
        name: traefik-dashboard
        namespace: traefik
      spec:
        parentRefs:
          - name: traefik-gateway
        hostnames:
          - "traefik.noxxos.nl"
        rules:
          - matches:
              - path: { type: PathPrefix, value: /dashboard }
              - path: { type: PathPrefix, value: /api }
            backendRefs:
              - group: traefik.io
                kind: TraefikService
                name: api@internal
--- a/platform/components/02-argocd/post-install/httproute.yaml
+++ b/platform/components/02-argocd/post-install/httproute.yaml
@ -1,20 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: argocd-server
  namespace: argocd
 spec:
  parentRefs:
    - name: traefik-gateway
      namespace: traefik
      sectionName: websecure
  hostnames:
    - "argocd.noxxos.nl"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: argocd-server
          port: 80
--- a/platform/components/02-argocd/values.yaml
+++ b/platform/components/02-argocd/values.yaml
@ -3,4 +3,7 @@ global:
 server:
  ingress:
-    enabled: false
+    enabled: true
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure