promote(infra/prod): freight 5156c91d9d5d70decc8f78ca021bb04178f65daf

2026-03-11 08:17:52 +00:00
parent 2ef96b3f49
commit 8d3d75b902
52 changed files with 295 additions and 1012 deletions
--- a/infra/traefik-routes/manifests/gitea-ingress.yaml
+++ b/infra/traefik-routes/manifests/gitea-ingress.yaml
@@ -0,0 +1,41 @@
+# Gitea HTTPS IngressRoute via Traefik
+# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-https
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+        - name: gitea-buffer-timeout
+          namespace: gitea
+      services:
+        - name: gitea-http
+          port: 3000
+  tls: {}
+---
+# HTTP → HTTPS redirect for Gitea
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http-redirect
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: kube-system
+      services:
+        - name: gitea-http
+          port: 3000
--- a/infra/traefik-routes/manifests/gitea-ssh.yaml
+++ b/infra/traefik-routes/manifests/gitea-ssh.yaml
@@ -0,0 +1,14 @@
+# Gitea SSH access via Traefik TCP routing (port 2222)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  entryPoints:
+    - ssh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 22
--- a/infra/traefik-routes/manifests/kargo-ingress.yaml
+++ b/infra/traefik-routes/manifests/kargo-ingress.yaml
@@ -0,0 +1,21 @@
+# Kargo dashboard HTTPS IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kargo-https
+  namespace: kargo
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`kargo.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: kargo-tls-middleware
+          namespace: kargo
+      services:
+        - name: kargo-api
+          port: 443
+          scheme: https
+          serversTransport: kargo-skip-verify
+  tls: {}
--- a/infra/traefik-routes/manifests/kargo-transport.yaml
+++ b/infra/traefik-routes/manifests/kargo-transport.yaml
@@ -0,0 +1,8 @@
+# ServersTransport to skip TLS verification for Kargo backend (self-signed cert)
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kargo-skip-verify
+  namespace: kargo
+spec:
+  insecureSkipVerify: true
--- a/infra/traefik-routes/manifests/middlewares.yaml
+++ b/infra/traefik-routes/manifests/middlewares.yaml
@@ -0,0 +1,57 @@
+# HTTP → HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: kube-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+# Forward X-Forwarded-Proto header for backends behind TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: sslheader
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Gitea: buffer large requests (git push) + timeout for CI builds
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: gitea-buffer-timeout
+  namespace: gitea
+spec:
+  buffering:
+    maxRequestBodyBytes: 0
+    maxResponseBodyBytes: 0
+    memRequestBodyBytes: 20971520
+    memResponseBodyBytes: 20971520
+    retryExpression: "IsNetworkError()"
+---
+# ArgoCD: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: argocd-tls-middleware
+  namespace: argocd
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Kargo: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: kargo-tls-middleware
+  namespace: kargo
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
--- a/infra/traefik-routes/manifests/namespaces.yaml
+++ b/infra/traefik-routes/manifests/namespaces.yaml
@@ -0,0 +1,14 @@
+# Ensure namespaces exist for cross-namespace middleware references
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+  labels:
+    name: gitea
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kargo
+  labels:
+    name: kargo
--- a/infra/traefik-routes/manifests/tls-store.yaml
+++ b/infra/traefik-routes/manifests/tls-store.yaml
@@ -0,0 +1,10 @@
+# Default TLS store — uses wildcard-tls from kube-system as default cert.
+# All IngressRoutes with tls: {} will use this certificate.
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: kube-system
+spec:
+  defaultCertificate:
+    secretName: wildcard-tls
--- a/infra/traefik-routes/manifests/traefik-dashboard.yaml
+++ b/infra/traefik-routes/manifests/traefik-dashboard.yaml
@@ -0,0 +1,19 @@
+# Traefik Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`traefik.k3s\..+\.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls: {}