Requirements:
- cert-manager already set up and at least a cluster-issuer
- traefik
- flux or argocd (Optional but highly recommended)
Issue that caused it: the --serversTransport.insecureSkipVerify global option no longer works on newer versions of Traefik. It was replaced, and now the way seems to be to define a ServersTransport CRD and an IngressRoute. I had to go through pretty much every ingress anyway to fix it, even had I known how to before.
Deployment: Best used with Flux or ArgoCD.
Just FORK this repository, then point Flux/ArgoCD to YOUR FORK and select the external_services_helm directory. Then use a customized values.yaml.
Security and peace of mind. If I make changes you'll have to review them before putting something into your cluster. Sure, you could automate it and have it pull, but that breaks the security model. It's just best practice. If you really want to point to this repository, be my guest.
It generates ExternalName services, middlewares, ServersTransports, certificates, and IngressRoutes.
Two working examples are provided to show intended usage.
A compose for your Kubernetes Traefik Ingress.
Defining ingresses almost became a full time job. All the separate parts required for it to work to point to a service outside of Kubernetes were cumbersome: lots of redundant typing and specifying the same things over and over. This simplifies things so one smaller entry can define everything, and the implementation details are then generated from the specification.
This reduces the time it takes to create an ingress from 20+ minutes to 3-5 minutes. And if Traefik decides to change their spec, the templates can be updated to fix all of the IngressRoutes quickly.
From 39 lines of YAML for the simplest Kubernetes external service to 10 lines (+9 for the certificate, but the certificates can often be re-used across multiple IngressRoutes):
```yaml
- name: n8n-centerionware-com-ingressroute
  secretName: centerionware-default
  routes:
    - kind: Rule
      match: Host(`n8n.centerionware.com`) && PathPrefix(`/`)
      services:
        - type: ExternalName
          name: n8n-routing-centerionware-com-service
          externalName: n8n.centerionware.lan
          port: 80
          scheme: http
```

And this generates all the manifests for all the things.
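To make the expansion concrete, here is an added illustration (not the chart's own templates, whose output may differ) of what one spec of the shape above stands for: an ExternalName Service, an IngressRoute, and, only for an https backend, a ServersTransport scoped to that one backend instead of a global insecureSkipVerify. It assumes the Traefik v3 CRD group traefik.io/v1alpha1, an entry point named websecure, and an optional per-service insecureSkipVerify key that defaults to false.

```python
# Added illustration (not the chart's templates): expand one short spec of the
# form shown above into the manifests it stands for. Assumes the Traefik v3
# CRD group traefik.io/v1alpha1 and an entry point named "websecure".
import json

# Constructed input, mirroring the n8n example above.
SPEC = {
    "name": "n8n-centerionware-com-ingressroute",
    "secretName": "centerionware-default",
    "routes": [{"kind": "Rule",
                "match": "Host(`n8n.centerionware.com`) && PathPrefix(`/`)",
                "services": [{"name": "n8n-routing-centerionware-com-service",
                              "externalName": "n8n.centerionware.lan",
                              "port": 80, "scheme": "http"}]}],
}

def render(spec, namespace="default"):
    """Return the Service/ServersTransport/IngressRoute manifests for one spec."""
    manifests, routes = [], []
    for route in spec["routes"]:
        backends = []
        for svc in route["services"]:
            manifests.append({"apiVersion": "v1", "kind": "Service",
                "metadata": {"name": svc["name"], "namespace": namespace},
                "spec": {"type": "ExternalName", "externalName": svc["externalName"],
                         "ports": [{"port": svc["port"]}]}})
            backend = {"name": svc["name"], "port": svc["port"], "scheme": svc["scheme"]}
            if svc["scheme"] == "https":
                # Per-backend replacement for the global insecureSkipVerify flag:
                # verification is skipped only where the spec opts in (assumed
                # key, default false), and only for this one transport.
                st = svc["name"] + "-transport"
                manifests.append({"apiVersion": "traefik.io/v1alpha1",
                    "kind": "ServersTransport",
                    "metadata": {"name": st, "namespace": namespace},
                    "spec": {"serverName": svc["externalName"],
                             "insecureSkipVerify": bool(svc.get("insecureSkipVerify", False))}})
                backend["serversTransport"] = st
            backends.append(backend)
        routes.append({"kind": route["kind"], "match": route["match"], "services": backends})
    manifests.append({"apiVersion": "traefik.io/v1alpha1", "kind": "IngressRoute",
        "metadata": {"name": spec["name"], "namespace": namespace},
        "spec": {"entryPoints": ["websecure"], "routes": routes,
                 "tls": {"secretName": spec["secretName"]}}})
    return manifests

if __name__ == "__main__":
    print(json.dumps(render(SPEC), indent=2))
```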
348 lines was the largest definition I had for a specific set of ingresses, and this replaced it with 56 (+9) lines of specification (centerionware-ingress in the examples). That count excludes the middlewares required for this set, on either side of the comparison. Middleware definitions with this are also made smaller, but by a fixed amount.
Technically the type: ExternalName isn't used either, they're all ExternalName services so that's one more line that can be removed.
I'd like to make this work with regular Ingresses with all the features that this already supports. No timeline, may never get to it.
Added Reflector support. Add Kubernetes-Reflector to your cluster, then the reflector can mirror a single certificate to many destinations.
```yaml
certificates:
  - name: centerionware-default
    secretName: centerionware-default
    issuerRef:
      name: cloudflare-issuer
      kind: ClusterIssuer
    commonName: centerionware.com
    reflectionAllowedNamespaces:
      - argocd
    createReflectedSecrets:
      - namespace: argocd
        secretName: argocd-server-tls
    dnsNames:
      - centerionware.com
      - '*.centerionware.com'
```

The above example will fetch the certificate and add argocd to the annotations of the secret via the secretTemplate of the Certificate CRD. The createReflectedSecrets entry will create argocd-server-tls in the argocd namespace with the appropriate annotation to mirror the secret generated by this certificate. The mirrored secret also carries some annotations politely asking ArgoCD not to worry about the extra data that appears on the secret's data object when mirrored by the reflector.