bplein / post-talos-setup

Setup notes: reverse proxy #2

Open magsol opened 4 months ago

magsol commented 4 months ago

This is the trickiest one since I use traefik where you use nginx. I also use the traefik helm chart but my overrides are very different. Overrides summarized:

Currently the only actual ingress I have defined is in the Mastodon helm chart.

bplein commented 3 months ago

If you include an anonymized version here, I can post it as an alternate example for traefik.

magsol commented 3 months ago

Here's the anonymized version:

image:
  name: traefik

ingressClass:
  enabled: true
  isDefaultClass: true

env:
  - name: CF_API_EMAIL
    valueFrom:
      secretKeyRef:
        name: cloudflare-api-credentials
        key: email
  - name: CF_API_KEY
    valueFrom:
      secretKeyRef:
        name: cloudflare-api-credentials
        key: api-key
  - name: CF_DNS_API_TOKEN
    valueFrom:
      secretKeyRef:
        name: cloudflare-api-credentials
        key: api-token

ports:
  websecure:
    tls:
      enabled: true
      certResolver: "leresolver"
      domains:
      - main: "mydomain.com"
        sans:
          - "mastodon.mydomain.com"
          - "*.mydomain.com"

service:
  enabled: true
  type: LoadBalancer
  spec:
    externalTrafficPolicy: Cluster
    loadBalancerIP: "192.168.1.100" # the first IP in my metallb floating range

persistence:
  enabled: true
  name: traefik-data
  accessMode: ReadWriteOnce
  size: 256Mi
  storageClass: "nfs-client"
  path: /traefikdata

certResolvers:
  leresolver:
    # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
    email: my_email@email.com
    dnsChallenge:
      provider: cloudflare
      delayBeforeCheck: 30
      resolvers:
        - 1.1.1.1
        - 8.8.8.8

magsol commented 2 months ago

Hey @bplein, wanted to see if you've had a chance to look over things yet. I kinda figure the reverse proxy is where the magic needs to happen, since the other two are more or less identical to your setup. Let me know, thanks!