diff --git a/compose.yml b/compose.yml
index 0888efb..2cb0e1f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -11,9 +11,10 @@ services:
 command:
 - --configFile=/etc/traefik/traefik.yml
 ports:
- - 80:80
- - 443:443
- - 8080:8080
+ - 80:80/tcp
+ - 443:443/tcp
+ - 443:443/udp
+ - 8080:8080/tcp
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./traefik/etc:/etc/traefik:ro
diff --git a/mkdocs/docs/projects/k3s_traefik_setup.md b/mkdocs/docs/projects/k3s_traefik_setup.md
index 3e90f40..5e7604b 100644
--- a/mkdocs/docs/projects/k3s_traefik_setup.md
+++ b/mkdocs/docs/projects/k3s_traefik_setup.md
@@ -2,7 +2,7 @@ ## Brief -Enabling internal access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster +Enabling traefik access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster - by `rskntroot` on `2024-07-01`
@@ -23,23 +23,30 @@ Server Version: v1.29.5+k3s1 ## Traefik Dashboards -`Traefik Dashboards` refers to both traefik dashboard and prometheus metrics for traefik which are readily available, however, disabled by default in K3S. +K3S comes packaged with `Traefik Dashboard` and `Prometheus Metrics` which are disabled by default. ### Preparation -Enable `internal`+`.your.domain.com` in non-public DNS +=== "DNS" -- (alt) edit the `hosts` file on your admin to point the desired k3s host IP + Set DNS record `traefik.your.domain.com` in a non-public DNS -On host with `kubectl` access: -``` bash -export DOMAIN=your.domain.com -``` +=== "Hosts File" + + Alternatively, you can just edit your workstations `hosts` file. + + ``` title="/etc/hosts" + + 10.0.0.1 traefik.your.domain.com + + ``` !!! warning "This example does not include authentication. Exposing these dashboards is a security risk." ### Update Manifest +On host with `kubectl` access. + Add the following to `spec.valuesContent` in: ``` bash 
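Review bot: `8080:8080/tcp` publishes the port on every host interface; if 8080 is the Traefik API/dashboard entrypoint (the `traefik.yml` hunks in this diff do not show its definition), binding it to loopback keeps it off the network, e.g. `- "127.0.0.1:8080:8080/tcp"`. The added `443:443/udp` line is consistent with `http3: advertisedPort: 443` on the `websecure` entrypoint in `traefik.yml`, so that part looks right. Quoting every mapping (`- "80:80/tcp"`) follows Compose convention and avoids the YAML 1.1 sexagesimal parse if a port below 60 is ever added without a protocol suffix. The enclosing service definition starts before this hunk.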
@@ -102,7 +109,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. === "Traefik Dashboard" - ``` yaml + ``` yaml title="traefik-dashboard.yml" apiVersion: v1 kind: Service metadata:
@@ -133,7 +140,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. spec.ingressClassName: traefik spec: rules: - - host: internal.${DOMAIN} + - host: traefik.${DOMAIN} http: paths: - path: /
@@ -147,7 +154,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. === "Promethus Only" - ``` yaml + ``` yaml title="traefik-dashboard.yml" apiVersion: v1 kind: Service metadata:
@@ -178,7 +185,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. spec.ingressClassName: traefik spec: rules: - - host: internal.${DOMAIN} + - host: traefik.${DOMAIN} http: paths: - path: /
@@ -199,7 +206,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. === "Both" - ``` yaml + ``` yaml title="traefik-dashboard.yml" apiVersion: v1 kind: Service metadata:
@@ -251,7 +258,7 @@ Save the following to `traefik-dashboard.yml` in your workspace. spec.ingressClassName: traefik spec: rules: - - host: internal.${DOMAIN} + - host: traefik.${DOMAIN} http: paths: - path: /
@@ -272,7 +279,11 @@ Save the following to `traefik-dashboard.yml` in your workspace. ### Create Service & Ingress Resources -[envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated below. +First, set the environment variable for to your domain. + +``` bash +export DOMAIN=your.domain.com +``` === "Bash" 
@@ -292,6 +303,10 @@ Save the following to `traefik-dashboard.yml` in your workspace. traefik-metrics ClusterIP 10.43.189.128 9100/TCP 25s ``` +!!! note annotate "Why are passing the yaml file into `envsubst`? (1)" + +1. `envsubst` - [gnu](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated above. + ### Access Dashboards That's it. You should now be able to access the Traefik Ingress Controller Dashboard and metrics remotely.
@@ -301,7 +316,7 @@ Don't forget to include the appropriate uri paths: === "Traefik Dashboard" ``` - https://internal.your.domain.com/dashboard/ + https://traefik.your.domain.com/dashboard/ ``` !!! tip "When navigating to the traefik dashboard the `/` at the end is necessary. `/dashboard` will not work. "
@@ -309,7 +324,7 @@ Don't forget to include the appropriate uri paths: === "Promethus Metrics" ``` - https://internal.your.domain.com/metrics + https://traefik.your.domain.com/metrics ``` ### Disable Dashboards
diff --git a/mkdocs/mkdocs.yml b/mkdocs/mkdocs.yml
index e9d6faf..f3ddc88 100644
--- a/mkdocs/mkdocs.yml
+++ b/mkdocs/mkdocs.yml
@@ -6,9 +6,10 @@ theme:
 name: material
 features:
 - navigation.instant
+ - content.code.copy
+ - content.code.select
 icon:
 admonition:
- note: fontawesome/solid/note-sticky
 abstract: fontawesome/solid/book
 info: fontawesome/solid/circle-info
 success: fontawesome/solid/check
@@ -18,6 +19,7 @@ theme:
 bug: fontawesome/solid/robot
 example: fontawesome/solid/flask
 quote: fontawesome/solid/quote-left
+ annotation: material/plus-circle
 repo: fontawesome/brands/github
 palette:
 # Palette toggle for dark mode
@@ -32,8 +34,10 @@ theme:
 icon: material/weather-night
 name: Switch to dark mode
 markdown_extensions:
- - admonition
 - abbr
+ - admonition
+ - attr_list
+ - md_in_html
 - pymdownx.snippets:
 auto_append:
 - includes/abbreviations.md 
diff --git a/nginx/etc/conf.d/default.conf b/nginx/etc/conf.d/default.conf
index 4f0902d..7ad5114 100644
--- a/nginx/etc/conf.d/default.conf
+++ b/nginx/etc/conf.d/default.conf
@@ -10,9 +10,6 @@ server {
 add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 add_header X-XSS-Protection "1; mode=block";
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on; - # rskio logging is handled via traefik #access_log /var/log/nginx/host.access.log main;
diff --git a/traefik/etc/dynamic.yml b/traefik/etc/dynamic.yml
index 37d6324..962d9bd 100644
--- a/traefik/etc/dynamic.yml
+++ b/traefik/etc/dynamic.yml
@@ -1,2 +1,29 @@
 # To enable update provider in traefik.yml
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ mintls13:
+ minVersion: VersionTLS13
+ cipherSuites:
+ - TLS_AES_256_GCM_SHA384
+ - TLS_AES_128_GCM_SHA256
+ - TLS_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_FALLBACK_SCSV
+
+http:
+ middlewares:
+ secureHeaders:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ frameDeny: true
+ referrerPolicy: "same-origin"
+ sslRedirect: true
+ stsSeconds: 31536000
diff --git a/traefik/etc/traefik.yml b/traefik/etc/traefik.yml
index db0509d..29a5d7b 100644
--- a/traefik/etc/traefik.yml
+++ b/traefik/etc/traefik.yml
@@ -10,12 +10,14 @@ entryPoints:
 entryPoint:
 to: websecure
 priority: 10
+ middlewares:
+ - secureHeaders@file
 websecure:
 address: :443
 http3:
 advertisedPort: 443
-certificatesresolvers:
+certificatesResolvers:
 rskio_certresolver:
 acme:
 tlschallenge: true
@@ -40,7 +42,7 @@ providers:
 endpoint: unix:///var/run/docker.sock
 network: rskio_default
 exposedByDefault: false
-# file:
-# filename: /etc/traefik/dynamic.yml
-# watch: true
+ file:
+ filename: /etc/traefik/dynamic.yml
+ watch: true
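Review bot: The `cipherSuites` list under the `mintls13` option is dead configuration: Traefik, via Go's crypto/tls, does not allow cipher suites to be configured for TLS 1.3, and the `TLS_ECDHE_*` entries are TLS 1.2 suites that can never be negotiated once `minVersion: VersionTLS13` is set. `TLS_FALLBACK_SCSV` is a downgrade-signalling value rather than a cipher suite, so check that Traefik actually accepts it at load time; if the goal is to restrict TLS 1.2 clients, move the `TLS_ECDHE_*` entries under `default` (where `minVersion: VersionTLS12` still permits them) and drop the rest. Nothing in this diff references `mintls13@file`, so unless a router elsewhere selects it the option is unused. `sslRedirect: true` in `secureHeaders` is deprecated in Traefik's headers middleware and duplicates the entrypoint redirection to `websecure` that `traefik.yml` already carries in this diff. The context line `# To enable update provider in traefik.yml` is now stale because this commit enables the file provider; replace it with `# Dynamic configuration loaded by providers.file in traefik.yml`.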
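Review bot: The new `middlewares: - secureHeaders@file` lines sit under the entrypoint that carries the `redirections.entryPoint.to: websecure` block, which reads as the plain-HTTP `web` entrypoint whose name precedes this hunk; browsers only honor HSTS on HTTPS responses, so the same `http.middlewares` entry needs to be added under `websecure` for the headers to reach real traffic. Indentation is not recoverable from this view, so also confirm that `middlewares` is nested at the `http` level (a sibling of `redirections`) rather than inside the `redirections` block. The `certificatesresolvers` → `certificatesResolvers` rename is cosmetic as far as I know (Traefik's parser matches keys case-insensitively), and `tlschallenge` three lines later keeps the old casing, so either normalize both or neither.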