Traefik trusted IPs (#52)

* Set trusted ips * deploy * I have no plans * fix * cleanup
nycmeshnet · Nov 20, 2024 · 9d44cbc · 9d44cbc
1 parent 7167a2f
commit 9d44cbc
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 12 deletions.
diff --git a/.github/workflows/deploy_k8s_cluster.yaml b/.github/workflows/deploy_k8s_cluster.yaml
@@ -75,17 +75,6 @@ jobs:
           sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }}
           sudo ip link set up dev wg0
           rm privatekey
-
-      - name: Terraform plan
-        id: plan
-        if: github.event_name == 'pull_request'
-        run: terraform plan -no-color -input=false -var-file=${{ vars.ENV_NAME }}.tfvars
-        continue-on-error: true
-        working-directory: ./terraform/
-
-      - name: Terraform Plan Status
-        if: steps.plan.outcome == 'failure'
-        run: exit 1
       
       - name: Terraform Apply
         run: |

diff --git a/ansible/roles/k8s-cluster-helm/tasks/main.yaml b/ansible/roles/k8s-cluster-helm/tasks/main.yaml
@@ -36,3 +36,16 @@
   ansible.builtin.command:
     chdir: /root/
     cmd: kubectl apply -f datadog_agent.yaml
+
+- name: Copy traefik config
+  ansible.builtin.template:
+    src: ./templates/traefik_config.yaml.j2
+    dest: /root/traefik_config.yaml
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Apply traefik config manifest
+  ansible.builtin.command:
+    chdir: /root/
+    cmd: kubectl apply -f traefik_config.yaml
diff --git a/ansible/roles/k8s-cluster-helm/templates/traefik_config.yaml.j2 b/ansible/roles/k8s-cluster-helm/templates/traefik_config.yaml.j2
@@ -0,0 +1,10 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    additionalArguments:
+      - "--entryPoints.web.proxyProtocol.trustedIPs={{ TRAEFIK_TRUSTED_IPs }}"
+      - "--entryPoints.web.forwardedHeaders.trustedIPs={{ TRAEFIK_TRUSTED_IPs }}"
diff --git a/terraform/mesh_cluster/ansible.tf b/terraform/mesh_cluster/ansible.tf
@@ -47,7 +47,8 @@ resource "ansible_host" "meshmgr" {
   name   = var.mesh_mgr_ips[count.index]
   groups = [ansible_group.mgrs.name]
   variables = {
-    K3S_API_ENDPOINT = var.mesh_mgr_ips[0]
+    K3S_API_ENDPOINT    = var.mesh_mgr_ips[0]
+    TRAEFIK_TRUSTED_IPs = format("%s/32,%s/32,10.42.0.0/16", var.mesh_lb_ip, var.mesh_external_ip)
   }
 }