save

2025-12-07 00:47:50 +00:00 · 2025-12-07 00:47:50 +00:00 · 348d567421
commit 348d567421
parent 0b6cd0c427
3 changed files with 43 additions and 61 deletions
--- a/.github/workflows/k8s_traefik_init_setup.yml
+++ b/.github/workflows/k8s_traefik_init_setup.yml
@ -84,10 +84,8 @@ jobs:
      # Install Traefik CRDs (idempotent)
      - name: Install Traefik CRDs
        run: |
-          if ! kubectl get crd ingressroutes.traefik.io >/dev/null 2>&1; then
-            kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-            kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-          fi
+          kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+          kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

      # Deploy Traefik
      - name: Deploy Traefik
--- a/traefik/edge-router/traefik-deployment.yml
+++ b/traefik/edge-router/traefik-deployment.yml
@ -1,19 +1,8 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: default
-  name: traefik-ingress-controller
-
---
-
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
+  name: traefik
  namespace: default
-  name: traefik-deployment
-  labels:
-    app: traefik
-
 spec:
  replicas: 1
  selector:
@ -25,35 +14,51 @@ spec:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
+      volumes:
+        - name: acme
+          persistentVolumeClaim:
+            claimName: traefik-acme
      containers:
        - name: traefik
          image: traefik:v2.11
+          ports:
+            - name: web
+              containerPort: 80
+            - name: websecure
+              containerPort: 443
+            - name: admin
+              containerPort: 8080
+          volumeMounts:
+            - name: acme
+              mountPath: /acme
          args:
-            - --api.insecure
-            - --accesslog=True
-            - --entrypoints.web.Address=:80
-            - --entrypoints.websecure.Address=:443
-            - --providers.kubernetescrd
-            - --api.dashboard
-            - --serverstransport.insecureskipverify=true
-            # TLS (HTTPS)
-            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-            - "--certificatesresolvers.myresolver.acme.httpChallenge=false"
-            - "--certificatesresolvers.myresolver.acme.tlsChallenge=false"
-            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
-            - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com"
-            - "--certificatesresolvers.myresolver.acme.storage=/certs/acme.json"
-            - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web"
+            - "--api.dashboard=true"
+            - "--api.insecure=false"
+            - "--entrypoints.web.address=:80"
+            - "--entrypoints.websecure.address=:443"
+
+            # Redirect HTTP → HTTPS
            - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
            - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-            - "--providers.kubernetescrd.allowexternalnameservices=true"
-            - "--providers.kubernetescrd.allowcrossnamespace=false"
-            - "--providers.kubernetescrd.legacyCRDDisabled=true"
-            # 🔥 USE STAGING CERTIFICATES
+
+            # Providers
+            - "--providers.kubernetescrd=true"
+
+            # TLS + ACME
+            - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com"
+            - "--certificatesresolvers.myresolver.acme.storage=/acme/acme.json"
+            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
+
+            # STAGING (uncomment for first-time)  
            - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

-
          env:
+            - name: AWS_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: aws-secrets
+                  key: AWS_REGION
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
@ -64,24 +69,3 @@ spec:
                secretKeyRef:
                  name: aws-secrets
                  key: AWS_SECRET_ACCESS_KEY
-            - name: AWS_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: aws-secrets
-                  key: AWS_REGION
-          ports:
-            - name: web
-              containerPort: 80
-            - name: admin
-              containerPort: 8080
-            - name: websecure
-              containerPort: 443
-          volumeMounts:
-          - name: cert-volume
-            mountPath: /certs
-      imagePullSecrets:
-        - name: registrypullsecret
-      volumes:
-      - name: cert-volume
-        persistentVolumeClaim:
-          claimName: certs-pvc
--- a/traefik/edge-router/traefik-services.yml
+++ b/traefik/edge-router/traefik-services.yml
@ -10,10 +10,10 @@ spec:
  ports:
    - name: web
      port: 80
-      targetPort: web
+      targetPort: 80
    - name: websecure
      port: 443
-      targetPort: websecure
+      targetPort: 443
    - name: admin
      port: 8080
-      targetPort: admin
+      targetPort: 8080