From 6d6ec0c1e2252e14ad5f79259534c322b5da5d3b Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Tue, 10 Feb 2026 21:11:46 +0000 Subject: [PATCH] [ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. --- modules/kubernetes/authentik/main.tf | 63 ++++-------- modules/kubernetes/blog/main.tf | 85 +++------------- modules/kubernetes/discount-bandit/main.tf | 39 ++------ modules/kubernetes/immich/main.tf | 82 ++++------------ modules/kubernetes/ingress_factory/main.tf | 33 +++++-- modules/kubernetes/jellyfin/main.tf | 38 +------ modules/kubernetes/oauth-proxy/main.tf | 38 +------ modules/kubernetes/openid_help_page/main.tf | 39 ++------ .../kubernetes/real-estate-crawler/main.tf | 98 +++---------------- modules/kubernetes/rybbit/main.tf | 88 +++-------------- modules/kubernetes/servarr/readarr/main.tf | 40 ++------ modules/kubernetes/vikunja/main.tf | 61 ++++-------- modules/kubernetes/webhook_handler/main.tf | 39 ++------ 13 files changed, 161 insertions(+), 582 deletions(-) diff --git a/modules/kubernetes/authentik/main.tf b/modules/kubernetes/authentik/main.tf index 71730e21..75ca8deb 100644 --- a/modules/kubernetes/authentik/main.tf +++ b/modules/kubernetes/authentik/main.tf 
@@ -35,50 +35,21 @@ resource "helm_release" "authentik" { } -resource "kubernetes_ingress_v1" "authentik" { - metadata { - name = "authentik" - namespace = kubernetes_namespace.authentik.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["authentik.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "authentik.viktorbarzin.me" - http { - path { - path = "/outpost.goauthentik.io" - path_type = "Prefix" - backend { - service { - name = "ak-outpost-authentik-embedded-outpost" - port { - number = 9000 - } - } - } - } - path { - path = "/" - path_type = "Prefix" - backend { - service { - name = "goauthentik-server" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.authentik.metadata[0].name + name = "authentik" + service_name = "goauthentik-server" + tls_secret_name = var.tls_secret_name +} + +module "ingress-outpost" { + source = "../ingress_factory" + namespace = kubernetes_namespace.authentik.metadata[0].name + name = "authentik-outpost" + host = "authentik" + service_name = "ak-outpost-authentik-embedded-outpost" + port = 9000 + ingress_path = ["/outpost.goauthentik.io"] + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf index afe3fb73..e8d88914 100644 --- a/modules/kubernetes/blog/main.tf +++ b/modules/kubernetes/blog/main.tf 
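Review bot: Splitting the single rule into `module "ingress"` and `module "ingress-outpost"` puts `/` and `/outpost.goauthentik.io` on two separate Ingress objects for the same host, so nothing in this file pins which backend serves the outpost path any more. The removed resource set `path_type = "Prefix"` on both paths inside one rule; the factory's `path` block is outside the visible hunks, so please confirm it emits a prefix match and that the longer path takes precedence on the Traefik side. The same split appears in the real-estate-crawler (`/api`), rybbit (`/api`) and vikunja (`/api/`) hunks. I would add a comment above the second call such as `# same host as module.ingress; relies on the longer path rule taking precedence over "/"`, and check the rendered routers after apply, since forward-auth for every protected service depends on this path.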
@@ -108,75 +108,22 @@ resource "kubernetes_service" "blog" { } } -resource "kubernetes_ingress_v1" "blog" { - metadata { - name = "blog-ingress" - namespace = kubernetes_namespace.website.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,website-rybbit-analytics@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "blog" - port { - number = 80 - } - } - } - } - } - } - rule { - host = "www.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "blog" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.website.metadata[0].name + name = "blog" + service_name = "blog" + full_host = "viktorbarzin.me" + tls_secret_name = var.tls_secret_name + rybbit_site_id = "da853a2438d0" } -# Rybbit analytics middleware for blog -resource "kubernetes_manifest" "rybbit_analytics" { - manifest = { - apiVersion = "traefik.io/v1alpha1" - kind = "Middleware" - metadata = { - name = "rybbit-analytics" - namespace = kubernetes_namespace.website.metadata[0].name - } - spec = { - plugin = { - rewritebody = { - rewrites = [{ - regex = "" - replacement = "" - }] - } - } - } - } +module "ingress-www" { + source = "../ingress_factory" + namespace = kubernetes_namespace.website.metadata[0].name + name = "blog-www" + service_name = "blog" + full_host = "www.viktorbarzin.me" + tls_secret_name = var.tls_secret_name + rybbit_site_id = "da853a2438d0" } diff --git a/modules/kubernetes/discount-bandit/main.tf b/modules/kubernetes/discount-bandit/main.tf index b3e4b140..a7e6c5de 100644 
--- a/modules/kubernetes/discount-bandit/main.tf +++ b/modules/kubernetes/discount-bandit/main.tf @@ -98,37 +98,10 @@ resource "kubernetes_service" "discount-bandit" { } } -resource "kubernetes_ingress_v1" "discount-bandit" { - metadata { - name = "discount-bandit" - namespace = kubernetes_namespace.discount-bandit.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["discount.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "discount.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "discount-bandit" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.discount-bandit.metadata[0].name + name = "discount-bandit" + host = "discount" + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/immich/main.tf b/modules/kubernetes/immich/main.tf index 35412dac..2512af9a 100644 --- a/modules/kubernetes/immich/main.tf +++ b/modules/kubernetes/immich/main.tf 
@@ -455,47 +455,25 @@ resource "kubernetes_service" "immich-machine-learning" { } } -resource "kubernetes_ingress_v1" "ingress" { - metadata { - namespace = kubernetes_namespace.immich.metadata[0].name - name = "immich" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-immich-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,immich-rybbit-analytics@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - - "gethomepage.dev/enabled" = "true" - "gethomepage.dev/description" = "Photos library" - "gethomepage.dev/icon" = "immich.png" - "gethomepage.dev/name" = "Immich" - "gethomepage.dev/widget.type" = "immich" - "gethomepage.dev/widget.url" = "https://immich.viktorbarzin.me" - "gethomepage.dev/pod-selector" = "" - "gethomepage.dev/widget.key" = var.homepage_token - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["immich.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "immich.viktorbarzin.me" - http { - path { - backend { - service { - name = "immich-server" - port { - number = 2283 - - } - } - } - } - } - } +module "ingress-immich" { + source = "../ingress_factory" + namespace = kubernetes_namespace.immich.metadata[0].name + name = "immich" + service_name = "immich-server" + port = 2283 + tls_secret_name = var.tls_secret_name + rybbit_site_id = "35eedb7a3d2b" + skip_default_rate_limit = true + extra_middlewares = ["traefik-immich-rate-limit@kubernetescrd"] + extra_annotations = { + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/description" = "Photos library" + "gethomepage.dev/icon" = "immich.png" + "gethomepage.dev/name" = "Immich" + "gethomepage.dev/widget.type" = "immich" + "gethomepage.dev/widget.url" = "https://immich.viktorbarzin.me" + "gethomepage.dev/pod-selector" = "" + "gethomepage.dev/widget.key" = var.homepage_token } } 
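Review bot: `"gethomepage.dev/widget.key" = var.homepage_token` in `extra_annotations` keeps an Immich API key in plain text on the Ingress object, where anything allowed to get or list Ingresses in that namespace can read it, and it is also written to Terraform state. The migration carries this over from the old resource unchanged, so it is not a regression, but it is worth addressing while the block is being rewritten. At minimum the key should be limited to the read-only permissions the homepage widget needs, and the variable (declared outside this hunk) should be marked `sensitive = true` so it does not appear in plan output. A comment such as `# widget.key is stored unencrypted in the annotation; use a minimally scoped key` would make the exposure visible to the next reader.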
@@ -667,25 +645,3 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" { # protected = true # } -# Rybbit analytics middleware for Immich -resource "kubernetes_manifest" "rybbit_analytics" { - manifest = { - apiVersion = "traefik.io/v1alpha1" - kind = "Middleware" - metadata = { - name = "rybbit-analytics" - namespace = kubernetes_namespace.immich.metadata[0].name - } - spec = { - plugin = { - rewritebody = { - rewrites = [{ - regex = "" - replacement = "" - }] - } - } - } - } -} - diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf index acff9fc3..8d2ed134 100644 --- a/modules/kubernetes/ingress_factory/main.tf +++ b/modules/kubernetes/ingress_factory/main.tf @@ -59,6 +59,22 @@ variable "exclude_crowdsec" { type = bool default = false } +variable "full_host" { + type = string + default = null +} +variable "extra_middlewares" { + type = list(string) + default = [] +} +variable "skip_default_rate_limit" { + type = bool + default = false +} + +locals { + effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}" +} resource "kubernetes_service" "proxied-service" { 
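Review bot: In the ingress_factory hunk at `-59,6 +59,22`, the three new variables have no `description`, and two of them weaken defaults without saying so. `skip_default_rate_limit = true` with an empty `extra_middlewares` yields an ingress with no rate limiter at all, and `full_host` bypasses `root_domain` entirely. I would document the contract on the variable, for example `description = "Drop traefik-rate-limit; the caller must supply a replacement limiter in extra_middlewares"`, and add a matching description to `full_host` stating that it is used verbatim for both the rule host and the TLS host. If the Terraform version in use allows it, a `precondition` on the ingress resource that rejects the skip flag when `extra_middlewares` is empty would turn the convention into a check.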
@@ -89,15 +105,15 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { name = var.name namespace = var.namespace annotations = merge({ - "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact([ - "traefik-rate-limit@kubernetescrd", + "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([ + var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd", var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd", var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null, var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null, var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null, var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null, - ])) + ], var.extra_middlewares))) "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" }, var.extra_annotations) } @@ -105,11 +121,11 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { spec { ingress_class_name = "traefik" tls { - hosts = ["${var.name}.${var.root_domain}"] + hosts = [local.effective_host] secret_name = var.tls_secret_name } rule { - host = "${var.host != null ? var.host : var.name}.${var.root_domain}" + host = local.effective_host http { dynamic "path" { for_each = var.ingress_path @@ -132,7 +148,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { } } -# Rybbit analytics middleware (rewritebody plugin) - created per service when rybbit_site_id is set +# Rybbit analytics middleware (rewrite-body plugin with content-type filtering) - created per service when rybbit_site_id is set resource "kubernetes_manifest" "rybbit_analytics" { count = var.rybbit_site_id != null ? 1 : 0 
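Review bot: In the hunk at `-89,15 +105,15`, `concat([...], var.extra_middlewares)` appends the caller's middlewares after every built-in one, which changes the chain order for Immich. The removed Immich ingress listed `traefik-immich-rate-limit` first, whereas the replacement limiter now comes after CSP headers, CrowdSec and the rybbit rewrite-body middleware. Traefik applies the middlewares in the order they are listed, so requests reach the bouncer and the body-rewriting wrapper before they are throttled. If the limiter is meant to stay first, swap the arguments so the call opens with `compact(concat(var.extra_middlewares, [` and closes with `])))`, or add a dedicated variable for a replacement rate limiter that takes the first slot. The resource body continues outside this hunk.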
@@ -145,11 +161,14 @@ resource "kubernetes_manifest" "rybbit_analytics" { } spec = { plugin = { - rewritebody = { + rewrite-body = { rewrites = [{ regex = "" replacement = "" }] + monitoring = { + types = ["text/html"] + } } } } diff --git a/modules/kubernetes/jellyfin/main.tf b/modules/kubernetes/jellyfin/main.tf index eb1dfb74..31768890 100644 --- a/modules/kubernetes/jellyfin/main.tf +++ b/modules/kubernetes/jellyfin/main.tf @@ -108,38 +108,10 @@ resource "kubernetes_service" "jellyfin" { } } -resource "kubernetes_ingress_v1" "jellyfin" { - metadata { - name = "jellyfin" - namespace = kubernetes_namespace.jellyfin.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["jellyfin.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "jellyfin.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "jellyfin" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.jellyfin.metadata[0].name + name = "jellyfin" + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/oauth-proxy/main.tf b/modules/kubernetes/oauth-proxy/main.tf index f4f5149d..0f46bb02 100644 --- a/modules/kubernetes/oauth-proxy/main.tf +++ b/modules/kubernetes/oauth-proxy/main.tf 
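Review bot: In the ingress_factory hunk at `-145,11 +161,14`, the plugin key changes from `rewritebody` to `rewrite-body`, but nothing in this patch shows the matching plugin registration in Traefik's static configuration. If that name does not match, the Middleware will presumably fail to load, and every ingress created with `rybbit_site_id` references it in its middleware chain, so the blog, Immich, wrongmove and rybbit routers would be affected together. I would add a comment next to the key, `# must match the plugin name registered in Traefik's static configuration`, and confirm the registration was renamed in the same rollout. The `regex` and `replacement` values appear as empty strings on this page, so the injected snippet itself could not be reviewed.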
@@ -210,39 +210,11 @@ resource "kubernetes_service" "oauth_proxy" { } } -resource "kubernetes_ingress_v1" "oauth" { - metadata { - name = "oauth2" - namespace = "oauth2" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["oauth2.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "oauth2.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "oauth2" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = "oauth2" + name = "oauth2" + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/openid_help_page/main.tf b/modules/kubernetes/openid_help_page/main.tf index 5aa72783..59151979 100644 --- a/modules/kubernetes/openid_help_page/main.tf +++ b/modules/kubernetes/openid_help_page/main.tf 
@@ -78,37 +78,10 @@ resource "kubernetes_service" "openid_help_page" { } } -resource "kubernetes_ingress_v1" "openid_help_page" { - metadata { - name = "openid-help-page" - namespace = "openid-help-page" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["kubectl.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "kubectl.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "openid-help-page" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = "openid-help-page" + name = "openid-help-page" + host = "kubectl" + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/real-estate-crawler/main.tf b/modules/kubernetes/real-estate-crawler/main.tf index 450b2e26..bd885402 100644 --- a/modules/kubernetes/real-estate-crawler/main.tf +++ b/modules/kubernetes/real-estate-crawler/main.tf @@ -89,14 +89,6 @@ resource "kubernetes_service" "realestate-crawler-ui" { } } } -# module "ingress" { -# source = "../ingress_factory" -# namespace = kubernetes_namespace.realestate-crawler.metadata[0].name -# name = "wrongmove" -# service_name = "realestate-crawler-ui" -# tls_secret_name = var.tls_secret_name -# protected = true -# } resource "kubernetes_deployment" "realestate-crawler-api" { metadata { 
@@ -228,60 +220,24 @@ resource "kubernetes_service" "realestate-crawler-api" { } } } -# module "ingress-api" { -# source = "../ingress_factory" -# namespace = kubernetes_namespace.realestate-crawler.metadata[0].name -# name = "wrongmove-api" -# service_name = "realestate-crawler-api" -# tls_secret_name = var.tls_secret_name -# } -resource "kubernetes_ingress_v1" "proxied-ingress" { - metadata { - name = "realestate-crawler" - namespace = kubernetes_namespace.realestate-crawler.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,realestate-crawler-rybbit-analytics@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.realestate-crawler.metadata[0].name + name = "wrongmove" + service_name = "realestate-crawler-ui" + tls_secret_name = var.tls_secret_name + rybbit_site_id = "edee05de453d" +} - spec { - ingress_class_name = "traefik" - tls { - hosts = ["wrongmove.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "wrongmove.viktorbarzin.me" - http { - path { - path = "/" - path_type = "Prefix" - backend { - service { - name = "realestate-crawler-ui" - port { - number = 80 - } - } - } - } - path { - path = "/api" - path_type = "Prefix" - backend { - service { - name = "realestate-crawler-api" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress-api" { + source = "../ingress_factory" + namespace = kubernetes_namespace.realestate-crawler.metadata[0].name + name = "wrongmove-api" + host = "wrongmove" + service_name = "realestate-crawler-api" + ingress_path = ["/api"] + tls_secret_name = var.tls_secret_name } 
@@ -490,25 +446,3 @@ resource "kubernetes_cron_job_v1" "scrape-rightmove" { } } } - -# Rybbit analytics middleware for real-estate-crawler -resource "kubernetes_manifest" "rybbit_analytics" { - manifest = { - apiVersion = "traefik.io/v1alpha1" - kind = "Middleware" - metadata = { - name = "rybbit-analytics" - namespace = kubernetes_namespace.realestate-crawler.metadata[0].name - } - spec = { - plugin = { - rewritebody = { - rewrites = [{ - regex = "" - replacement = "" - }] - } - } - } - } -} diff --git a/modules/kubernetes/rybbit/main.tf b/modules/kubernetes/rybbit/main.tf index ddce51ba..5df5ba56 100644 --- a/modules/kubernetes/rybbit/main.tf +++ b/modules/kubernetes/rybbit/main.tf 
@@ -286,79 +286,21 @@ resource "kubernetes_service" "rybbit-client" { } } - -resource "kubernetes_ingress_v1" "rybbit" { - metadata { - name = "rybbit" - namespace = kubernetes_namespace.rybbit.metadata[0].name - - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,rybbit-rybbit-analytics@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["rybbit.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "rybbit.viktorbarzin.me" - - http { - # API backend - path { - path = "/api" - path_type = "Prefix" - backend { - service { - name = "rybbit" - port { - number = 80 - } - } - } - } - - # Frontend - path { - path = "/" - path_type = "Prefix" - - backend { - service { - name = "rybbit-client" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.rybbit.metadata[0].name + name = "rybbit" + service_name = "rybbit-client" + tls_secret_name = var.tls_secret_name + rybbit_site_id = "3c476801a777" } -# Rybbit analytics middleware for self-tracking -resource "kubernetes_manifest" "rybbit_analytics" { - manifest = { - apiVersion = "traefik.io/v1alpha1" - kind = "Middleware" - metadata = { - name = "rybbit-analytics" - namespace = kubernetes_namespace.rybbit.metadata[0].name - } - spec = { - plugin = { - rewritebody = { - rewrites = [{ - regex = "" - replacement = "" - }] - } - } - } - } +module "ingress-api" { + source = "../ingress_factory" + namespace = kubernetes_namespace.rybbit.metadata[0].name + name = "rybbit-api" + host = "rybbit" + service_name = "rybbit" + ingress_path = ["/api"] + tls_secret_name = var.tls_secret_name } 
diff --git a/modules/kubernetes/servarr/readarr/main.tf b/modules/kubernetes/servarr/readarr/main.tf index 23f8844e..91cb12ad 100644 --- a/modules/kubernetes/servarr/readarr/main.tf +++ b/modules/kubernetes/servarr/readarr/main.tf @@ -118,37 +118,11 @@ resource "kubernetes_service" "readarr" { } } -resource "kubernetes_ingress_v1" "readarr" { - metadata { - name = "readarr" - namespace = "readarr" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["readarr.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "readarr.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "readarr" - port { - number = 8787 - } - } - } - } - } - } - } +module "ingress" { + source = "../../ingress_factory" + namespace = "readarr" + name = "readarr" + port = 8787 + tls_secret_name = var.tls_secret_name + protected = true } diff --git a/modules/kubernetes/vikunja/main.tf b/modules/kubernetes/vikunja/main.tf index b0b1664e..1936ab66 100644 --- a/modules/kubernetes/vikunja/main.tf +++ b/modules/kubernetes/vikunja/main.tf 
@@ -195,49 +195,22 @@ resource "kubernetes_service" "api" { } } -resource "kubernetes_ingress_v1" "vikunja" { - metadata { - name = "vikunja" - namespace = kubernetes_namespace.vikunja.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["todo.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "todo.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "vikunja" - port { - number = 80 - } - } - } - } - path { - path = "/api/" - backend { - service { - name = "api" - port { - number = 3456 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.vikunja.metadata[0].name + name = "vikunja" + host = "todo" + tls_secret_name = var.tls_secret_name +} + +module "ingress-api" { + source = "../ingress_factory" + namespace = kubernetes_namespace.vikunja.metadata[0].name + name = "vikunja-api" + host = "todo" + service_name = "api" + port = 3456 + ingress_path = ["/api/"] + tls_secret_name = var.tls_secret_name } diff --git a/modules/kubernetes/webhook_handler/main.tf b/modules/kubernetes/webhook_handler/main.tf index c449e7f6..5e742ab9 100644 --- a/modules/kubernetes/webhook_handler/main.tf +++ b/modules/kubernetes/webhook_handler/main.tf 
@@ -189,37 +189,10 @@ resource "kubernetes_service" "webhook_handler" { } } -resource "kubernetes_ingress_v1" "webhook_handler" { - metadata { - name = "webhook-handler-ingress" - namespace = kubernetes_namespace.webhook-handler.metadata[0].name - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["webhook.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "webhook.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "webhook-handler" - port { - number = 80 - } - } - } - } - } - } - } +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.webhook-handler.metadata[0].name + name = "webhook-handler" + host = "webhook" + tls_secret_name = var.tls_secret_name }