state(monitoring): update encrypted state

2026-03-29 01:04:11 +02:00 · 2026-03-29 01:04:11 +02:00 · 878b556179
commit 878b556179
parent d41211ddd5
4 changed files with 48 additions and 7 deletions
--- a/stacks/traefik/modules/traefik/error-pages.tf
+++ b/stacks/traefik/modules/traefik/error-pages.tf
@ -139,6 +139,25 @@ resource "kubernetes_manifest" "middleware_error_pages" {
  depends_on = [helm_release.traefik, kubernetes_service.error_pages]
 }

+# Default TLSStore — serves wildcard cert for unknown hosts instead of self-signed fallback
+resource "kubernetes_manifest" "tlsstore_default" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "TLSStore"
+    metadata = {
+      name      = "default"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      defaultCertificate = {
+        secretName = var.tls_secret_name
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik, module.tls_secret]
+}
+
 # Catch-all IngressRoute — serves 404 for unknown hosts (lowest priority)
 resource "kubernetes_manifest" "ingressroute_catchall" {
  manifest = {
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@ -34,6 +34,14 @@ resource "helm_release" "traefik" {
  values = [yamlencode({
    deployment = {
      replicas = 3
+      terminationGracePeriodSeconds = 60
+      lifecycle = {
+        preStop = {
+          exec = {
+            command = ["/bin/sh", "-c", "sleep 15"]
+          }
+        }
+      }
      podAnnotations = {
        "diun.enable"       = "true"
        "diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$"
@ -193,6 +201,12 @@ resource "helm_release" "traefik" {
      "--serversTransport.forwardingTimeouts.dialTimeout=60s",
      "--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s",
      "--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
+      # Increase backend connection pool (default maxIdleConnsPerHost=2 is too low)
+      "--serversTransport.maxIdleConnsPerHost=100",
+      # Explicit entrypoint timeouts to bound tail latency from slow clients
+      "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=60s",
+      "--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=60s",
+      "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=180s",
      # Use forwarded headers from trusted proxies
      "--entryPoints.websecure.forwardedHeaders.insecure=false",
      "--entryPoints.web.forwardedHeaders.insecure=false",