state(monitoring): update encrypted state
This commit is contained in:
parent
d41211ddd5
commit
878b556179
4 changed files with 48 additions and 7 deletions
|
|
@ -73,7 +73,7 @@ variable "skip_default_rate_limit" {
|
||||||
}
|
}
|
||||||
variable "anti_ai_scraping" {
|
variable "anti_ai_scraping" {
|
||||||
type = bool
|
type = bool
|
||||||
default = true
|
default = null # null = auto (enabled when not protected, disabled when protected)
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "homepage_group" {
|
variable "homepage_group" {
|
||||||
|
|
@ -87,7 +87,8 @@ variable "homepage_enabled" {
|
||||||
}
|
}
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}"
|
effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}"
|
||||||
|
effective_anti_ai = var.anti_ai_scraping != null ? var.anti_ai_scraping : !var.protected
|
||||||
|
|
||||||
ns_to_group = {
|
ns_to_group = {
|
||||||
monitoring = "Infrastructure"
|
monitoring = "Infrastructure"
|
||||||
|
|
@ -165,10 +166,10 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
||||||
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
||||||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||||
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
|
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
|
||||||
var.anti_ai_scraping ? "traefik-ai-bot-block@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
|
||||||
var.anti_ai_scraping ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
||||||
var.anti_ai_scraping ? "traefik-strip-accept-encoding@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-strip-accept-encoding@kubernetescrd" : null,
|
||||||
var.anti_ai_scraping ? "traefik-anti-ai-trap-links@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-anti-ai-trap-links@kubernetescrd" : null,
|
||||||
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
||||||
var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
|
var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
|
||||||
var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
|
var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
|
||||||
|
|
|
||||||
|
|
@ -1357,9 +1357,16 @@ serverFiles:
|
||||||
expr: (traefik_tls_certs_not_after - time()) / 86400 < 7
|
expr: (traefik_tls_certs_not_after - time()) / 86400 < 7
|
||||||
for: 1h
|
for: 1h
|
||||||
labels:
|
labels:
|
||||||
severity: warning
|
severity: critical
|
||||||
annotations:
|
annotations:
|
||||||
summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days"
|
summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days"
|
||||||
|
- alert: TLSCertRenewalOverdue
|
||||||
|
expr: (traefik_tls_certs_not_after - time()) / 86400 < 30
|
||||||
|
for: 1h
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days — renewal may have failed (LE certs valid 90d, renewed at 60d)"
|
||||||
- alert: TraefikHighOpenConnections
|
- alert: TraefikHighOpenConnections
|
||||||
expr: sum(traefik_service_open_connections) by (service) > 500
|
expr: sum(traefik_service_open_connections) by (service) > 500
|
||||||
for: 5m
|
for: 5m
|
||||||
|
|
|
||||||
|
|
@ -139,6 +139,25 @@ resource "kubernetes_manifest" "middleware_error_pages" {
|
||||||
depends_on = [helm_release.traefik, kubernetes_service.error_pages]
|
depends_on = [helm_release.traefik, kubernetes_service.error_pages]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Default TLSStore — serves wildcard cert for unknown hosts instead of self-signed fallback
|
||||||
|
resource "kubernetes_manifest" "tlsstore_default" {
|
||||||
|
manifest = {
|
||||||
|
apiVersion = "traefik.io/v1alpha1"
|
||||||
|
kind = "TLSStore"
|
||||||
|
metadata = {
|
||||||
|
name = "default"
|
||||||
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
||||||
|
}
|
||||||
|
spec = {
|
||||||
|
defaultCertificate = {
|
||||||
|
secretName = var.tls_secret_name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
depends_on = [helm_release.traefik, module.tls_secret]
|
||||||
|
}
|
||||||
|
|
||||||
# Catch-all IngressRoute — serves 404 for unknown hosts (lowest priority)
|
# Catch-all IngressRoute — serves 404 for unknown hosts (lowest priority)
|
||||||
resource "kubernetes_manifest" "ingressroute_catchall" {
|
resource "kubernetes_manifest" "ingressroute_catchall" {
|
||||||
manifest = {
|
manifest = {
|
||||||
|
|
|
||||||
|
|
@ -34,6 +34,14 @@ resource "helm_release" "traefik" {
|
||||||
values = [yamlencode({
|
values = [yamlencode({
|
||||||
deployment = {
|
deployment = {
|
||||||
replicas = 3
|
replicas = 3
|
||||||
|
terminationGracePeriodSeconds = 60
|
||||||
|
lifecycle = {
|
||||||
|
preStop = {
|
||||||
|
exec = {
|
||||||
|
command = ["/bin/sh", "-c", "sleep 15"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
podAnnotations = {
|
podAnnotations = {
|
||||||
"diun.enable" = "true"
|
"diun.enable" = "true"
|
||||||
"diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$"
|
"diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$"
|
||||||
|
|
@ -193,6 +201,12 @@ resource "helm_release" "traefik" {
|
||||||
"--serversTransport.forwardingTimeouts.dialTimeout=60s",
|
"--serversTransport.forwardingTimeouts.dialTimeout=60s",
|
||||||
"--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s",
|
"--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s",
|
||||||
"--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
|
"--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
|
||||||
|
# Increase backend connection pool (default maxIdleConnsPerHost=2 is too low)
|
||||||
|
"--serversTransport.maxIdleConnsPerHost=100",
|
||||||
|
# Explicit entrypoint timeouts to bound tail latency from slow clients
|
||||||
|
"--entryPoints.websecure.transport.respondingTimeouts.readTimeout=60s",
|
||||||
|
"--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=60s",
|
||||||
|
"--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=180s",
|
||||||
# Use forwarded headers from trusted proxies
|
# Use forwarded headers from trusted proxies
|
||||||
"--entryPoints.websecure.forwardedHeaders.insecure=false",
|
"--entryPoints.websecure.forwardedHeaders.insecure=false",
|
||||||
"--entryPoints.web.forwardedHeaders.insecure=false",
|
"--entryPoints.web.forwardedHeaders.insecure=false",
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue