state(monitoring): update encrypted state

This commit is contained in:
Viktor Barzin 2026-03-29 01:04:11 +02:00
parent d41211ddd5
commit 878b556179
4 changed files with 48 additions and 7 deletions

View file

@ -73,7 +73,7 @@ variable "skip_default_rate_limit" {
} }
variable "anti_ai_scraping" { variable "anti_ai_scraping" {
type = bool type = bool
default = true default = null # null = auto (enabled when not protected, disabled when protected)
} }
variable "homepage_group" { variable "homepage_group" {
@ -87,7 +87,8 @@ variable "homepage_enabled" {
} }
locals { locals {
effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}" effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}"
effective_anti_ai = var.anti_ai_scraping != null ? var.anti_ai_scraping : !var.protected
ns_to_group = { ns_to_group = {
monitoring = "Infrastructure" monitoring = "Infrastructure"
@ -165,10 +166,10 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd", var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd", var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
var.anti_ai_scraping ? "traefik-ai-bot-block@kubernetescrd" : null, local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
var.anti_ai_scraping ? "traefik-anti-ai-headers@kubernetescrd" : null, local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
var.anti_ai_scraping ? "traefik-strip-accept-encoding@kubernetescrd" : null, local.effective_anti_ai ? "traefik-strip-accept-encoding@kubernetescrd" : null,
var.anti_ai_scraping ? "traefik-anti-ai-trap-links@kubernetescrd" : null, local.effective_anti_ai ? "traefik-anti-ai-trap-links@kubernetescrd" : null,
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null, var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null, var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null, var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,

View file

@ -1357,9 +1357,16 @@ serverFiles:
expr: (traefik_tls_certs_not_after - time()) / 86400 < 7 expr: (traefik_tls_certs_not_after - time()) / 86400 < 7
for: 1h for: 1h
labels: labels:
severity: warning severity: critical
annotations: annotations:
summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days" summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days"
- alert: TLSCertRenewalOverdue
expr: (traefik_tls_certs_not_after - time()) / 86400 < 30
for: 1h
labels:
severity: warning
annotations:
summary: "TLS cert {{ $labels.cn }} expires in {{ $value | printf \"%.0f\" }} days — renewal may have failed (LE certs valid 90d, renewed at 60d)"
- alert: TraefikHighOpenConnections - alert: TraefikHighOpenConnections
expr: sum(traefik_service_open_connections) by (service) > 500 expr: sum(traefik_service_open_connections) by (service) > 500
for: 5m for: 5m

View file

@ -139,6 +139,25 @@ resource "kubernetes_manifest" "middleware_error_pages" {
depends_on = [helm_release.traefik, kubernetes_service.error_pages] depends_on = [helm_release.traefik, kubernetes_service.error_pages]
} }
# Default TLSStore serves wildcard cert for unknown hosts instead of self-signed fallback
resource "kubernetes_manifest" "tlsstore_default" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "TLSStore"
metadata = {
name = "default"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
defaultCertificate = {
secretName = var.tls_secret_name
}
}
}
depends_on = [helm_release.traefik, module.tls_secret]
}
# Catch-all IngressRoute serves 404 for unknown hosts (lowest priority) # Catch-all IngressRoute serves 404 for unknown hosts (lowest priority)
resource "kubernetes_manifest" "ingressroute_catchall" { resource "kubernetes_manifest" "ingressroute_catchall" {
manifest = { manifest = {

View file

@ -34,6 +34,14 @@ resource "helm_release" "traefik" {
values = [yamlencode({ values = [yamlencode({
deployment = { deployment = {
replicas = 3 replicas = 3
terminationGracePeriodSeconds = 60
lifecycle = {
preStop = {
exec = {
command = ["/bin/sh", "-c", "sleep 15"]
}
}
}
podAnnotations = { podAnnotations = {
"diun.enable" = "true" "diun.enable" = "true"
"diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$" "diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$"
@ -193,6 +201,12 @@ resource "helm_release" "traefik" {
"--serversTransport.forwardingTimeouts.dialTimeout=60s", "--serversTransport.forwardingTimeouts.dialTimeout=60s",
"--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s", "--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s",
"--serversTransport.forwardingTimeouts.idleConnTimeout=90s", "--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
# Increase backend connection pool (default maxIdleConnsPerHost=2 is too low)
"--serversTransport.maxIdleConnsPerHost=100",
# Explicit entrypoint timeouts to bound tail latency from slow clients
"--entryPoints.websecure.transport.respondingTimeouts.readTimeout=60s",
"--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=60s",
"--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=180s",
# Use forwarded headers from trusted proxies # Use forwarded headers from trusted proxies
"--entryPoints.websecure.forwardedHeaders.insecure=false", "--entryPoints.websecure.forwardedHeaders.insecure=false",
"--entryPoints.web.forwardedHeaders.insecure=false", "--entryPoints.web.forwardedHeaders.insecure=false",