Migrate all service modules from nginx-ingress to Traefik

- Remove nginx-specific ingress variables (use_proxy_protocol, proxy_timeout, additional_configuration_snippet) - Update ingress annotations to use Traefik middleware CRDs - Delete nginx-ingress module (replaced by traefik) - Add new traefik middleware.tf for shared middleware definitions - Update service modules to work with new ingress_factory interface
2026-02-07 13:25:49 +00:00 · 2026-02-07 13:25:49 +00:00 · c32acc70e6
commit c32acc70e6
parent 0315dd4044
53 changed files with 534 additions and 1714 deletions
--- a/modules/kubernetes/rybbit/main.tf
+++ b/modules/kubernetes/rybbit/main.tf
@ -293,35 +293,13 @@ resource "kubernetes_ingress_v1" "rybbit" {
    namespace = kubernetes_namespace.rybbit.metadata[0].name

    annotations = {
-      "kubernetes.io/ingress.class"           = "nginx"
-      "nginx.ingress.kubernetes.io/use-regex" = "true"
-      # Optional: enable SSL redirect
-      #"nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
-
-      "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
-        limit_req_status 429;
-        limit_conn_status 429;
-
-        # Rybbit Analytics
-        # Only modify HTML
-        sub_filter_types text/html;
-        sub_filter_once off;
-
-        # Disable compression so sub_filter works
-        proxy_set_header Accept-Encoding "";
-
-        # Inject analytics before </head>
-        sub_filter '</head>' '
-        <script src="https://rybbit.viktorbarzin.me/api/script.js"
-              data-site-id="3c476801a777"
-              defer></script> 
-        </head>';
-      EOF
+      "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,rybbit-rybbit-analytics@kubernetescrd"
+      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
    }
  }

  spec {
-    ingress_class_name = "nginx"
+    ingress_class_name = "traefik"
    tls {
      hosts       = ["rybbit.viktorbarzin.me"]
      secret_name = var.tls_secret_name
@ -332,7 +310,8 @@ resource "kubernetes_ingress_v1" "rybbit" {
      http {
        # API backend
        path {
-          path = "/api(/|$)(.*)"
+          path      = "/api"
+          path_type = "Prefix"
          backend {
            service {
              name = "rybbit"
@ -361,3 +340,25 @@ resource "kubernetes_ingress_v1" "rybbit" {
    }
  }
 }
+
+# Rybbit analytics middleware for self-tracking
+resource "kubernetes_manifest" "rybbit_analytics" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "rybbit-analytics"
+      namespace = kubernetes_namespace.rybbit.metadata[0].name
+    }
+    spec = {
+      plugin = {
+        rewritebody = {
+          rewrites = [{
+            regex       = "</head>"
+            replacement = "<script src=\"https://rybbit.viktorbarzin.me/api/script.js\" data-site-id=\"3c476801a777\" defer></script></head>"
+          }]
+        }
+      }
+    }
+  }
+}