viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

[ci skip] Fix HTTPS backend proxying for reverse-proxy services

Browse source 
- Add insecureSkipVerify=true globally for self-signed backend certs
- Name service ports with https- prefix for HTTPS backends so Traefik uses HTTPS
- Add ServersTransport CRD for per-service insecureSkipVerify
- Add serversscheme/serverstransport annotations to reverse-proxy factory
This commit is contained in:
Viktor Barzin 2026-02-07 13:56:24 +00:00
parent 4d0d2a3568
commit d4cf63dce9
No known key found for this signature in database
GPG key ID: 0EB088298288D958
3 changed files with 23 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/kubernetes/reverse_proxy/factory/main.tf
View file

@ -49,7 +49,7 @@ resource "kubernetes_service" "proxied-service" {
external_name = var.external_name external_name = var.external_name
port { port {
name = "${var.name}-web" name = var.backend_protocol == "HTTPS" ? "https-${var.name}" : "${var.name}-web"
port = var.port port = var.port
protocol = "TCP" protocol = "TCP"
target_port = var.port target_port = var.port
@ -70,7 +70,9 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null, var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null, var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
])) ]))
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
"traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
"traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
}, var.extra_annotations) }, var.extra_annotations)
} }

2
modules/kubernetes/traefik/main.tf
View file

@ -142,6 +142,8 @@ resource "helm_release" "traefik" {
"--api.insecure=true", "--api.insecure=true",
"--global.checknewversion=false", "--global.checknewversion=false",
"--global.sendanonymoususage=false", "--global.sendanonymoususage=false",
# Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.)
"--serversTransport.insecureSkipVerify=true",
# Increase timeouts for services like Immich # Increase timeouts for services like Immich
"--serversTransport.forwardingTimeouts.dialTimeout=60s", "--serversTransport.forwardingTimeouts.dialTimeout=60s",
"--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s", "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s",

17
modules/kubernetes/traefik/middleware.tf
View file

@ -156,6 +156,23 @@ resource "kubernetes_manifest" "tls_option_mtls" {
depends_on = [helm_release.traefik] depends_on = [helm_release.traefik]
} }
# ServersTransport for backends with self-signed certificates
resource "kubernetes_manifest" "servers_transport_insecure" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "ServersTransport"
metadata = {
name = "insecure-skip-verify"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
insecureSkipVerify = true
}
}
depends_on = [helm_release.traefik]
}
# Immich-specific rate limit (higher limits for photo uploads) # Immich-specific rate limit (higher limits for photo uploads)
resource "kubernetes_manifest" "middleware_immich_rate_limit" { resource "kubernetes_manifest" "middleware_immich_rate_limit" {
manifest = { manifest = {