66f1e2ea3b
The previous init container incorrectly disabled TLSOffload, causing MeshCentral to serve HTTPS on port 443. Traefik connects via HTTP, resulting in protocol mismatch and 500 errors. Fix ensures TLSOffload is always enabled so MeshCentral serves plain HTTP behind Traefik.
249 lines
6.6 KiB
HCL
249 lines
6.6 KiB
HCL
variable "tls_secret_name" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "nfs_server" { type = string }
|
|
|
|
|
|
resource "kubernetes_namespace" "meshcentral" {
|
|
metadata {
|
|
name = "meshcentral"
|
|
labels = {
|
|
"istio-injection" : "disabled"
|
|
tier = local.tiers.aux
|
|
}
|
|
}
|
|
}
|
|
|
|
module "tls_secret" {
|
|
source = "../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_persistent_volume_claim" "data_proxmox" {
|
|
wait_until_bound = false
|
|
metadata {
|
|
name = "meshcentral-data-proxmox"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
annotations = {
|
|
"resize.topolvm.io/threshold" = "80%"
|
|
"resize.topolvm.io/increase" = "100%"
|
|
"resize.topolvm.io/storage_limit" = "5Gi"
|
|
}
|
|
}
|
|
spec {
|
|
access_modes = ["ReadWriteOnce"]
|
|
storage_class_name = "proxmox-lvm"
|
|
resources {
|
|
requests = {
|
|
storage = "1Gi"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_persistent_volume_claim" "files_proxmox" {
|
|
wait_until_bound = false
|
|
metadata {
|
|
name = "meshcentral-files-proxmox"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
annotations = {
|
|
"resize.topolvm.io/threshold" = "80%"
|
|
"resize.topolvm.io/increase" = "100%"
|
|
"resize.topolvm.io/storage_limit" = "5Gi"
|
|
}
|
|
}
|
|
spec {
|
|
access_modes = ["ReadWriteOnce"]
|
|
storage_class_name = "proxmox-lvm"
|
|
resources {
|
|
requests = {
|
|
storage = "1Gi"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
module "nfs_backups" {
|
|
source = "../../modules/kubernetes/nfs_volume"
|
|
name = "meshcentral-backups"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
nfs_server = var.nfs_server
|
|
nfs_path = "/mnt/main/meshcentral/meshcentral-backups"
|
|
}
|
|
|
|
resource "kubernetes_deployment" "meshcentral" {
|
|
metadata {
|
|
name = "meshcentral"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
labels = {
|
|
app = "meshcentral"
|
|
tier = local.tiers.aux
|
|
}
|
|
annotations = {
|
|
"reloader.stakater.com/search" = "true"
|
|
"meshcentral.enable" = "true"
|
|
}
|
|
}
|
|
spec {
|
|
replicas = 1
|
|
strategy {
|
|
type = "Recreate"
|
|
}
|
|
selector {
|
|
match_labels = {
|
|
app = "meshcentral"
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "meshcentral"
|
|
}
|
|
annotations = {
|
|
"diun.enable" = "true"
|
|
"diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$,latest"
|
|
}
|
|
}
|
|
spec {
|
|
|
|
init_container {
|
|
name = "fix-config"
|
|
image = "alpine:latest"
|
|
image_pull_policy = "IfNotPresent"
|
|
command = ["/bin/sh"]
|
|
args = ["-c", <<-EOT
|
|
if [ -f /opt/meshcentral/meshcentral-data/config.json ]; then
|
|
# Disable certUrl when using Traefik reverse proxy with TLS offload
|
|
sed -i 's/"certUrl":/"_certUrl":/g' /opt/meshcentral/meshcentral-data/config.json
|
|
|
|
# Fix WebRTC value from string to boolean
|
|
sed -i 's/"WebRTC": "[^"]*"/"WebRTC": false/g' /opt/meshcentral/meshcentral-data/config.json
|
|
|
|
# Ensure TLSOffload is enabled (Traefik terminates TLS, MeshCentral serves HTTP on 443)
|
|
# Re-enable if previously disabled by restoring _TLSOffload back to TLSOffload
|
|
sed -i 's/"_TLSOffload":/"TLSOffload":/g' /opt/meshcentral/meshcentral-data/config.json
|
|
# Set TLSOffload to true (accepts any reverse proxy)
|
|
sed -i 's/"TLSOffload": "[^"]*"/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
|
|
sed -i 's/"TLSOffload": false/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
|
|
fi
|
|
EOT
|
|
]
|
|
volume_mount {
|
|
name = "data"
|
|
mount_path = "/opt/meshcentral/meshcentral-data"
|
|
}
|
|
}
|
|
|
|
container {
|
|
image = "typhonragewind/meshcentral:latest"
|
|
name = "meshcentral"
|
|
port {
|
|
name = "http"
|
|
container_port = 443
|
|
}
|
|
env {
|
|
name = "TZ"
|
|
value = "Europe/Sofia"
|
|
}
|
|
env {
|
|
name = "HOSTNAME"
|
|
value = "meshcentral.viktorbarzin.me"
|
|
}
|
|
env {
|
|
name = "REVERSE_PROXY"
|
|
value = "true"
|
|
}
|
|
env {
|
|
name = "ALLOW_NEW_ACCOUNTS"
|
|
value = "false"
|
|
}
|
|
env {
|
|
name = "WEBRTC"
|
|
value = "false"
|
|
}
|
|
|
|
volume_mount {
|
|
name = "data"
|
|
mount_path = "/opt/meshcentral/meshcentral-data"
|
|
}
|
|
volume_mount {
|
|
name = "files"
|
|
mount_path = "/opt/meshcentral/meshcentral-files"
|
|
}
|
|
resources {
|
|
requests = {
|
|
cpu = "15m"
|
|
memory = "256Mi"
|
|
}
|
|
limits = {
|
|
memory = "256Mi"
|
|
}
|
|
}
|
|
volume_mount {
|
|
name = "backups"
|
|
mount_path = "/opt/meshcentral/meshcentral-backups"
|
|
}
|
|
}
|
|
volume {
|
|
name = "data"
|
|
persistent_volume_claim {
|
|
claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name
|
|
}
|
|
}
|
|
volume {
|
|
name = "files"
|
|
persistent_volume_claim {
|
|
claim_name = kubernetes_persistent_volume_claim.files_proxmox.metadata[0].name
|
|
}
|
|
}
|
|
volume {
|
|
name = "backups"
|
|
persistent_volume_claim {
|
|
claim_name = module.nfs_backups.claim_name
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
resource "kubernetes_service" "meshcentral" {
|
|
metadata {
|
|
name = "meshcentral"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
labels = {
|
|
"app" = "meshcentral"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "meshcentral"
|
|
}
|
|
port {
|
|
name = "http"
|
|
port = 443
|
|
protocol = "TCP"
|
|
}
|
|
}
|
|
}
|
|
|
|
module "ingress" {
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
namespace = kubernetes_namespace.meshcentral.metadata[0].name
|
|
name = "meshcentral"
|
|
tls_secret_name = var.tls_secret_name
|
|
port = 443
|
|
protected = true
|
|
extra_annotations = {
|
|
"gethomepage.dev/enabled" = "true"
|
|
"gethomepage.dev/name" = "MeshCentral"
|
|
"gethomepage.dev/description" = "Remote management"
|
|
"gethomepage.dev/icon" = "meshcentral.png"
|
|
"gethomepage.dev/group" = "Infrastructure"
|
|
"gethomepage.dev/pod-selector" = ""
|
|
}
|
|
}
|