traefik example

examples/nginx/README.md

@@ -1,6 +1,6 @@
 ## nginx custom routing example
 
-Creates an nginx proxy which routes traffic to different internally accessable workloads for different request paths.
+Creates an nginx proxy which routes traffic to different internally accessible workloads for different request paths.
 
 ### Default Routing Rules
 

examples/traefik/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: traefik
+description: A traefik helm chart for Control Plane
+type: application
+version: 0.1.0
+appVersion: "1.0.0"

examples/traefik/README.md

@@ -0,0 +1,54 @@
+## Traefik custom routing example
+
+Creates a Traefik proxy which routes traffic to different internally accessible workloads for different request paths.
+
+### Default Routing Rules
+
+- all requests starting with `/foo` -> `foo` workload
+- all requests starting with `/bar` -> `bar` workload
+- all requests starting with `/ping` -> 200
+
+### Default passwords
+
+A middleware plugin [Basic Auth](https://doc.traefik.io/traefik/middlewares/http/basicauth/), is used in the example with the following user password combinations.
+- test1:test1
+- test2:test2
+
+### Steps to run this example:
+
+**HELM**
+
+The [Helm CLI](https://helm.sh/docs/intro/install/#through-package-managers) must be installed.
+
+1. Clone this repo and update the `values.yaml` file as needed.
+
+2. If the GVC does not exist, create it and select location(s).
+
+   ```bash
+   cpln gvc create --name traefik-example --location aws-us-west-2
+   ```
+
+3. Run the command below from this directory.
+
+   ```bash
+   cpln helm install traefik-example --gvc traefik-example
+
+   ```
+
+4. Inspect the workloads and access the external endpoint of the traefik workload.
+
+   1. Notice how authentication is enforced on the /foo and /bar endpoints.
+
+   2. Traffic is routed through the Traefik workload and forwarded to the internally accessible services.
+
+   2. All endpoints use tls by default.
+
+   3. Internal service to service communication uses mutual tls with a verified client certificate.
+
+### Cleanup
+
+**HELM**
+
+```bash
+cpln helm uninstall traefik-example
+```

examples/traefik/templates/cpln.yaml

@@ -0,0 +1,88 @@
+kind: identity
+name: {{ .Values.traefik.name }}-identity
+description: {{ .Values.traefik.name }}-identity
+tags: {}
+---
+kind: policy
+name: {{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-policy
+tags: {}
+origin: default
+bindings:
+  - permissions:
+      - reveal
+    principalLinks:
+      - //gvc/{{ .Values.cpln.gvc }}/identity/{{ .Values.traefik.name }}-identity
+targetKind: secret
+targetLinks:
+  - //secret/{{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-dynamic1-conf
+  - //secret/{{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-conf
+---
+kind: workload
+name: {{ .Values.traefik.name }}
+description: {{ .Values.traefik.name }}
+spec:
+  type: standard
+  containers:
+    - name: traefik
+      cpu: {{ .Values.traefik.cpu }}
+      image: {{ .Values.traefik.image }}
+      inheritEnv: false
+      livenessProbe:
+        failureThreshold: 3
+        httpGet:
+          httpHeaders: []
+          path: /ping
+          port: 80
+          scheme: HTTP
+        initialDelaySeconds: 50
+        periodSeconds: 10
+        successThreshold: 1
+        timeoutSeconds: 2
+      memory: {{ .Values.traefik.memory }}
+      ports:
+        - number: 80
+          protocol: http
+      readinessProbe:
+        failureThreshold: 12
+        httpGet:
+          httpHeaders: []
+          path: /ping
+          port: 80
+          scheme: HTTP
+        initialDelaySeconds: 0
+        periodSeconds: 5
+        successThreshold: 1
+        timeoutSeconds: 2
+      volumes:
+        - path: /etc/traefik/traefik.yml
+          recoveryPolicy: retain
+          uri: cpln://secret/{{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-conf
+        - path: /configurations/dynamic.yml
+          recoveryPolicy: retain
+          uri: cpln://secret/{{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-dynamic1-conf
+  defaultOptions:
+    autoscaling:
+      maxConcurrency: {{ .Values.traefik.autoscaling.maxConcurrency }}
+      maxScale: {{ .Values.traefik.autoscaling.maxScale }}
+      metric: cpu
+      minScale: {{ .Values.traefik.autoscaling.minScale }}
+      scaleToZeroDelay: 300
+      target: 50
+    capacityAI: {{ .Values.traefik.capacityAI }}
+    debug: false
+    suspend: {{ .Values.traefik.suspend }}
+    timeoutSeconds: 5
+{{- if .Values.traefik.firewall }}
+  firewallConfig:
+    {{- if or (hasKey .Values.traefik.firewall "external_inboundAllowCIDR") (hasKey .Values.traefik.firewall "external_outboundAllowCIDR") }}
+    external:
+      inboundAllowCIDR: {{- if .Values.traefik.firewall.external_inboundAllowCIDR }}{{ .Values.traefik.firewall.external_inboundAllowCIDR | splitList "," | toYaml | nindent 8 }}{{- else }} []{{- end }}
+      outboundAllowCIDR: {{- if .Values.traefik.firewall.external_outboundAllowCIDR }}{{ .Values.traefik.firewall.external_outboundAllowCIDR | splitList "," | toYaml | nindent 8 }}{{- else }} []{{- end }}
+    {{- end }}
+    {{- if hasKey .Values.traefik.firewall "internal_inboundAllowType" }}
+    internal:
+      inboundAllowType: {{ default "[]" .Values.traefik.firewall.internal_inboundAllowType }}
+    {{- end }}
+{{- end }}
+  identityLink: //identity/{{ .Values.traefik.name }}-identity
+  supportDynamicTags: false

examples/traefik/templates/foo-bar.yaml

@@ -0,0 +1,89 @@
+kind: workload
+name: foo
+description: foo
+spec:
+  type: standard
+  containers:
+    - name: nginx
+      cpu: 60m
+      image: nginx
+      inheritEnv: false
+      lifecycle:
+        postStart:
+          exec:
+            command:
+              - /bin/sh
+              - '-c'
+              - 'echo ''Hostname: ''${HOSTNAME} > /usr/share/nginx/html/index.html'
+      memory: 100Mi
+      ports:
+        - number: 80
+          protocol: http
+  defaultOptions:
+    autoscaling:
+      maxConcurrency: 0
+      maxScale: 1
+      metric: cpu
+      minScale: 1
+      scaleToZeroDelay: 300
+      target: 100
+    capacityAI: false
+    debug: false
+    suspend: false
+    timeoutSeconds: 5
+  firewallConfig:
+    external:
+      inboundAllowCIDR: []
+      outboundAllowCIDR:
+        - 0.0.0.0/0
+      outboundAllowHostname: []
+      outboundAllowPort: []
+    internal:
+      inboundAllowType: same-gvc
+      inboundAllowWorkload: []
+  supportDynamicTags: false
+---
+kind: workload
+name: bar
+description: bar
+spec:
+  type: standard
+  containers:
+    - name: nginx
+      cpu: 60m
+      image: nginx
+      inheritEnv: false
+      lifecycle:
+        postStart:
+          exec:
+            command:
+              - /bin/sh
+              - '-c'
+              - 'echo ''Hostname: ''${HOSTNAME} > /usr/share/nginx/html/index.html'
+      memory: 100Mi
+      ports:
+        - number: 80
+          protocol: http
+  defaultOptions:
+    autoscaling:
+      maxConcurrency: 0
+      maxScale: 1
+      metric: cpu
+      minScale: 1
+      scaleToZeroDelay: 300
+      target: 100
+    capacityAI: false
+    debug: false
+    suspend: false
+    timeoutSeconds: 5
+  firewallConfig:
+    external:
+      inboundAllowCIDR: []
+      outboundAllowCIDR:
+        - 0.0.0.0/0
+      outboundAllowHostname: []
+      outboundAllowPort: []
+    internal:
+      inboundAllowType: same-gvc
+      inboundAllowWorkload: []
+  supportDynamicTags: false

examples/traefik/templates/traefik.yaml

@@ -0,0 +1,21 @@
+kind: secret
+name: {{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-conf
+description: {{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-conf
+type: opaque
+data:
+  encoding: plain
+  payload: |
+    providers:
+      file:
+        directory: /configurations
+        watch: true
+
+    log:
+      level: DEBUG
+
+    entryPoints:
+      web:
+        address: ":80"
+
+    ping:
+      entryPoint: "web"

examples/traefik/templates/traefik_dynamic1.yaml

@@ -0,0 +1,51 @@
+kind: secret
+name: {{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-dynamic1-conf
+description: {{ .Values.traefik.name }}-{{ .Values.cpln.gvc }}-dynamic1-conf
+type: opaque
+data:
+  encoding: plain
+  payload: |
+    http:
+      routers:
+        router0:
+          service: service-bar
+          middlewares:
+          - bar-prefix
+          - test-auth
+          rule: "PathPrefix(`/bar`)"
+          entryPoints:
+          - web
+        router1:
+          service: service-foo
+          middlewares:
+          - foo-prefix
+          - test-auth
+          rule: "PathPrefix(`/foo`)"
+          entryPoints:
+          - web
+
+      middlewares:
+        test-auth:
+          basicAuth:
+            users:
+              - test1:$apr1$p9SmSOad$tXcx39CQ4Fj2h026/D3sU/
+              - test2:$apr1$4uHFePSe$RG6Mms2472kZwJpXOZOdz0
+        foo-prefix:
+          stripPrefix:
+            prefixes:
+            - /foo
+        bar-prefix:
+          stripPrefix:
+            prefixes:
+            - /bar
+
+      # Add the service
+      services:
+        service-foo:
+          loadBalancer:
+            servers:
+            - url: http://foo.{{ .Values.cpln.gvc }}.cpln.local:80/
+        service-bar:
+          loadBalancer:
+            servers:
+            - url: http://bar.{{ .Values.cpln.gvc }}.cpln.local:80/

examples/traefik/values.yaml

@@ -0,0 +1,20 @@
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+traefik:
+  image: traefik:v3.1.0
+  capacityAI: false
+  suspend: false
+  name: traefik # Choose a unique name in the GVC you are deploying to
+  replicas: 2
+  cpu: 100m
+  memory: 150Mi # Gi / Mi
+  autoscaling:
+    minScale: 1
+    maxScale: 3
+    maxConcurrency: 1000
+  # To disable all traffic, comment out the corresponding rule. Docs: https://docs.controlplane.com/concepts/security#firewall
+  firewall:
+    internal_inboundAllowType: "same-org" # Options: same-org / same-gvc
+    external_inboundAllowCIDR: 0.0.0.0/0 # Provide a comma-separated list
+    external_outboundAllowCIDR: "0.0.0.0/0" # Provide a comma-separated list