diff --git a/charts/plane-enterprise/templates/ingress-traefik.yaml b/charts/plane-enterprise/templates/ingress-traefik.yaml
new file mode 100644
index 0000000..f150bed
--- /dev/null
+++ b/charts/plane-enterprise/templates/ingress-traefik.yaml
@@ -0,0 +1,84 @@
+{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik") .Values.license.licenseDomain }}
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ .Release.Name }}-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - websecure
+
+ routes:
+
+ # IMPORTANT: specific paths FIRST
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/spaces/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-space
+ port: 3000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/god-mode/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-admin
+ port: 3000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/api/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-api
+ port: 8000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/auth/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-api
+ port: 8000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/graphql/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-api
+ port: 8000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/marketplace/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-api
+ port: 8000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/live/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-live
+ port: 3000
+
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/silo/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-silo
+ port: 3000
+
+ {{- if and .Values.services.minio.local_setup .Values.env.docstore_bucket }}
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/{{ .Values.env.docstore_bucket }}`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-minio
+ port: 9000
+ {{- end }}
+
+ # LAST: catch all
+ - match: Host(`{{ .Values.license.licenseDomain }}`) && PathPrefix(`/`)
+ kind: Rule
+ middlewares:
+ - name: {{ .Release.Name }}-body-limit
+ services:
+ - name: {{ .Release.Name }}-web
+ port: 3000
+
+ tls:
+ secretName: {{ default (printf "%s-ssl-cert" .Release.Name) .Values.ssl.tls_secret_name }}
+
+{{- end }}
\ No newline at end of file
diff --git a/charts/plane-enterprise/templates/ingress.yaml b/charts/plane-enterprise/templates/ingress.yaml
index 2225f0f..8895922 100644
--- a/charts/plane-enterprise/templates/ingress.yaml
+++ b/charts/plane-enterprise/templates/ingress.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.ingress.enabled .Values.license.licenseDomain }}
+{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "nginx") .Values.license.licenseDomain }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
diff --git a/charts/plane-enterprise/templates/traefik-middleware.yaml b/charts/plane-enterprise/templates/traefik-middleware.yaml
new file mode 100644
index 0000000..ecc76bb
--- /dev/null
+++ b/charts/plane-enterprise/templates/traefik-middleware.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik") }}
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ .Release.Name }}-body-limit
+ namespace: {{ .Release.Namespace }}
+spec:
+ buffering:
+ maxRequestBodyBytes: 5242880
+
+{{- end }}
diff --git a/charts/plane-enterprise/templates/traefik-rbac.yaml b/charts/plane-enterprise/templates/traefik-rbac.yaml
new file mode 100644
index 0000000..4ccaab0
--- /dev/null
+++ b/charts/plane-enterprise/templates/traefik-rbac.yaml
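Review bot: Only the catch-all `/` route carries the `{{ .Release.Name }}-body-limit` middleware, so the `/api/`, `/spaces/`, `/live/` and the other prefixed routes accept request bodies of unbounded size, whereas the nginx Ingress this template replaces applies `proxy-body-size: 5m` to every path via `ingress_annotations` in values.yaml. Add `middlewares:` / `- name: {{ .Release.Name }}-body-limit` to each route (or at least to every route that can receive uploads) so the cap is enforced where large bodies actually arrive. The minio rule's PathPrefix argument `/{{ .Values.env.docstore_bucket }}` has no trailing slash, unlike every other route, so it also matches any path that merely starts with the bucket name; `/{{ .Values.env.docstore_bucket }}/` is the narrower match if the bucket is always addressed as a directory. The `# IMPORTANT: specific paths FIRST` comment is misleading for Traefik, which, absent an explicit `priority`, orders routers by rule length rather than list position; a comment such as `# list order is cosmetic: Traefik prefers the longer rule, so the / route loses to every prefixed one` would describe why the catch-all actually comes last.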
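Review bot: Gating this Ingress on `eq .Values.ingress.ingressClass "nginx"` means any other class name (a site-specific nginx class name, or a typo) now renders neither this Ingress nor the Traefik IngressRoute, and the install still succeeds, so the service is silently unreachable. Consider failing the render when `ingress.enabled` is set and the class is not one of the two supported literals, e.g. a `{{- fail "ingress.ingressClass must be 'nginx' or 'traefik'" }}` branch in a shared helper, or at minimum a values.yaml comment stating that only those two values select an ingress template. The rest of the Ingress body lies outside this hunk.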
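Review bot: `maxRequestBodyBytes: 5242880` is hard-coded, while the equivalent nginx limit lives in `ingress_annotations` in values.yaml and can be changed per deployment; an operator moving to Traefik has no way to adjust the cap without editing the template. Read it from values with a nil-safe default, following the `{{- $traefik := .Values.ingress.traefik | default dict }}` pattern used in traefik-rbac.yaml, then `maxRequestBodyBytes: {{ $traefik.maxRequestBodyBytes | default 5242880 }}`. A comment such as `# 5 MiB, mirrors the nginx proxy-body-size: 5m default` would tell the next reader where the constant comes from.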
@@ -0,0 +1,38 @@
+{{- $traefik := .Values.ingress.traefik | default dict }}
+{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik") ($traefik.createSecretReadRBAC) }}
+# Role: allows reading secrets in this namespace (for TLS certs used by IngressRoute).
+# RoleBinding: grants the Traefik controller's service account that permission.
+# Required so Traefik can load the TLS certificate referenced in the IngressRoute.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-traefik-secret-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: plane-enterprise
+ app.kubernetes.io/component: traefik-rbac
+ app.kubernetes.io/managed-by: helm
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-traefik-secret-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: plane-enterprise
+ app.kubernetes.io/component: traefik-rbac
+ app.kubernetes.io/managed-by: helm
+subjects:
+- kind: ServiceAccount
+ name: {{ $traefik.serviceAccountName | default "traefik" }}
+ namespace: {{ $traefik.serviceAccountNamespace | default "traefik" }}
+roleRef:
+ kind: Role
+ name: {{ .Release.Name }}-traefik-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/plane-enterprise/values.yaml b/charts/plane-enterprise/values.yaml
index ed7ddf4..a7934f3 100644
--- a/charts/plane-enterprise/values.yaml
+++ b/charts/plane-enterprise/values.yaml
@@ -27,6 +27,7 @@ ingress:
 rabbitmqHost: ''
 ingressClass: 'nginx'
 ingress_annotations: { "nginx.ingress.kubernetes.io/proxy-body-size": "5m" }
+ # ingressClass: 'traefik'
 ssl:
 tls_secret_name: '' # If you have a custom TLS secret name
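Review bot: The Role grants `get`, `list` and `watch` on every Secret in the release namespace, not only the TLS certificate the header comment describes, so the Traefik service account can read any other Secret the chart or the operator places there. `get` could be narrowed with `resourceNames`, but `list`/`watch` are only honored with `resourceNames` when the client itself filters by `metadata.name`, which a controller informer normally does not, so the wide grant is probably unavoidable and the comment should say so explicitly: `# NOTE: list/watch cannot be scoped with resourceNames, so this grants read access to every Secret in the namespace, not just the TLS cert.` Keeping `createSecretReadRBAC` opt-in is the right default (an unset key is falsy), but none of the `ingress.traefik.*` keys this template reads (`createSecretReadRBAC`, `serviceAccountName`, `serviceAccountNamespace`) are added to values.yaml in this commit, which only adds a commented `ingressClass` line, so they are undiscoverable and a wrong service-account name or namespace binds silently to a non-existent account. The hard-coded `app.kubernetes.io/managed-by: helm` label is usually written as `{{ .Release.Service }}`.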