fix for review

mesosphere · Jan 16, 2025 · 548ccb7 · 548ccb7
1 parent bcf8dad
commit 548ccb7
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 39 deletions.
diff --git a/services/traefik/34.1.0/defaults/cm.yaml b/services/traefik/34.1.0/defaults/cm.yaml
@@ -67,7 +67,6 @@ data:
               - /dkp/kubecost/grafana
               - /dkp/kubernetes
               - /dkp/prometheus
-      #          - /dkp/traefik
       - # Create stripprefix middleware for kubetunnel exposed services.
         # This expects that every TunnelGateway will be launched with
         # `urlPathPrefix: /dkp/tunnel` configuration.
@@ -102,6 +101,23 @@ data:
               - X-Forwarded-User
               - Impersonate-User
               - Impersonate-Group
+      - # Used by apps such as Kuberentes-Dashboard and Kiali
+        # that obtain the K8S API Bearer token via
+        # the `Authorization:` header and Impersonate the user.
+        apiVersion: traefik.io/v1alpha1
+        kind: Middleware
+        metadata:
+          name: forwardauth-full
+          namespace: ${releaseNamespace}
+        spec:
+          forwardAuth:
+            address: http://${tfaName}.${releaseNamespace}.svc.cluster.local:4181/
+            trustForwardHeader: true
+            authResponseHeaders:
+              - X-Forwarded-User
+              - Impersonate-User
+              - Impersonate-Group
+              - Authorization
     
     resources:
       limits:
@@ -110,9 +126,9 @@ data:
         cpu: 500m
     logs:
       general:
-        level: DEBUG
+        level: WARN
       access:
-        enabled: false
+        enabled: true
     additionalArguments:
       - "--serversTransport.insecureSkipVerify=true"
       - "--metrics.prometheus=true"

diff --git a/services/traefik/34.1.0/traefik.yaml b/services/traefik/34.1.0/traefik.yaml
@@ -159,39 +159,3 @@ rules:
       - post
       - put
       - delete
----
-# Expose Traefik dashboard in insecure mode according to
-# <https://doc.traefik.io/traefik/v2.0/operations/dashboard/>.
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: traefik-dashboard
-  namespace: ${releaseNamespace}
-  labels:
-    app.kubernetes.io/instance: traefik-dashboard
-    app.kubernetes.io/name: traefik-dashboard
-    app.kubernetes.io/version: 2.5.6
-  annotations:
-    kubernetes.io/ingress.class: kommander-traefik
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.middlewares: "${releaseNamespace}-forwardauth@kubernetescrd"
-spec:
-  # Requesting `/` from kommander-traefik-dashboard results in an absolute redirect to `/dashboard/`, which then 404s.
-  # We provide a path each for `/dashboard/` and `/api/` to prevent requests to `/`.
-  rules:
-    - http:
-        paths:
-          - backend:
-              service:
-                name: kommander-traefik-dashboard
-                port:
-                  number: 80
-            path: /dkp/traefik/dashboard/
-            pathType: Prefix
-          - backend:
-              service:
-                name: kommander-traefik-dashboard
-                port:
-                  number: 80
-            path: /dkp/traefik/api/
-            pathType: Prefix