
Add Traefik deployment and IngressRoute configuration#93

Open
1989shack wants to merge 1 commit into main from 1989shack-patch-17

Conversation

@1989shack (Owner) commented Dec 22, 2025

Summary by Sourcery

Add Traefik deployment and routing configuration for exposing an example service via HTTP with real IP handling middleware.

New Features:

  • Introduce a Traefik Deployment in the default namespace with HTTP and admin entrypoints configured via Kubernetes CRD provider.
  • Add a Traefik middleware using the traefik-real-ip plugin to manage client IP handling with excluded networks.
  • Define an IngressRoute to expose an example Kubernetes service over the web entrypoint using the configured real IP middleware.

Signed-off-by: Martin M Sheriff <smartin772@yahoo.com>
codesandbox bot commented Dec 22, 2025

Review or Edit in CodeSandbox: open the branch in Web Editor, VS Code or Insiders, or open the preview.

sourcery-ai bot commented Dec 22, 2025

Reviewer's Guide

Adds a Traefik v2.4 Deployment plus associated Middleware plugin configuration and an example IngressRoute for routing HTTP traffic through Traefik with a real IP plugin.

Sequence diagram for HTTP request through Traefik IngressRoute with real IP middleware

```mermaid
sequenceDiagram
    actor User
    participant TraefikPod as Traefik_pod
    participant MiddlewareRealIP as Middleware_traefik_real_ip
    participant ExampleService as example_service

    User->>TraefikPod: HTTP GET http://domain.ltd/
    TraefikPod->>TraefikPod: Match IngressRoute ingress-example (entryPoint web)
    TraefikPod->>MiddlewareRealIP: Apply real IP processing
    MiddlewareRealIP-->>TraefikPod: Updated client IP headers
    TraefikPod->>ExampleService: HTTP request with real client IP
    ExampleService-->>TraefikPod: HTTP response
    TraefikPod-->>User: HTTP response
```

File-Level Changes

Change (kubernetes.yml): Introduce Traefik deployment configured with Kubernetes CRD provider and real IP plugin.
  • Create a Deployment for a single-replica Traefik pod in the default namespace with app=traefik labels and a dedicated service account.
  • Configure Traefik container image v2.4 with CLI args enabling insecure API dashboard, access logging, web entrypoint on port 80, and Kubernetes CRD provider.
  • Enable Traefik Pilot token placeholder and configure the experimental traefik-real-ip plugin (module name and version).
  • Expose container ports 80 (web) and 8080 (admin) and define CPU requests/limits for the Traefik container.

Change (kubernetes.yml): Add Middleware resource wiring the traefik-real-ip plugin and excluded IP networks.
  • Define a Traefik Middleware custom resource using the traefik-real-ip plugin.
  • Configure the plugin with an excludednets list containing 1.1.1.1/24 so those addresses are not rewritten.

Change (kubernetes.yml): Add example IngressRoute using Traefik entrypoint, service, and middleware.
  • Create an IngressRoute in the default namespace listening on the web entryPoint.
  • Route HTTP traffic matching Host(`domain.ltd`) and PathPrefix(`/`) to example-service on port 80.
  • Attach the traefik-real-ip middleware to the route so requests go through the real IP processing.

appwrite bot commented Dec 22, 2025

1989shack.com

Project ID: e-commerce-free-web-hosting-platform

Sites (1)
  • 1989shack.com (691b5ee800385b8bebac): Status: Failed; Logs: Failed (View Logs, Preview URL, QR Code)

netlify bot commented Dec 22, 2025

Deploy Preview for 1989shack-e-c failed. Why did it fail? →

  • 🔨 Latest commit: 1c4f8f0
  • 🔍 Latest deploy log: https://app.netlify.com/projects/1989shack-e-c/deploys/69490fc33dc4a100081e8918

sourcery-ai bot left a comment


Hey - I've found 3 issues, and left some high level feedback:

  • The Deployment currently enables --api.insecure and hardcodes --pilot.token={YOUR_PILOT_TOKEN}; consider disabling the insecure API and sourcing the pilot token (if still needed) via a Secret or config mechanism rather than committing it in the manifest.
  • Host and network-specific values like Host(domain.ltd) and excludednets: ["1.1.1.1/24"] are hardcoded in the IngressRoute and Middleware; you may want to externalize these into environment-specific overlays or configuration to avoid editing the base manifest per environment.
  • The Traefik Deployment has no liveness/readiness probes configured; adding HTTP probes on the appropriate ports would make the controller’s health behavior more robust under failure or restart conditions.
## Individual Comments

### Comment 1
<location> `kubernetes.yml:24` </location>
<code_context>
+        - name: traefik
+          image: traefik:v2.4
+          args:
+            - --api.insecure
+            - --accesslog
+            - --entrypoints.web.Address=:80
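Review bot: nothing in these args tells Traefik which peers are allowed to set forwarded headers, so a middleware that derives the client address from `X-Forwarded-For`-style headers on this entrypoint will act on values any client can write; add `--entrypoints.web.forwardedHeaders.trustedIPs=<CIDR of the load balancer or CDN in front of the pod>` so Traefik strips those headers from every other source. In the same block, `--api.insecure` serves the API and dashboard unauthenticated on the admin port, and `traefik:v2.4` is an early-2021 release that no longer receives fixes; drop `--api.insecure` (keep `--api.dashboard=true` and publish it through an authenticated IngressRoute on `api@internal`) and pin a maintained release. Note also that only a plaintext `web` entrypoint on :80 is defined here, with no TLS entrypoint.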
</code_context>

<issue_to_address>
**🚨 issue (security):** Exposing the Traefik API/dashboard insecurely can be a security risk in most environments.

`--api.insecure` exposes the Traefik dashboard/API on the `admin` port without authentication. Outside of local/testing, consider disabling it or protecting it with auth and strict network controls (e.g., internal-only Service, IP allowlist, or an auth middleware).
</issue_to_address>

### Comment 2
<location> `kubernetes.yml:28` </location>
<code_context>
+            - --accesslog
+            - --entrypoints.web.Address=:80
+            - --providers.kubernetescrd
+            - --pilot.token={YOUR_PILOT_TOKEN}
+            - --experimental.plugins.traefik-real-ip.modulename=github.com/soulbalz/traefik-real-ip
+            - --experimental.plugins.traefik-real-ip.version=v1.0.3
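Review bot: `--pilot.token={YOUR_PILOT_TOKEN}` is a literal placeholder, so Traefik will be started with the string `{YOUR_PILOT_TOKEN}` as its token, and if a real value is ever substituted on this line it lands in git history. Traefik Pilot has been discontinued and the `pilot.*` options are deprecated in later 2.x releases and gone in 3.x, so the cleanest fix is to delete the flag; if Pilot is kept, supply the value from a Secret through the `TRAEFIK_PILOT_TOKEN` environment variable instead. The two `--experimental.plugins.traefik-real-ip.*` lines make Traefik fetch third-party source from GitHub at start-up and interpret it inside the proxy process: `version=v1.0.3` is a git tag, not a content hash, so record the reviewed commit, and prefer vendoring the audited source into the image via `--experimental.localPlugins` on a Traefik version that supports it.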
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Pilot token should not be embedded directly in the manifest.

Putting `{YOUR_PILOT_TOKEN}` directly in args ties a sensitive value to the manifest and increases the risk of leaking it via version control. Prefer sourcing it from an environment variable backed by a Kubernetes Secret and referencing that in the args, or remove the Pilot integration if it’s no longer needed.

Suggested implementation:

```yaml
        - name: traefik
          image: traefik:v2.4
          env:
            - name: TRAEFIK_PILOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: traefik-pilot-token
                  key: token
          args:

```

```yaml
            - --providers.kubernetescrd
            - --experimental.plugins.traefik-real-ip.modulename=github.com/soulbalz/traefik-real-ip

```

1. Create a `Secret` named `traefik-pilot-token` in the same namespace, with a key `token` containing the Pilot token, for example:
   ```yaml
   apiVersion: v1
   kind: Secret
   metadata:
     name: traefik-pilot-token
   type: Opaque
   data:
     token: <base64-encoded-token>
   ```
2. Verify that the Traefik version you are using supports reading the Pilot token from the `TRAEFIK_PILOT_TOKEN`/`PILOT_TOKEN` environment variable (v2.x does).
</issue_to_address>

### Comment 3
<location> `kubernetes.yml:36-40` </location>
<code_context>
+              containerPort: 80
+            - name: admin
+              containerPort: 8080
+          resources:
+            requests:
+              cpu: 300m
+            limits:
+              cpu: 500m
+
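Review bot: `containerPort: 8080` (`admin`) is where `--api.insecure` serves the unauthenticated dashboard, so confirm no Service or IngressRoute targets it, and add a `securityContext` since none is set here: `runAsNonRoot`, drop all capabilities, `allowPrivilegeEscalation: false`, and `readOnlyRootFilesystem: true` with an emptyDir mounted where the downloaded plugin source is written. Binding `containerPort: 80` as a non-root user needs `NET_BIND_SERVICE`, so it is simpler to listen on an unprivileged port and let the Service map 80 to it. For the probes this block lacks, Traefik's own health endpoint is the natural target: add `--ping=true` and point `httpGet` readiness and liveness probes at `/ping` on port 8080, which is the default `traefik` entrypoint.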
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Resource spec only sets CPU requests/limits, omitting memory constraints.

Only CPU is configured under `resources`. Without memory requests/limits, the pod may be scheduled unpredictably and is more prone to OOM kills under load. Please add appropriate memory requests/limits based on expected Traefik usage.

```suggestion
          resources:
            requests:
              cpu: 300m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
```
</issue_to_address>

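As an added example, not code from the PR's kubernetes.yml or from Sourcery's suggestions, here is the Deployment rewritten with the review points above applied: no `--api.insecure`, the dashboard reachable only through an authenticated `api@internal` route, forwarded headers trusted only from the upstream proxy range, `/ping` probes, a non-root container with a read-only filesystem, and memory limits. Values that are assumptions and not from the PR: the image tag `traefik:v2.11`, the trusted upstream range `203.0.113.0/24`, container port 8000 (a Service, not shown, would map 80 to it), the Secret `traefik-dashboard-users`, and the dashboard host `traefik.domain.ltd`.

```yaml
# Added example (not the PR's manifest or Sourcery's suggestion): the Traefik
# Deployment with the review points applied. Assumed: a maintained image tag, the
# upstream load balancer/CDN range 203.0.113.0/24, a Service mapping 80 -> 8000,
# and a Secret "traefik-dashboard-users" holding htpasswd lines under key "users".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: default
  labels: {app: traefik}
spec:
  replicas: 1
  selector:
    matchLabels: {app: traefik}
  template:
    metadata:
      labels: {app: traefik}
    spec:
      serviceAccountName: traefik
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile: {type: RuntimeDefault}
      volumes:
        - name: plugins
          emptyDir: {}
      containers:
        - name: traefik
          image: traefik:v2.11       # assumption: any release still receiving fixes
          args:
            - --api.dashboard=true   # no --api.insecure: dashboard only via api@internal below
            - --ping=true            # serves /ping on the traefik entrypoint for the probes
            - --accesslog
            - --entrypoints.web.address=:8000      # unprivileged port; the Service exposes 80
            - --entrypoints.traefik.address=:8080
            # Strip X-Forwarded-*/X-Real-Ip unless the peer is the upstream LB/CDN;
            # otherwise the real-IP middleware acts on whatever the client sends.
            - --entrypoints.web.forwardedHeaders.trustedIPs=203.0.113.0/24
            - --providers.kubernetescrd
            - --experimental.plugins.traefik-real-ip.modulename=github.com/soulbalz/traefik-real-ip
            - --experimental.plugins.traefik-real-ip.version=v1.0.3
          ports:
            - {name: web, containerPort: 8000}
            - {name: admin, containerPort: 8080}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - name: plugins
              mountPath: /plugins-storage   # downloaded plugin source needs a writable dir
          readinessProbe:
            httpGet: {path: /ping, port: admin}
            periodSeconds: 5
          livenessProbe:
            httpGet: {path: /ping, port: admin}
            initialDelaySeconds: 10
          resources:
            requests: {cpu: 300m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
---
# The dashboard and API are published only through this authenticated route.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: default
spec:
  basicAuth:
    secret: traefik-dashboard-users   # assumption: Secret with an htpasswd "users" key
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: default
spec:
  entryPoints: [web]
  routes:
    - match: Host(`traefik.domain.ltd`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
```

Two checks worth running after `kubectl apply`: send a request carrying a forged `X-Forwarded-For` from a peer outside 203.0.113.0/24 and confirm the backend sees the peer's own address rather than the forged value, and confirm that port 8080 answers `/ping` but not `/api/rawdata`. Because the PR defines only the plaintext `web` entrypoint, the dashboard route above sends basic-auth credentials in the clear and should be moved to a TLS entrypoint before it is used anywhere but a lab.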
