New OPS-centric setup. Integrated with wild-init and wild-setup.

setup/cluster/traefik/README.md

@@ -0,0 +1,7 @@
+# Traefik
+
+- https://doc.traefik.io/traefik/providers/kubernetes-ingress/
+
+Ingress RDs can be create for any service. The routes specificed in the Ingress are added automatically to the Traefik proxy.
+
+Traefik serves all incoming network traffic on ports 80 and 443 to their appropriate services based on the route.

setup/cluster/traefik/internal-middleware.yaml

@@ -0,0 +1,13 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: internal-only
+  namespace: kube-system
+spec:
+  ipWhiteList:
+    # Restrict to local private network ranges - adjust these to match your network
+    sourceRange:
+      - 127.0.0.1/32    # localhost
+      - 10.0.0.0/8      # Private network
+      - 172.16.0.0/12   # Private network
+      - 192.168.0.0/16  # Private network

setup/cluster/traefik/traefik-service.yaml

@@ -0,0 +1,29 @@
+---
+# Traefik service configuration with static LoadBalancer IP
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik
+  namespace: kube-system
+  annotations:
+    # Get a stable IP from MetalLB
+    metallb.universe.tf/address-pool: production
+    metallb.universe.tf/allow-shared-ip: traefik-lb
+  labels:
+    app.kubernetes.io/instance: traefik-kube-system
+    app.kubernetes.io/name: traefik
+spec:
+  type: LoadBalancer
+  loadBalancerIP: 192.168.8.240
+  selector:
+    app.kubernetes.io/instance: traefik-kube-system
+    app.kubernetes.io/name: traefik
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+    - name: websecure 
+      port: 443
+      targetPort: websecure
+  externalTrafficPolicy: Local
+