Maison/arti-api/deploy-traefik.sh
2026-02-10 12:12:11 +01:00


#!/bin/bash
# Traefik v2 IngressRoute Deployment Script for Artifactory
# Deploys the complete artifactory stack with Traefik-based access control
# Abort on the first command that exits non-zero and is not otherwise handled.
set -e

printf '%s\n' \
  "🚀 Deploying Artifactory with Traefik v2 IngressRoute..." \
  "==================================================" \
  ""

# ANSI escape sequences for coloured terminal output; they are only rendered
# where the script prints them with backslash interpretation (`echo -e`).
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color (reset)

# Deployment settings.
NAMESPACE="artifactory"
# Only the exact value "full" selects the full-featured manifest; anything else
# falls through to the simplified one.
TRAEFIK_VERSION="simple" # Change to "full" for full-featured version

# Echo the effective settings. The internal network shown here is display text
# only: nothing in this script passes it to kubectl.
printf '%s\n' \
  "📋 Configuration:" \
  " Namespace: $NAMESPACE" \
  " Internal Network: 192.168.100.0/24" \
  " Traefik Version: $TRAEFIK_VERSION" \
  ""
# Prerequisite checks: kubectl must be on PATH (hard failure); a missing
# Traefik installation only produces a warning.
echo "🔍 Checking prerequisites..."
command -v kubectl >/dev/null 2>&1 || {
  echo -e "${RED}kubectl not found. Please install kubectl first.${NC}"
  exit 1
}

# Count pods, in any namespace, labelled app.kubernetes.io/name=traefik.
# kubectl's stderr is discarded, so an unreachable cluster also yields a count
# of zero and triggers the same warning as a cluster without Traefik.
TRAEFIK_PODS=$(kubectl get pods -A -l app.kubernetes.io/name=traefik --no-headers 2>/dev/null | wc -l)
if [ "$TRAEFIK_PODS" -eq 0 ]; then
  printf '%b\n' "⚠️ ${YELLOW}Warning: No Traefik pods found. Make sure Traefik v2 is installed.${NC}"
  printf '%s\n' \
    " You can install Traefik with:" \
    " helm repo add traefik https://helm.traefik.io/traefik" \
    " helm install traefik traefik/traefik" \
    ""
fi
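# Create the namespace if it doesn't exist: the object is rendered client-side
# and piped to `kubectl apply`, which accepts an already-existing namespace.
echo "📦 Creating namespace..."
kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# Deploy the base services (without ingress).
# `kubectl apply` is idempotent, so a failure here does not mean "already
# exists": it means the manifest is missing, an object was rejected, or the
# request was denied. kubectl's stderr is therefore left visible instead of
# being sent to /dev/null. The step stays best-effort and the script continues.
echo "🏗️ Deploying base services..."
if ! kubectl apply -f kubernetes.yaml -n "$NAMESPACE"; then
  echo " Warning: applying kubernetes.yaml failed; see the kubectl error above" >&2
fi

# Wait for the arti-api deployment to report Available (up to 120s).
# A timeout and a missing deployment both end up here, so the message names
# both and kubectl's own error is shown rather than hidden.
echo "⏳ Waiting for services to be ready..."
if ! kubectl wait --for=condition=available --timeout=120s deployment/arti-api -n "$NAMESPACE"; then
  echo " Arti-API deployment not found or not available within 120s, continuing..." >&2
fi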
# Apply the Traefik routing manifest selected by TRAEFIK_VERSION.
# NOTE(review): unlike the base services, these applies pass no -n flag, so the
# objects go to whatever namespace the manifests declare (or the current
# context's default). Confirm that is $NAMESPACE, which is where the status
# checks below look.
# NOTE(review): the access restrictions this script advertises presumably live
# in these manifests; they are not visible from this script - verify them there.
echo "🌐 Deploying Traefik IngressRoute..."
case "$TRAEFIK_VERSION" in
  full)
    kubectl apply -f traefik-ingressroute.yaml
    echo -e "${GREEN}Full-featured Traefik configuration deployed${NC}"
    ;;
  *)
    kubectl apply -f traefik-simple.yaml
    echo -e "${GREEN}Simplified Traefik configuration deployed${NC}"
    ;;
esac
# Print one section of the status report.
# Globals:   NAMESPACE (read)
# Arguments: $1 - section heading
#            $2 - kubectl resource kind to list
#            $3 - grep -E filter for the rows (and header) to keep
#            $4 - text printed when no row matches
# kubectl's stderr is discarded, so a failed query (unknown resource kind,
# unreachable cluster) and a genuinely empty result both print the fallback.
_print_status_section() {
  echo "$1"
  kubectl get "$2" -n "$NAMESPACE" 2>/dev/null | grep -E "$3" || echo "$4"
}

# Check deployment status.
# NOTE(review): "No IngressRoutes found" / "No middlewares found" are only
# reported, never treated as a failure, yet the summary printed afterwards still
# describes external access as restricted. Read this section before relying on
# that summary.
echo ""
echo "📊 Deployment Status:"
_print_status_section " Deployments:" deployments \
  "(NAME|arti-api|chartmuseum|docker-registry|error-service)" " No deployments found"
_print_status_section " Services:" services \
  "(NAME|arti-api|chartmuseum|docker-registry|error-service)" " No services found"
_print_status_section " IngressRoutes:" ingressroute \
  "(NAME|arti|chart|registry)" " No IngressRoutes found"
_print_status_section " Middlewares:" middleware \
  "(NAME|internal|external|block)" " No middlewares found"
echo ""
# Look up the first Service, in any namespace, labelled
# app.kubernetes.io/name=traefik. With -A and --no-headers a row reads
# NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE, so field 5 is the
# EXTERNAL-IP column; kubectl may print a non-address marker there (for example
# "<none>" or "<pending>"), which is stored as-is.
# TRAEFIK_IP is left unset when no matching service is found.
TRAEFIK_SERVICE=$(kubectl get svc -A -l app.kubernetes.io/name=traefik --no-headers 2>/dev/null | head -1)
if [[ -n "$TRAEFIK_SERVICE" ]]; then
  TRAEFIK_IP=$(awk '{print $5}' <<<"$TRAEFIK_SERVICE")
  printf '%b\n' "🌐 ${BLUE}Traefik Service Info:${NC}"
  printf '%s\n' " $TRAEFIK_SERVICE" ""
fi
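# Display access information.
#
# Two values are derived first so the printed hints can be copied safely:
#   DNS_IP           - address for the hosts entries. TRAEFIK_IP is unset when
#                      no Traefik service was found, and may hold a kubectl
#                      marker instead of an address; in both cases a labelled
#                      placeholder is printed instead of an empty or bogus entry.
#   TRAEFIK_MANIFEST - the file the deploy step applied. The "full" variant is
#                      traefik-ingressroute.yaml, not traefik-full.yaml, so the
#                      clean-up hint must not be built from TRAEFIK_VERSION.
case "${TRAEFIK_IP:-}" in
  '' | '<none>' | '<pending>')
    DNS_IP='<TRAEFIK_EXTERNAL_IP>'
    ;;
  *)
    DNS_IP=$TRAEFIK_IP
    ;;
esac
if [ "${TRAEFIK_VERSION:-}" = "full" ]; then
  TRAEFIK_MANIFEST="traefik-ingressroute.yaml"
else
  TRAEFIK_MANIFEST="traefik-simple.yaml"
fi

echo "🎯 Access Information:"
echo ""
# NOTE(review): every URL below is plain http://. Until TLS is set up (next
# step 4), anything sent to these hosts - including registry credentials from
# the `docker login` example - crosses the network unencrypted.
echo -e "📱 ${GREEN}Service URLs:${NC}"
echo " 🔧 Arti-API: http://api.artifactory.local"
echo " 📚 API Docs: http://api.artifactory.local/docs"
echo " ⛵ Chart Museum: http://charts.artifactory.local"
echo " 🐳 Docker Registry: http://registry.artifactory.local"
echo ""
# NOTE(review): the lines below describe the intended policy; nothing in this
# script verifies it. A source-IP rule is only as good as the client address
# Traefik actually sees: if a load balancer or proxy in front rewrites the
# source, or forwarded headers are trusted from any peer, the 192.168.100.0/24
# check may not mean what it says. Confirm against the applied manifests and
# the Traefik entry-point settings.
echo -e "🔐 ${YELLOW}Access Control:${NC}"
echo " 🏠 Internal Network (192.168.100.0/24): Full access to all endpoints"
echo " 🌐 External Network: Limited to health endpoints only"
echo ""
echo -e "${GREEN}Health Endpoints (External Access):${NC}"
echo " curl http://api.artifactory.local/health"
echo " curl http://charts.artifactory.local/health"
echo " curl http://registry.artifactory.local/v2/"
echo ""
echo -e "🚫 ${RED}Blocked Endpoints (External Access):${NC}"
echo " curl http://api.artifactory.local/users # Returns 403"
echo " curl http://charts.artifactory.local/api/charts # Returns 403"
echo " curl http://registry.artifactory.local/v2/myapp/ # Returns 403"
echo ""
echo -e "🏠 ${GREEN}Internal Network Examples (192.168.100.x):${NC}"
echo " curl http://api.artifactory.local/users # Full access"
echo " curl http://charts.artifactory.local/api/charts # Full access"
echo " docker login registry.artifactory.local # Full access"
echo ""
echo -e "🔧 ${BLUE}DNS Configuration:${NC}"
echo " Add these entries to your /etc/hosts or DNS server:"
echo " $DNS_IP api.artifactory.local"
echo " $DNS_IP charts.artifactory.local"
echo " $DNS_IP registry.artifactory.local"
echo ""
echo -e "📋 ${BLUE}Management Commands:${NC}"
echo " # View IngressRoute details:"
echo " kubectl describe ingressroute -n $NAMESPACE"
echo ""
echo " # Check middleware configuration:"
echo " kubectl get middleware -n $NAMESPACE -o yaml"
echo ""
echo " # View Traefik dashboard (if enabled):"
echo " kubectl port-forward -n traefik service/traefik 9000:9000"
echo " # Then access: http://localhost:9000/dashboard/"
echo ""
echo " # Test from internal network:"
echo " kubectl run test-internal --rm -i --tty --image=curlimages/curl -- sh"
echo ""
echo " # Clean up:"
echo " kubectl delete ingressroute,middleware,configmap,deployment,service -n $NAMESPACE -l app=error-service"
echo " kubectl delete -f $TRAEFIK_MANIFEST"
echo ""
echo -e "🎉 ${GREEN}Traefik IngressRoute deployment completed!${NC}"
echo ""
echo -e "📖 ${BLUE}Next Steps:${NC}"
echo " 1. Configure DNS entries for the artifactory domains"
echo " 2. Test access from internal network (192.168.100.x)"
echo " 3. Verify external access is properly restricted"
echo " 4. Set up TLS certificates for production use"
echo " 5. Configure Traefik dashboard access if needed"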