authorPaul Buetow <paul@buetow.org>2026-01-29 08:48:14 +0200
committerPaul Buetow <paul@buetow.org>2026-01-29 08:48:14 +0200
commit26ba9b67ea9eb9705a1fcafbc06790e08bfb2957 (patch)
tree3b95ff1df208734c4c2c6f584ae98caee5569dbe /f3s
parent6234710e3389b1a98c10cc12e641cd56fb5895e1 (diff)
Add traefik-config for X-Forwarded-For header trust
Amp-Thread-ID: https://ampcode.com/threads/T-019c086d-c760-779d-b740-0f748094b62a Co-authored-by: Amp <amp@ampcode.com>
Diffstat (limited to 'f3s')
-rw-r--r--f3s/argocd-apps/infra/traefik-config.yaml28
-rw-r--r--f3s/traefik-config/README.md23
-rw-r--r--f3s/traefik-config/helm-chart/Chart.yaml5
-rw-r--r--f3s/traefik-config/helm-chart/templates/helmchartconfig.yaml10
4 files changed, 66 insertions, 0 deletions
diff --git a/f3s/argocd-apps/infra/traefik-config.yaml b/f3s/argocd-apps/infra/traefik-config.yaml
new file mode 100644
index 0000000..1ab3527
--- /dev/null
+++ b/f3s/argocd-apps/infra/traefik-config.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik-config
+ namespace: cicd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: http://git-server.cicd.svc.cluster.local/conf.git
+ targetRevision: master
+ path: f3s/traefik-config/helm-chart
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ retry:
+ limit: 3
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 1m
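Review bot: The Application targets `namespace: kube-system` through the unrestricted `default` AppProject (`project: default`) with `automated`, `prune: true` and `selfHeal: true`, so anyone who can push to `master` of the plaintext, in-cluster `http://git-server.cicd.svc.cluster.local/conf.git` effectively controls the ingress controller's configuration with no repo-level or destination-level guardrail on the Argo side. A dedicated AppProject that pins `sourceRepos` to this repository and `destinations` to the `kube-system` namespace would bound what a mis-scoped or hijacked Application can reach; the only line that changes here is `project: traefik-config` (or whatever the infra project is named). If the sibling apps under `f3s/argocd-apps/infra/` already use `default`, this is a pre-existing pattern rather than something this commit introduces, but `kube-system` is a good place to start tightening. The HTTP repo URL also gives no integrity guarantee beyond network reachability inside the cluster; if the git server can serve SSH or TLS, prefer that, or enable commit signature verification on the project.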
diff --git a/f3s/traefik-config/README.md b/f3s/traefik-config/README.md
new file mode 100644
index 0000000..783ea7b
--- /dev/null
+++ b/f3s/traefik-config/README.md
@@ -0,0 +1,23 @@
+# Traefik Configuration
+
+k3s HelmChartConfig to customize the bundled Traefik ingress controller.
+
+## What This Does
+
+Configures Traefik to trust `X-Forwarded-For` headers from trusted proxy networks (relayd on frontends).
+
+This allows backend applications to see the real client IP address instead of internal cluster IPs.
+
+## Apply
+
+```bash
+kubectl apply -f helmchartconfig.yaml
+```
+
+Traefik will automatically restart and pick up the new configuration.
+
+## Trusted Networks
+
+- `192.168.0.0/16` - WireGuard tunnel IPs (relayd frontends)
+- `10.0.0.0/8` - Kubernetes pod/service network
+- `172.16.0.0/12` - Docker bridge networks
diff --git a/f3s/traefik-config/helm-chart/Chart.yaml b/f3s/traefik-config/helm-chart/Chart.yaml
new file mode 100644
index 0000000..333b097
--- /dev/null
+++ b/f3s/traefik-config/helm-chart/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: traefik-config
+description: HelmChartConfig to customize k3s bundled Traefik ingress controller.
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/f3s/traefik-config/helm-chart/templates/helmchartconfig.yaml b/f3s/traefik-config/helm-chart/templates/helmchartconfig.yaml
new file mode 100644
index 0000000..9b4b8b2
--- /dev/null
+++ b/f3s/traefik-config/helm-chart/templates/helmchartconfig.yaml
@@ -0,0 +1,10 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ additionalArguments:
+ - "--entryPoints.web.forwardedHeaders.trustedIPs=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+ - "--entryPoints.websecure.forwardedHeaders.trustedIPs=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
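Review bot: Both `forwardedHeaders.trustedIPs` values trust the entire `10.0.0.0/8` and `172.16.0.0/12` ranges, so any workload in the pod/service network — not only the relayd frontends over WireGuard — can hand Traefik a forged `X-Forwarded-For` (and `X-Forwarded-Proto`/`X-Forwarded-Host`, which the same setting covers) that backends will treat as the real client, defeating any IP-based allowlist, rate limit or audit log behind the ingress. Trust only the hop that actually fronts Traefik: the WireGuard subnet relayd really uses rather than all of `192.168.0.0/16`, and if `10.0.0.0/8` is present only because the k3s service LB rewrites the source to a pod IP, either list those svclb/node addresses or set `externalTrafficPolicy: Local` on the Traefik Service so the original source survives (worth confirming in this cluster before changing). `172.16.0.0/12` is described as Docker bridge space, yet nothing in this change shows a Docker hop in front of Traefik, so it looks droppable. Separately, if relayd is configured to `append` rather than `set` `X-Forwarded-For`, the Internet client's own header stays as the leftmost entry, so backends must read the rightmost trusted entry or relayd must overwrite the header; a comment on the `additionalArguments` block would keep this from regressing, e.g. `# Only the immediate upstream hop (relayd over WireGuard) may set forwarded headers; do not add cluster CIDRs here.`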