From 0e6f763db5cbf9c13326ddbe5102911c45148f6d Mon Sep 17 00:00:00 2001
From: Adrien
Date: Sat, 19 Dec 2020 13:20:57 +0100
Subject: [PATCH] Use helm and local provider
---
meta/main.yml | 2 +
tasks/main.yml | 135 ++++++++++++++-----------
templates/traefik-cm.yml.j2 | 21 ++--
templates/traefik-file-provider.yml.j2 | 73 +++++++++++++
templates/traefik-ingressroute.yml.j2 | 14 ---
templates/traefik-svc.yml.j2 | 20 ++--
vars/main.yml | 2 +-
7 files changed, 177 insertions(+), 90 deletions(-)
create mode 100644 templates/traefik-file-provider.yml.j2
diff --git a/meta/main.yml b/meta/main.yml
index a2e3209..c8bee80 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,6 +5,8 @@ galaxy_info:
 min_ansible_version: 2.6
 galaxy_tags: []
 license: GPL2
+ collections:
+ - community.kubernetes
 platforms:
 - name: kubernetes
 version:
diff --git a/tasks/main.yml b/tasks/main.yml
index b528a69..a4c6b05 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
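Review bot: `min_ansible_version: 2.6` is left unchanged while the new `collections:` entry makes the role depend on `community.kubernetes`, whose `helm` and `k8s` modules are only loadable as collection content on Ansible 2.9 or later, so the declared minimum no longer describes what the role needs; bump it, e.g. `min_ansible_version: 2.9`. The hunk also places the new key between `license:` and `platforms:`; indentation is lost in this rendering, but if it ended up nested under `galaxy_info` Ansible will not read it — `collections:` must be a top-level key of meta/main.yml, a sibling of `galaxy_info` and `dependencies`.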
@@ -45,35 +45,72 @@ when: - traefik_node_selector is defined - - name: Get Deployment information object - k8s_info: - context: "{{ my_context }}" - api_version: v1 - kind: DaemonSet +# - name: Get Deployment information object +# k8s_info: +# context: "{{ my_context }}" +# api_version: v1 +# kind: DaemonSet +# name: traefik +# namespace: '{{ traefik_namespace }}' +# field_selectors: +# - spec.template.spec.containers.image +# register: traefik_actual_resources +# +# - name: Retreive actual traefik version +# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq +# register: traefik_actual_version +# +# - name: Remove old traefik version {{ traefik_actual_version.stdout }} +# k8s: +# state: "absent" +# context: "{{ my_context }}" +# resource_definition: "{{ lookup('template', item) | from_yaml }}" +# with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse +# when: +# - not traefik_actual_version.stdout == "[]" +# - not traefik_version == traefik_actual_version.stdout +# - traefik_actual_version.stdout is version(traefik_version, '>') + + - name: deploy traefik + community.kubernetes.helm_repository: name: traefik - namespace: '{{ traefik_namespace }}' - field_selectors: - - spec.template.spec.containers.image - register: traefik_actual_resources + repo_url: "https://helm.traefik.io/traefik" + tags: traefik + - name: Deploy latest version of Traefik + community.kubernetes.helm: + name: traefik + chart_ref: traefik/traefik + release_namespace: traefik + values: + additionalArguments: + - --configFile=/etc/traefik/traefik.yaml + podSecurityPolicy: + enabled: true + service: + enabled: false + ingressRoute: + dashboard: + enabled: false + ports: + web: + redirectTo: websecure + hostPort: 80 + websecure: + hostPort: 443 + volumes: + - 
mountPath: /etc/traefik + name: traefik-conf + type: configMap + - mountPath: /etc/traefik/file + name: traefik-file-provider + type: configMap + - mountPath: /etc/traefik/basic-auth + name: basic-auth + type: secret - - name: Retreive actual traefik version - shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq - register: traefik_actual_version - - - name: Remove old traefik version {{ traefik_actual_version.stdout }} - k8s: - state: "absent" - context: "{{ my_context }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -# - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse - when: - - not traefik_actual_version.stdout == "[]" - - not traefik_version == traefik_actual_version.stdout - - traefik_actual_version.stdout is version(traefik_version, '>') - - - name: Install traefik version {{ traefik_version }} + - name: Install traefik configuration k8s: state: "present" context: "{{ my_context }}" 
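Review bot: The `community.kubernetes.helm` task installs `traefik/traefik` with no `chart_version`, so each run pulls whatever the repository currently publishes as latest — an unpinned, non-reproducible deployment of the ingress controller, while the rest of the role pins Traefik (`traefik_version_2_3` in vars/main.yml); add `chart_version: "<chart-version>"` (placeholder) next to `chart_ref` and drop "latest" from the task name. `release_namespace: traefik` is hard-coded whereas the `k8s` tasks and the Service/IngressRoute templates in this patch use `{{ traefik_namespace }}`, so with any other namespace value the Service selector and IngressRoute land in a namespace with no Traefik pods; use `release_namespace: "{{ traefik_namespace }}"` here (templates/traefik-file-provider.yml.j2 has the same literal `namespace: traefik`). The helm task also passes no `context: "{{ my_context }}"` as the `k8s` tasks do, so it presumably acts on the default kubeconfig context rather than the one the rest of the role targets. Ordering is worth a look as well: the chart is installed before "Install traefik configuration" (which starts at the end of this hunk and continues into the next) creates the `traefik-conf` and `traefik-file-provider` ConfigMaps the values mount, and nothing in this hunk creates the `basic-auth` secret, so on a fresh cluster the first pods wait on missing volumes until the later task runs. The `tags: traefik` present on the repository task is missing from the helm task.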
@@ -81,40 +118,18 @@ merge_type: merge resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: - - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-psp.yml.j2 +# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" +# - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-sa.yml.j2 - - traefik-dp.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-dashboard-svc.yml.j2 - - traefik-middleware-httpsredirect.yml.j2 - - traefik-middleware-basicauth.yml.j2 - - traefik-middleware-headers.yml.j2 - - traefik-tls-options.yml.j2 + - traefik-file-provider.yml.j2 +# - traefik-sa.yml.j2 +# - traefik-dp.yml.j2 +# - traefik-middleware-httpsredirect.yml.j2 +# - traefik-middleware-basicauth.yml.j2 +# - traefik-middleware-headers.yml.j2 +# - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 - - traefik-dashboard-insecure.yml.j2 -# - traefik-ping.yml.j2 - - - name: Define state of ipwhitelist middleware to present - set_fact: - traefik_ipwhitelist_state: present - when: - - traefik_version | regex_search('(^2.)') - - ingress_whitelist is defined - - name: Define state of ipwhitelist middleware to absent - set_fact: - traefik_ipwhitelist_state: absent - when: - - not ingress_whitelist is defined or traefik_ipwhitelist_state is not defined - - name: IP white list need to be {{ traefik_ipwhitelist_state }} - k8s: - state: "{{ traefik_ipwhitelist_state }}" - context: "{{ my_context }}" - merge_type: merge - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - traefik-middleware-ipwhitelist.yml.j2 +# - traefik-dashboard-insecure.yml.j2 + - traefik-svc.yml.j2 tags: traefik
diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2
index 37a2ff7..876b6b4 100644
--- a/templates/traefik-cm.yml.j2
+++ b/templates/traefik-cm.yml.j2
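Review bot: The `with_items` list now carries nine commented-out template names (the `lookup('vars', ...)` entry, `traefik-psp.yml.j2`, `traefik-sa.yml.j2`, `traefik-dp.yml.j2`, the three middleware templates, `traefik-tls-options.yml.j2` and `traefik-dashboard-insecure.yml.j2`); comments inside a task's item list are dead configuration that reads as if it might be re-enabled, and git history already records what was applied before the chart took over. Delete those lines, and if the corresponding template files are no longer rendered by any task, remove them in the same change so the role does not ship resources it never applies. The re-added `- traefik-svc.yml.j2` creates the Service the chart is told not to create (`service.enabled: false` in the helm values), which only works while that template tracks the chart's pod labels and container port names; a one-line comment on that entry, `# replaces the chart's Service; selector and targetPort names must match the chart`, would make the coupling visible. The task's `name:`/`k8s:` header lines are in the previous hunk.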
@@ -7,6 +7,20 @@ data:
 serversTransport:
 insecureSkipVerify: true
 entryPoints:
+ web:
+ address: ":8000/tcp"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ":8443/tcp"
+ http:
+ tls:
+ options: default
+ traefik:
+ address: ":9000/tcp"
 {% for traefik_entrypoint in traefik_entrypoints %}
 {{ traefik_entrypoint.name }}:
 address: :{{ traefik_entrypoint.port }}
@@ -26,18 +40,11 @@ data:
 watch: true
 metrics:
 prometheus:
- buckets:
- - 0.1
- - 0.3
- - 1.2
- - 5
 entryPoint: traefik
 ping:
 entryPoint: traefik
 api:
- insecure: true
 dashboard: true
- debug: true
 log:
 level: WARN
 format: json
diff --git a/templates/traefik-file-provider.yml.j2 b/templates/traefik-file-provider.yml.j2
new file mode 100644
index 0000000..c91b56b
--- /dev/null
+++ b/templates/traefik-file-provider.yml.j2
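Review bot: The new static `web`, `websecure` and `traefik` entryPoints are emitted unconditionally right before the existing `{% for traefik_entrypoint in traefik_entrypoints %}` loop, so an inventory whose list still contains an entrypoint named `web` or `websecure` renders duplicate mapping keys; YAML loaders keep the last one silently, and the HTTPS redirect and `tls.options: default` defined here would be replaced by the loop's bare `address:` line. Guard the loop body with `{% if traefik_entrypoint.name not in ['web', 'websecure', 'traefik'] %}` … `{% endif %}`, or fail the template with an explicit message when a reserved name is supplied. A one-line comment above the three entries, `# :8000/:8443/:9000 are container ports; the helm values bind them to hostPort 80/443`, would explain why the addresses differ from the ports in tasks/main.yml (presumably that is the mapping, as the chart values in this patch set only `hostPort`). The `entryPoints` mapping continues past the end of this hunk.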
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: traefik-file-provider
+ namespace: traefik
+data:
+ traefik-middlewares.yaml: |
+ http:
+ middlewares:
+ compress:
+ compress:
+ excludedContentTypes: ["text/event-stream"]
+ rate-limit:
+ rateLimit:
+ average: 100
+ burst: 50
+ security_headers:
+ headers:
+ accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
+ accessControlAllowOrigin: "origin-list-or-null"
+ accessControlMaxAge: 100
+ addVaryHeader: true
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ frameDeny: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ customFrameOptionsValue: "SAMEORIGIN"
+ referrerPolicy: "same-origin"
+ featurePolicy: "vibrate 'self'"
+ stsSeconds: 315360000
+ sslRedirect: true
+ contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
+ # customResponseHeaders:
+ # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+ # server: ""
+{% if ingress_whitelist is defined %}
+ traefik-ipwhitelist:
+ ipWhiteList:
+ sourceRange:
+{% for acl_whitelist in ingress_whitelist %}
+ - {{ acl_whitelist }}
+{% endfor %}
+{% endif %}
+{% if basic_auth|bool %}
+ basic-auth:
+ basicAuth:
+ removeHeader: true
+ usersFile: "/etc/traefik/basic-auth/basic_auth"
+ # users:
+ # - {{ basic_auth_data }}
+{% endif %}
+ authelia:
+ forwardAuth:
+ address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
+ trustForwardHeader: true
+ authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
+
+ traefik-tls-defaults-options.yaml: |
+ tls:
+ options:
+ default:
+ sniStrict: true
+ minVersion: VersionTLS12
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2
index 5c8ca55..b7f199a 100644
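Review bot: `authReponseHeaders` in the `authelia` forwardAuth middleware is a misspelling of Traefik's `authResponseHeaders`; the dynamic-configuration decoder does not know the misspelt key, so the middleware either fails to load or runs without copying any `Remote-*` header to the backend — write `authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]`. The same middleware hard-codes `address: "http://authelia:9091/api/verify?rd=https://login.example.com/"`, an `example.com` placeholder redirect target and a plain-http hop to the authentication service, so every deployment of the role ships it as-is; take the value from a role variable (`"{{ traefik_authelia_url }}"`, name to be chosen) and wrap the middleware in an `{% if ... is defined %}` block the way `basic-auth` and `traefik-ipwhitelist` already are. `metadata.namespace: traefik` is literal while the other templates in this patch use `{{ traefik_namespace }}`; since the chart mounts this ConfigMap by name, the pods cannot find it under any other namespace value. The `cipherSuites` list names only `TLS_ECDHE_RSA_*` suites, so a TLS 1.2 client facing an ECDSA certificate would have no suite in common; if ECDSA certificates are ever issued for these entrypoints, add the `TLS_ECDHE_ECDSA_*` counterparts or leave the suite selection to Traefik's defaults.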
--- a/templates/traefik-ingressroute.yml.j2
+++ b/templates/traefik-ingressroute.yml.j2
@@ -30,17 +30,6 @@ spec:
 services:
 - name: api@internal
 kind: TraefikService
-# - name: traefik-dashboard
-# port: 8080
-# # (default 1) A weight used by the weighted round-robin strategy (WRR).
-# weight: 1
-# # (default true) PassHostHeader controls whether to leave the request's Host
-# # Header as it was before it reached the proxy, or whether to let the proxy set it
-# # to the destination (backend) host.
-# passHostHeader: true
-# responseForwarding:
-# # (default 100ms) Interval between flushes of the buffered response body to the client.
-# flushInterval: 100ms
 - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
 kind: Rule
 services:
@@ -58,6 +47,3 @@ spec:
 {% if traefik_dashboard_certificate is defined %}
 secretName: {{ traefik_dashboard_certificate }}
 {% endif %}
- options:
- name: default
- namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2
index 7c369da..71d2044 100644
--- a/templates/traefik-svc.yml.j2
+++ b/templates/traefik-svc.yml.j2
@@ -2,20 +2,24 @@ apiVersion: v1 kind: Service metadata: labels: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik name: traefik namespace: {{ traefik_namespace }} spec: ports: - - name: http + - name: web + hostPort: 80 port: 80 protocol: TCP - targetPort: 80 - - protocol: TCP + targetPort: web + - name: websecure + hostPort: 443 port: 443 - name: https - targetPort: 443 - type: LoadBalancer + protocol: TCP + targetPort: websecure selector: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik + sessionAffinity: None
diff --git a/vars/main.yml b/vars/main.yml
index cb917ee..2ba0d63 100644
--- a/vars/main.yml
+++ b/vars/main.yml
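Review bot: `hostPort: 80` and `hostPort: 443` are placed under `spec.ports[]` of a `Service` in templates/traefik-svc.yml.j2, but `hostPort` is a field of a container's `ports[]`, not of `ServicePort` (whose fields are `name`, `protocol`, `appProtocol`, `port`, `targetPort`, `nodePort`); the API server drops the unknown field or rejects the object under strict validation, and the host binding actually comes from the `ports.web.hostPort`/`ports.websecure.hostPort` chart values in tasks/main.yml. Remove the two `hostPort:` lines from the Service. With `type: LoadBalancer` removed the Service falls back to `ClusterIP`, which is consistent with reaching Traefik through the pod host ports; a one-line comment, `# ClusterIP only: external traffic enters via the hostPorts set in the helm values`, would record that intent for the next reader.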
@@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.4 +traefik_version_2_3: 2.3.6 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2