From 0e6f763db5cbf9c13326ddbe5102911c45148f6d Mon Sep 17 00:00:00 2001 From: Adrien Date: Sat, 19 Dec 2020 13:20:57 +0100 Subject: [PATCH 1/3] Use helm and local provider --- meta/main.yml | 2 + tasks/main.yml | 135 ++++++++++++++----------- templates/traefik-cm.yml.j2 | 21 ++-- templates/traefik-file-provider.yml.j2 | 73 +++++++++++++ templates/traefik-ingressroute.yml.j2 | 14 --- templates/traefik-svc.yml.j2 | 20 ++-- vars/main.yml | 2 +- 7 files changed, 177 insertions(+), 90 deletions(-) create mode 100644 templates/traefik-file-provider.yml.j2 diff --git a/meta/main.yml b/meta/main.yml index a2e3209..c8bee80 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,6 +5,8 @@ galaxy_info: min_ansible_version: 2.6 galaxy_tags: [] license: GPL2 + collections: + - community.kubernetes platforms: - name: kubernetes version: diff --git a/tasks/main.yml b/tasks/main.yml index b528a69..a4c6b05 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -45,35 +45,72 @@ when: - traefik_node_selector is defined - - name: Get Deployment information object - k8s_info: - context: "{{ my_context }}" - api_version: v1 - kind: DaemonSet +# - name: Get Deployment information object +# k8s_info: +# context: "{{ my_context }}" +# api_version: v1 +# kind: DaemonSet +# name: traefik +# namespace: '{{ traefik_namespace }}' +# field_selectors: +# - spec.template.spec.containers.image +# register: traefik_actual_resources +# +# - name: Retreive actual traefik version +# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq +# register: traefik_actual_version +# +# - name: Remove old traefik version {{ traefik_actual_version.stdout }} +# k8s: +# state: "absent" +# context: "{{ my_context }}" +# resource_definition: "{{ lookup('template', item) | from_yaml }}" +# with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse +# when: +# - not traefik_actual_version.stdout == "[]" +# - not traefik_version == traefik_actual_version.stdout +# - traefik_actual_version.stdout is version(traefik_version, '>') + + - name: deploy traefik + community.kubernetes.helm_repository: name: traefik - namespace: '{{ traefik_namespace }}' - field_selectors: - - spec.template.spec.containers.image - register: traefik_actual_resources + repo_url: "https://helm.traefik.io/traefik" + tags: traefik + - name: Deploy latest version of Traefik + community.kubernetes.helm: + name: traefik + chart_ref: traefik/traefik + release_namespace: traefik + values: + additionalArguments: + - --configFile=/etc/traefik/traefik.yaml + podSecurityPolicy: + enabled: true + service: + enabled: false + ingressRoute: + dashboard: + enabled: false + ports: + web: + redirectTo: websecure + hostPort: 80 + websecure: + hostPort: 443 + volumes: + - 
mountPath: /etc/traefik + name: traefik-conf + type: configMap + - mountPath: /etc/traefik/file + name: traefik-file-provider + type: configMap + - mountPath: /etc/traefik/basic-auth + name: basic-auth + type: secret - - name: Retreive actual traefik version - shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq - register: traefik_actual_version - - - name: Remove old traefik version {{ traefik_actual_version.stdout }} - k8s: - state: "absent" - context: "{{ my_context }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -# - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse - when: - - not traefik_actual_version.stdout == "[]" - - not traefik_version == traefik_actual_version.stdout - - traefik_actual_version.stdout is version(traefik_version, '>') - - - name: Install traefik version {{ traefik_version }} + - name: Install traefik configuration k8s: state: "present" context: "{{ my_context }}" 
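Review bot: The new `community.kubernetes.helm` task passes no `context:`, unlike the `k8s` tasks in this file that set `context: "{{ my_context }}"`, so the release is installed into whatever context is current in the controller's kubeconfig, which may be a different cluster. It also hard-codes `release_namespace: traefik` where the rest of the role uses `traefik_namespace`. I would add `context: "{{ my_context }}"` and change the namespace line to `release_namespace: "{{ traefik_namespace }}"`. The commented-out version-detection and removal tasks above it are better deleted than kept as comments, since the history already preserves them.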
@@ -81,40 +118,18 @@ merge_type: merge resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: - - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-psp.yml.j2 +# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" +# - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-sa.yml.j2 - - traefik-dp.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-dashboard-svc.yml.j2 - - traefik-middleware-httpsredirect.yml.j2 - - traefik-middleware-basicauth.yml.j2 - - traefik-middleware-headers.yml.j2 - - traefik-tls-options.yml.j2 + - traefik-file-provider.yml.j2 +# - traefik-sa.yml.j2 +# - traefik-dp.yml.j2 +# - traefik-middleware-httpsredirect.yml.j2 +# - traefik-middleware-basicauth.yml.j2 +# - traefik-middleware-headers.yml.j2 +# - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 - - traefik-dashboard-insecure.yml.j2 -# - traefik-ping.yml.j2 - - - - name: Define state of ipwhitelist middleware to present - set_fact: - traefik_ipwhitelist_state: present - when: - - traefik_version | regex_search('(^2.)') - - ingress_whitelist is defined - - name: Define state of ipwhitelist middleware to absent - set_fact: - traefik_ipwhitelist_state: absent - when: - - not ingress_whitelist is defined or traefik_ipwhitelist_state is not defined - - name: IP white list need to be {{ traefik_ipwhitelist_state }} - k8s: - state: "{{ traefik_ipwhitelist_state }}" - context: "{{ my_context }}" - merge_type: merge - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - traefik-middleware-ipwhitelist.yml.j2 +# - traefik-dashboard-insecure.yml.j2 + - traefik-svc.yml.j2 tags: traefik diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 37a2ff7..876b6b4 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 
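Review bot: `traefik-ingressroute.yml.j2` is still applied by this `with_items` list, but the Middleware templates it may rely on (basicauth, headers, httpsredirect) are commented out and the ipwhitelist tasks are removed, so the role no longer creates those Kubernetes objects. The `middlewares:` part of the ingressroute template is not visible in this patch, so please confirm that the dashboard route (`api@internal`) still has authentication and the allow-list attached after this change. Middlewares that now live in the file provider have to be referenced with the provider suffix, for example `- name: basic-auth@file`. The commented-out list entries should be removed rather than left in place.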
@@ -7,6 +7,20 @@ data: serversTransport: insecureSkipVerify: true entryPoints: + web: + address: ":8000/tcp" + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: ":8443/tcp" + http: + tls: + options: default + traefik: + address: ":9000/tcp" {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: address: :{{ traefik_entrypoint.port }} @@ -26,18 +40,11 @@ data: watch: true metrics: prometheus: - buckets: - - 0.1 - - 0.3 - - 1.2 - - 5 entryPoint: traefik ping: entryPoint: traefik api: - insecure: true dashboard: true - debug: true log: level: WARN format: json diff --git a/templates/traefik-file-provider.yml.j2 b/templates/traefik-file-provider.yml.j2 new file mode 100644 index 0000000..c91b56b --- /dev/null +++ b/templates/traefik-file-provider.yml.j2 
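Review bot: The fixed `web`, `websecure` and `traefik` entry points are emitted immediately before the `{% for traefik_entrypoint in traefik_entrypoints %}` loop, so an entry in `traefik_entrypoints` with one of those names renders a duplicate mapping key. Depending on the YAML parser, the file is then either rejected or the later key silently wins, which would drop the HTTPS redirection or the `tls.options: default` binding without any visible error. I would skip the reserved names in the loop, `{% for traefik_entrypoint in traefik_entrypoints if traefik_entrypoint.name not in ['web', 'websecure', 'traefik'] %}`, or fail the play early with an `assert` on the variable. Separately, the unchanged context line `insecureSkipVerify: true` under `serversTransport` disables certificate verification towards every backend and deserves at least a comment stating why it is needed.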
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: traefik-file-provider + namespace: traefik +data: + traefik-middlewares.yaml: | + http: + middlewares: + compress: + compress: + excludedContentTypes: ["text/event-stream"] + rate-limit: + rateLimit: + average: 100 + burst: 50 + security_headers: + headers: + accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] + accessControlAllowOrigin: "origin-list-or-null" + accessControlMaxAge: 100 + addVaryHeader: true + browserXssFilter: true + contentTypeNosniff: true + forceSTSHeader: true + frameDeny: true + stsIncludeSubdomains: true + stsPreload: true + customFrameOptionsValue: "SAMEORIGIN" + referrerPolicy: "same-origin" + featurePolicy: "vibrate 'self'" + stsSeconds: 315360000 + sslRedirect: true + contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" + # customResponseHeaders: + # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," + # server: "" +{% if ingress_whitelist is defined %} + traefik-ipwhitelist: + ipWhiteList: + sourceRange: +{% for acl_whitelist in ingress_whitelist %} + - {{ acl_whitelist }} +{% endfor %} +{% endif %} +{% if basic_auth|bool %} + basic-auth: + basicAuth: + removeHeader: true + usersFile: "/etc/traefik/basic-auth/basic_auth" + # users: + # - {{ basic_auth_data }} +{% endif %} + authelia: + forwardAuth: + address: "http://authelia:9091/api/verify?rd=https://login.example.com/" + trustForwardHeader: true + authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"] + + traefik-tls-defaults-options.yaml: | + tls: + options: + default: + sniStrict: true + minVersion: VersionTLS12 + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 5c8ca55..b7f199a 100644 
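Review bot: The `authelia` forwardAuth block misspells its header option as `authReponseHeaders`; Traefik's option is `authResponseHeaders`. As written, the `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` headers are not copied to the backend request, and if the file provider decodes strictly the whole `traefik-middlewares.yaml` file may be refused, taking the rate-limit, header, allow-list and basic-auth middlewares with it. The line should read `authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]`. `trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers on to the auth service, which is only appropriate behind a trusted proxy, so it should be `false` or carry a comment naming that proxy. The values `"origin-list-or-null"`, `login.example.com` and `namespace: traefik` look like documentation placeholders or hard-coded values and would be better taken from role variables such as `traefik_namespace`.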
--- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -30,17 +30,6 @@ spec: services: - name: api@internal kind: TraefikService -# - name: traefik-dashboard -# port: 8080 -# # (default 1) A weight used by the weighted round-robin strategy (WRR). -# weight: 1 -# # (default true) PassHostHeader controls whether to leave the request's Host -# # Header as it was before it reached the proxy, or whether to let the proxy set it -# # to the destination (backend) host. -# passHostHeader: true -# responseForwarding: -# # (default 100ms) Interval between flushes of the buffered response body to the client. -# flushInterval: 100ms - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) kind: Rule services: @@ -58,6 +47,3 @@ spec: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} {% endif %} - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index 7c369da..71d2044 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 @@ -2,20 +2,24 @@ apiVersion: v1 kind: Service metadata: labels: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik name: traefik namespace: {{ traefik_namespace }} spec: ports: - - name: http + - name: web + hostPort: 80 port: 80 protocol: TCP - targetPort: 80 - - protocol: TCP + targetPort: web + - name: websecure + hostPort: 443 port: 443 - name: https - targetPort: 443 - type: LoadBalancer + protocol: TCP + targetPort: websecure selector: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik + sessionAffinity: None diff --git a/vars/main.yml b/vars/main.yml index cb917ee..2ba0d63 100644 --- a/vars/main.yml +++ b/vars/main.yml 
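Review bot: In the `traefik-svc.yml.j2` hunk, `hostPort: 80` and `hostPort: 443` are added under the Service's `spec.ports`, but `hostPort` is a container-port field of a pod spec and not a field of a Service port, so the API server will reject or drop it. The host ports are already requested through the Helm values `ports.web.hostPort` and `ports.websecure.hostPort` in tasks/main.yml, so both lines can be removed here. The hunk also appears to drop `type: LoadBalancer`, which turns the Service into the default ClusterIP type; if that is intended, a one-line comment such as `# ClusterIP on purpose: traffic enters through the pod hostPorts` would make it explicit.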
@@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.4 +traefik_version_2_3: 2.3.6 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2 From bdbf908070057e37eba1682b9c5cf2f976124b48 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 11 Jan 2021 22:48:28 +0100 Subject: [PATCH 2/3] Update traefik to version 2.3.7 --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 2ba0d63..ffe6edb 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.6 +traefik_version_2_3: 2.3.7 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2 From 88bdd203777c5d319dbb5d39fc0e5f49bc7ef21a Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Tue, 19 Jan 2021 00:00:47 +0100 Subject: [PATCH 3/3] Use helm to deploy traefik --- tasks/main.yml | 21 ++- templates/2.0/traefik-clusterrole.yml.j2 | 62 ------- .../2.0/traefik-clusterrolebinding.yml.j2 | 13 -- templates/2.0/traefik-crd-ingressroute.yml.j2 | 16 -- .../2.0/traefik-crd-ingressroutetcp.yml.j2 | 16 -- templates/2.0/traefik-crd-middleware.yml.j2 | 16 -- templates/2.0/traefik-crd-tlsoption.yml.j2 | 13 -- templates/2.1/Ressources-exemple.yml | 157 ------------------ templates/2.1/traefik-clusterrole.yml.j2 | 42 ----- .../2.1/traefik-clusterrolebinding.yml.j2 | 13 -- templates/2.1/traefik-crd-ingressroute.yml.j2 | 16 -- .../2.1/traefik-crd-ingressroutetcp.yml.j2 | 16 -- templates/2.1/traefik-crd-middleware.yml.j2 | 16 -- templates/2.1/traefik-crd-tlsoption.yml.j2 | 16 -- .../2.1/traefik-crd-traefikservice.yml.j2 | 16 -- templates/2.2/Ressources-exemple.yml | 157 ------------------ templates/2.2/traefik-clusterrole.yml.j2 | 48 ------ .../2.2/traefik-clusterrolebinding.yml.j2 | 13 -- .../2.2/traefik-crd-ingressroutes.yml.j2 | 16 -- .../2.2/traefik-crd-ingressroutetcps.yml.j2 | 16 -- .../2.2/traefik-crd-ingressrouteudps.yml.j2 | 16 -- templates/2.2/traefik-crd-middlewares.yml.j2 | 16 -- templates/2.2/traefik-crd-tlsoptions.yml.j2 | 16 -- templates/2.2/traefik-crd-tlsstores.yml.j2 | 16 -- .../2.2/traefik-crd-traefikservices.yml.j2 | 16 -- templates/2.3/Ressources-exemple.yml | 157 ------------------ templates/2.3/traefik-clusterrole.yml.j2 | 50 ------ .../2.3/traefik-clusterrolebinding.yml.j2 | 13 -- .../2.3/traefik-crd-ingressroutes.yml.j2 | 13 -- .../2.3/traefik-crd-ingressroutetcps.yml.j2 | 13 -- .../2.3/traefik-crd-ingressrouteudps.yml.j2 | 13 -- templates/2.3/traefik-crd-middlewares.yml.j2 | 13 -- templates/2.3/traefik-crd-tlsoptions.yml.j2 | 13 -- templates/2.3/traefik-crd-tlsstores.yml.j2 | 13 -- .../2.3/traefik-crd-traefikservices.yml.j2 | 13 -- templates/traefik-cm.yml.j2 | 11 +- 
templates/traefik-dashboard-insecure.yml.j2 | 40 ----- templates/traefik-dashboard-svc.yml.j2 | 24 --- templates/traefik-dp.yml.j2 | 93 ----------- ...e-provider.yml.j2 => traefik-files.yml.j2} | 3 +- templates/traefik-ingressroute.yml.j2 | 1 - templates/traefik-middleware-basicauth.yml.j2 | 8 - templates/traefik-middleware-headers.yml.j2 | 31 ---- .../traefik-middleware-httpsredirect.yml.j2 | 8 - .../traefik-middleware-ipwhitelist.yml.j2 | 1 - templates/traefik-ping.yml.j2 | 41 ----- templates/traefik-psp.yml.j2 | 49 ------ templates/traefik-sa.yml.j2 | 1 - templates/traefik-svc.yml.j2 | 1 - templates/traefik-tls-options.yml.j2 | 16 -- vars/main.yml | 30 ---- 51 files changed, 16 insertions(+), 1432 deletions(-) delete mode 100644 templates/2.0/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.0/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.0/traefik-crd-ingressroute.yml.j2 delete mode 100644 templates/2.0/traefik-crd-ingressroutetcp.yml.j2 delete mode 100644 templates/2.0/traefik-crd-middleware.yml.j2 delete mode 100644 templates/2.0/traefik-crd-tlsoption.yml.j2 delete mode 100644 templates/2.1/Ressources-exemple.yml delete mode 100644 templates/2.1/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.1/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.1/traefik-crd-ingressroute.yml.j2 delete mode 100644 templates/2.1/traefik-crd-ingressroutetcp.yml.j2 delete mode 100644 templates/2.1/traefik-crd-middleware.yml.j2 delete mode 100644 templates/2.1/traefik-crd-tlsoption.yml.j2 delete mode 100644 templates/2.1/traefik-crd-traefikservice.yml.j2 delete mode 100644 templates/2.2/Ressources-exemple.yml delete mode 100644 templates/2.2/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.2/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.2/traefik-crd-ingressroutes.yml.j2 delete mode 100644 templates/2.2/traefik-crd-ingressroutetcps.yml.j2 delete mode 100644 
templates/2.2/traefik-crd-ingressrouteudps.yml.j2 delete mode 100644 templates/2.2/traefik-crd-middlewares.yml.j2 delete mode 100644 templates/2.2/traefik-crd-tlsoptions.yml.j2 delete mode 100644 templates/2.2/traefik-crd-tlsstores.yml.j2 delete mode 100644 templates/2.2/traefik-crd-traefikservices.yml.j2 delete mode 100644 templates/2.3/Ressources-exemple.yml delete mode 100644 templates/2.3/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.3/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressroutes.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressroutetcps.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressrouteudps.yml.j2 delete mode 100644 templates/2.3/traefik-crd-middlewares.yml.j2 delete mode 100644 templates/2.3/traefik-crd-tlsoptions.yml.j2 delete mode 100644 templates/2.3/traefik-crd-tlsstores.yml.j2 delete mode 100644 templates/2.3/traefik-crd-traefikservices.yml.j2 delete mode 100644 templates/traefik-dashboard-insecure.yml.j2 delete mode 100644 templates/traefik-dashboard-svc.yml.j2 delete mode 100644 templates/traefik-dp.yml.j2 rename templates/{traefik-file-provider.yml.j2 => traefik-files.yml.j2} (97%) delete mode 100644 templates/traefik-middleware-basicauth.yml.j2 delete mode 100644 templates/traefik-middleware-headers.yml.j2 delete mode 100644 templates/traefik-middleware-httpsredirect.yml.j2 delete mode 100644 templates/traefik-ping.yml.j2 delete mode 100644 templates/traefik-psp.yml.j2 delete mode 100644 templates/traefik-tls-options.yml.j2 diff --git a/tasks/main.yml b/tasks/main.yml index a4c6b05..9844fba 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -73,7 +73,7 @@ # - not traefik_version == traefik_actual_version.stdout # - traefik_actual_version.stdout is version(traefik_version, '>') - - name: deploy traefik + - name: Defined traefik repository community.kubernetes.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" 
@@ -84,6 +84,8 @@ chart_ref: traefik/traefik release_namespace: traefik values: + image: + tag: "{{ traefik_version_2_3 }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml podSecurityPolicy: @@ -93,6 +95,9 @@ ingressRoute: dashboard: enabled: false + ingressClass: + enabled: true + isDefaultClass: true ports: web: redirectTo: websecure @@ -104,7 +109,7 @@ name: traefik-conf type: configMap - mountPath: /etc/traefik/file - name: traefik-file-provider + name: traefik-files type: configMap - mountPath: /etc/traefik/basic-auth name: basic-auth @@ -115,21 +120,15 @@ state: "present" context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' - merge_type: merge +# merge_type: merge + apply: yes resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" -# - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-file-provider.yml.j2 + - traefik-files.yml.j2 # - traefik-sa.yml.j2 -# - traefik-dp.yml.j2 -# - traefik-middleware-httpsredirect.yml.j2 -# - traefik-middleware-basicauth.yml.j2 -# - traefik-middleware-headers.yml.j2 -# - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 -# - traefik-dashboard-insecure.yml.j2 - traefik-svc.yml.j2 tags: traefik diff --git a/templates/2.0/traefik-clusterrole.yml.j2 b/templates/2.0/traefik-clusterrole.yml.j2 deleted file mode 100644 index 537813c..0000000 --- a/templates/2.0/traefik-clusterrole.yml.j2 +++ /dev/null 
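Review bot: Setting `image.tag` to `{{ traefik_version_2_3 }}` pins the container image, but the `community.kubernetes.helm` task still has no `chart_version`, so an install or upgrade can pull whatever chart release the repository currently serves, including RBAC and CRD templates that were never reviewed together with that image. I would add `chart_version: "{{ traefik_chart_version }}"` next to `chart_ref`, where `traefik_chart_version` is a new role variable to define. This patch also removes 30 lines from vars/main.yml in a hunk that is not shown here, so please confirm `traefik_version_2_3` is still defined after it. In the last hunk, `apply: yes` is better written `apply: true`, and the commented-out `# merge_type: merge` line can be deleted.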
@@ -1,62 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutes - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutetcps - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - tlsoptions - verbs: - - get - - list - - watch diff --git a/templates/2.0/traefik-clusterrolebinding.yml.j2 b/templates/2.0/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 9f58700..0000000 --- a/templates/2.0/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: traefik diff --git a/templates/2.0/traefik-crd-ingressroute.yml.j2 b/templates/2.0/traefik-crd-ingressroute.yml.j2 deleted file mode 100644 index 41f70f9..0000000 --- a/templates/2.0/traefik-crd-ingressroute.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced 
diff --git a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 deleted file mode 100644 index 107c4e5..0000000 --- a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.0/traefik-crd-middleware.yml.j2 b/templates/2.0/traefik-crd-middleware.yml.j2 deleted file mode 100644 index b517ac8..0000000 --- a/templates/2.0/traefik-crd-middleware.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.0/traefik-crd-tlsoption.yml.j2 b/templates/2.0/traefik-crd-tlsoption.yml.j2 deleted file mode 100644 index 1495e0d..0000000 --- a/templates/2.0/traefik-crd-tlsoption.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.1/Ressources-exemple.yml b/templates/2.1/Ressources-exemple.yml deleted file mode 100644 index bf512dd..0000000 --- a/templates/2.1/Ressources-exemple.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr2 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: s1 - weight: 1 - port: 80 - # Optional, as it is the default value - kind: Service - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr1 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: wrr2 - kind: TraefikService - weight: 1 - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror1 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: s1 - port: 80 - mirrors: - - name: s3 - percent: 20 - port: 80 - - name: mirror2 - kind: TraefikService - percent: 20 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror2 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: wrr2 - kind: TraefikService - mirrors: - - name: s2 - # Optional, as it is the default value - kind: Service - percent: 20 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroute -spec: - entryPoints: - - web - - websecure - routes: - - match: Host(`foo.com`) && PathPrefix(`/bar`) - kind: Rule - priority: 12 - # defining several services is possible and allowed, but for now the servers of - # all the services (for a given route) get merged altogether under the same - # load-balancing strategy. - services: - - name: s1 - port: 80 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - # strategy defines the load balancing strategy between the servers. It defaults - # to Round Robin, and for now only Round Robin is supported anyway. 
- strategy: RoundRobin - - name: s2 - port: 433 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - - match: PathPrefix(`/misc`) - services: - - name: s3 - port: 80 - middlewares: - - name: stripprefix - - name: addprefix - - match: PathPrefix(`/misc`) - services: - - name: s3 - # Optional, as it is the default value - kind: Service - port: 8443 - # scheme allow to override the scheme for the service. (ex: https or h2c) - scheme: https - - match: PathPrefix(`/lb`) - services: - - name: wrr1 - kind: TraefikService - - match: PathPrefix(`/mirrored`) - services: - - name: mirror1 - kind: TraefikService - # use an empty tls object for TLS with Let's Encrypt - tls: - secretName: supersecret - options: - name: myTLSOption - namespace: default - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: ingressroutetcp.crd - namespace: default - -spec: - entryPoints: - - footcp - routes: - - match: HostSNI(`bar.com`) - services: - - name: whoamitcp - port: 8080 - tls: - secretName: foosecret - passthrough: false - options: - name: myTLSOption - namespace: default \ No newline at end of file diff --git a/templates/2.1/traefik-clusterrole.yml.j2 b/templates/2.1/traefik-clusterrole.yml.j2 deleted file mode 100644 index fe4f9c9..0000000 --- a/templates/2.1/traefik-clusterrole.yml.j2 +++ /dev/null @@ -1,42 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - - ingressroutes - - traefikservices - - ingressroutetcps - - tlsoptions - verbs: - - get - - list - - watch 
diff --git a/templates/2.1/traefik-clusterrolebinding.yml.j2 b/templates/2.1/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 2a4398a..0000000 --- a/templates/2.1/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: {{ traefik_namespace }} diff --git a/templates/2.1/traefik-crd-ingressroute.yml.j2 b/templates/2.1/traefik-crd-ingressroute.yml.j2 deleted file mode 100644 index f31a6bd..0000000 --- a/templates/2.1/traefik-crd-ingressroute.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced diff --git a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 deleted file mode 100644 index a766ed8..0000000 --- a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.1/traefik-crd-middleware.yml.j2 b/templates/2.1/traefik-crd-middleware.yml.j2 deleted file mode 100644 index 1c0168e..0000000 --- a/templates/2.1/traefik-crd-middleware.yml.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.1/traefik-crd-tlsoption.yml.j2 b/templates/2.1/traefik-crd-tlsoption.yml.j2 deleted file mode 100644 index a1200f0..0000000 --- a/templates/2.1/traefik-crd-tlsoption.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.1/traefik-crd-traefikservice.yml.j2 b/templates/2.1/traefik-crd-traefikservice.yml.j2 deleted file mode 100644 index 46ce7ca..0000000 --- a/templates/2.1/traefik-crd-traefikservice.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: traefikservices.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TraefikService - plural: traefikservices - singular: traefikservice - scope: Namespaced diff --git a/templates/2.2/Ressources-exemple.yml b/templates/2.2/Ressources-exemple.yml deleted file mode 100644 index bf512dd..0000000 --- a/templates/2.2/Ressources-exemple.yml +++ /dev/null 
@@ -1,157 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: wrr2
- namespace: {{ traefik_namespace }}
-
-spec:
- weighted:
- services:
- - name: s1
- weight: 1
- port: 80
- # Optional, as it is the default value
- kind: Service
- - name: s3
- weight: 1
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: wrr1
- namespace: {{ traefik_namespace }}
-
-spec:
- weighted:
- services:
- - name: wrr2
- kind: TraefikService
- weight: 1
- - name: s3
- weight: 1
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: mirror1
- namespace: {{ traefik_namespace }}
-
-spec:
- mirroring:
- name: s1
- port: 80
- mirrors:
- - name: s3
- percent: 20
- port: 80
- - name: mirror2
- kind: TraefikService
- percent: 20
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: mirror2
- namespace: {{ traefik_namespace }}
-
-spec:
- mirroring:
- name: wrr2
- kind: TraefikService
- mirrors:
- - name: s2
- # Optional, as it is the default value
- kind: Service
- percent: 20
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: ingressroute
-spec:
- entryPoints:
- - web
- - websecure
- routes:
- - match: Host(`foo.com`) && PathPrefix(`/bar`)
- kind: Rule
- priority: 12
- # defining several services is possible and allowed, but for now the servers of
- # all the services (for a given route) get merged altogether under the same
- # load-balancing strategy.
- services:
- - name: s1
- port: 80
- healthCheck:
- path: /health
- host: baz.com
- intervalSeconds: 7
- timeoutSeconds: 60
- # strategy defines the load balancing strategy between the servers. It defaults
- # to Round Robin, and for now only Round Robin is supported anyway.
- strategy: RoundRobin
- - name: s2
- port: 433
- healthCheck:
- path: /health
- host: baz.com
- intervalSeconds: 7
- timeoutSeconds: 60
- - match: PathPrefix(`/misc`)
- services:
- - name: s3
- port: 80
- middlewares:
- - name: stripprefix
- - name: addprefix
- - match: PathPrefix(`/misc`)
- services:
- - name: s3
- # Optional, as it is the default value
- kind: Service
- port: 8443
- # scheme allow to override the scheme for the service. (ex: https or h2c)
- scheme: https
- - match: PathPrefix(`/lb`)
- services:
- - name: wrr1
- kind: TraefikService
- - match: PathPrefix(`/mirrored`)
- services:
- - name: mirror1
- kind: TraefikService
- # use an empty tls object for TLS with Let's Encrypt
- tls:
- secretName: supersecret
- options:
- name: myTLSOption
- namespace: default
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
- name: ingressroutetcp.crd
- namespace: default
-
-spec:
- entryPoints:
- - footcp
- routes:
- - match: HostSNI(`bar.com`)
- services:
- - name: whoamitcp
- port: 8080
- tls:
- secretName: foosecret
- passthrough: false
- options:
- name: myTLSOption
- namespace: default
\ No newline at end of file
diff --git a/templates/2.2/traefik-clusterrole.yml.j2 b/templates/2.2/traefik-clusterrole.yml.j2
deleted file mode 100644
index bef2410..0000000
--- a/templates/2.2/traefik-clusterrole.yml.j2
+++ /dev/null
@@ -1,48 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: traefik-ingress-controller
-
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['traefik-ingress-controller']
- - apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - secrets
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - traefik.containo.us
- resources:
- - middlewares
- - ingressroutes
- - traefikservices
- - ingressroutetcps
- - ingressrouteudps
- - tlsoptions
- - tlsstores
- verbs:
- - get
- - list
- - watch
\ No newline at end of file
diff --git a/templates/2.2/traefik-clusterrolebinding.yml.j2 b/templates/2.2/traefik-clusterrolebinding.yml.j2
deleted file mode 100644
index 2a4398a..0000000
--- a/templates/2.2/traefik-clusterrolebinding.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: traefik-ingress-controller
-
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: traefik-ingress-controller
-subjects:
- - kind: ServiceAccount
- name: traefik-ingress-controller
- namespace: {{ traefik_namespace }}
diff --git a/templates/2.2/traefik-crd-ingressroutes.yml.j2 b/templates/2.2/traefik-crd-ingressroutes.yml.j2
deleted file mode 100644
index f31a6bd..0000000
--- a/templates/2.2/traefik-crd-ingressroutes.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressroutes.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRoute
- plural: ingressroutes
- singular: ingressroute
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2
deleted file mode 100644
index a766ed8..0000000
--- a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressroutetcps.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRouteTCP
- plural: ingressroutetcps
- singular: ingressroutetcp
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2
deleted file mode 100644
index 535726c..0000000
--- a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressrouteudps.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRouteUDP
- plural: ingressrouteudps
- singular: ingressrouteudp
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-middlewares.yml.j2 b/templates/2.2/traefik-crd-middlewares.yml.j2
deleted file mode 100644
index 1c0168e..0000000
--- a/templates/2.2/traefik-crd-middlewares.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: middlewares.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: Middleware
- plural: middlewares
- singular: middleware
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-tlsoptions.yml.j2 b/templates/2.2/traefik-crd-tlsoptions.yml.j2
deleted file mode 100644
index a1200f0..0000000
--- a/templates/2.2/traefik-crd-tlsoptions.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: tlsoptions.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TLSOption
- plural: tlsoptions
- singular: tlsoption
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-tlsstores.yml.j2 b/templates/2.2/traefik-crd-tlsstores.yml.j2
deleted file mode 100644
index eae918f..0000000
--- a/templates/2.2/traefik-crd-tlsstores.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: tlsstores.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TLSStore
- plural: tlsstores
- singular: tlsstore
- scope: Namespaced
diff --git a/templates/2.2/traefik-crd-traefikservices.yml.j2 b/templates/2.2/traefik-crd-traefikservices.yml.j2
deleted file mode 100644
index 46ce7ca..0000000
--- a/templates/2.2/traefik-crd-traefikservices.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: traefikservices.traefik.containo.us
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TraefikService
- plural: traefikservices
- singular: traefikservice
- scope: Namespaced
diff --git a/templates/2.3/Ressources-exemple.yml b/templates/2.3/Ressources-exemple.yml
deleted file mode 100644
index bf512dd..0000000
--- a/templates/2.3/Ressources-exemple.yml
+++ /dev/null
@@ -1,157 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: wrr2
- namespace: {{ traefik_namespace }}
-
-spec:
- weighted:
- services:
- - name: s1
- weight: 1
- port: 80
- # Optional, as it is the default value
- kind: Service
- - name: s3
- weight: 1
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: wrr1
- namespace: {{ traefik_namespace }}
-
-spec:
- weighted:
- services:
- - name: wrr2
- kind: TraefikService
- weight: 1
- - name: s3
- weight: 1
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: mirror1
- namespace: {{ traefik_namespace }}
-
-spec:
- mirroring:
- name: s1
- port: 80
- mirrors:
- - name: s3
- percent: 20
- port: 80
- - name: mirror2
- kind: TraefikService
- percent: 20
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TraefikService
-metadata:
- name: mirror2
- namespace: {{ traefik_namespace }}
-
-spec:
- mirroring:
- name: wrr2
- kind: TraefikService
- mirrors:
- - name: s2
- # Optional, as it is the default value
- kind: Service
- percent: 20
- port: 80
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: ingressroute
-spec:
- entryPoints:
- - web
- - websecure
- routes:
- - match: Host(`foo.com`) && PathPrefix(`/bar`)
- kind: Rule
- priority: 12
- # defining several services is possible and allowed, but for now the servers of
- # all the services (for a given route) get merged altogether under the same
- # load-balancing strategy.
- services:
- - name: s1
- port: 80
- healthCheck:
- path: /health
- host: baz.com
- intervalSeconds: 7
- timeoutSeconds: 60
- # strategy defines the load balancing strategy between the servers. It defaults
- # to Round Robin, and for now only Round Robin is supported anyway.
- strategy: RoundRobin
- - name: s2
- port: 433
- healthCheck:
- path: /health
- host: baz.com
- intervalSeconds: 7
- timeoutSeconds: 60
- - match: PathPrefix(`/misc`)
- services:
- - name: s3
- port: 80
- middlewares:
- - name: stripprefix
- - name: addprefix
- - match: PathPrefix(`/misc`)
- services:
- - name: s3
- # Optional, as it is the default value
- kind: Service
- port: 8443
- # scheme allow to override the scheme for the service. (ex: https or h2c)
- scheme: https
- - match: PathPrefix(`/lb`)
- services:
- - name: wrr1
- kind: TraefikService
- - match: PathPrefix(`/mirrored`)
- services:
- - name: mirror1
- kind: TraefikService
- # use an empty tls object for TLS with Let's Encrypt
- tls:
- secretName: supersecret
- options:
- name: myTLSOption
- namespace: default
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
- name: ingressroutetcp.crd
- namespace: default
-
-spec:
- entryPoints:
- - footcp
- routes:
- - match: HostSNI(`bar.com`)
- services:
- - name: whoamitcp
- port: 8080
- tls:
- secretName: foosecret
- passthrough: false
- options:
- name: myTLSOption
- namespace: default
\ No newline at end of file
diff --git a/templates/2.3/traefik-clusterrole.yml.j2 b/templates/2.3/traefik-clusterrole.yml.j2
deleted file mode 100644
index 46bbd16..0000000
--- a/templates/2.3/traefik-clusterrole.yml.j2
+++ /dev/null
@@ -1,50 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: traefik-ingress-controller
-
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['traefik-ingress-controller']
- - apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - secrets
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io
- resources:
- - ingresses
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - traefik.containo.us
- resources:
- - middlewares
- - ingressroutes
- - traefikservices
- - ingressroutetcps
- - ingressrouteudps
- - tlsoptions
- - tlsstores
- verbs:
- - get
- - list
- - watch
\ No newline at end of file
diff --git a/templates/2.3/traefik-clusterrolebinding.yml.j2 b/templates/2.3/traefik-clusterrolebinding.yml.j2
deleted file mode 100644
index 2a4398a..0000000
--- a/templates/2.3/traefik-clusterrolebinding.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: traefik-ingress-controller
-
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: traefik-ingress-controller
-subjects:
- - kind: ServiceAccount
- name: traefik-ingress-controller
- namespace: {{ traefik_namespace }}
diff --git a/templates/2.3/traefik-crd-ingressroutes.yml.j2 b/templates/2.3/traefik-crd-ingressroutes.yml.j2
deleted file mode 100644
index 0bcfd35..0000000
--- a/templates/2.3/traefik-crd-ingressroutes.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressroutes.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRoute
- plural: ingressroutes
- singular: ingressroute
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2
deleted file mode 100644
index 36b202a..0000000
--- a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressroutetcps.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRouteTCP
- plural: ingressroutetcps
- singular: ingressroutetcp
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2
deleted file mode 100644
index d7c2624..0000000
--- a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: ingressrouteudps.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: IngressRouteUDP
- plural: ingressrouteudps
- singular: ingressrouteudp
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-middlewares.yml.j2 b/templates/2.3/traefik-crd-middlewares.yml.j2
deleted file mode 100644
index d1ae35f..0000000
--- a/templates/2.3/traefik-crd-middlewares.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: middlewares.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: Middleware
- plural: middlewares
- singular: middleware
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-tlsoptions.yml.j2 b/templates/2.3/traefik-crd-tlsoptions.yml.j2
deleted file mode 100644
index 1495e0d..0000000
--- a/templates/2.3/traefik-crd-tlsoptions.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: tlsoptions.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TLSOption
- plural: tlsoptions
- singular: tlsoption
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-tlsstores.yml.j2 b/templates/2.3/traefik-crd-tlsstores.yml.j2
deleted file mode 100644
index f9a4005..0000000
--- a/templates/2.3/traefik-crd-tlsstores.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: tlsstores.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TLSStore
- plural: tlsstores
- singular: tlsstore
- scope: Namespaced
diff --git a/templates/2.3/traefik-crd-traefikservices.yml.j2 b/templates/2.3/traefik-crd-traefikservices.yml.j2
deleted file mode 100644
index 3262c43..0000000
--- a/templates/2.3/traefik-crd-traefikservices.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: traefikservices.traefik.containo.us
-
-spec:
- group: traefik.containo.us
- version: v1alpha1
- names:
- kind: TraefikService
- plural: traefikservices
- singular: traefikservice
- scope: Namespaced
\ No newline at end of file
diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2
index 876b6b4..a29ddaa 100644
--- a/templates/traefik-cm.yml.j2
+++ b/templates/traefik-cm.yml.j2
@@ -1,4 +1,9 @@
 apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: traefik
+ name: traefik-conf
 data:
 traefik.yaml: |
 global:
@@ -56,9 +61,3 @@ data:
 BackendName: keep
 BackendURL: keep
 FrontendName: keep
-kind: ConfigMap
-metadata:
- labels:
- app: traefik
- name: traefik
- namespace: {{ traefik_namespace }}
diff --git a/templates/traefik-dashboard-insecure.yml.j2 b/templates/traefik-dashboard-insecure.yml.j2
deleted file mode 100644
index 4ed4b56..0000000
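Review bot: The relocated `metadata` block in templates/traefik-cm.yml.j2 no longer carries `namespace: {{ traefik_namespace }}`, so where the `traefik-conf` ConfigMap is created now depends entirely on the task that applies the template, which is not part of this hunk. If that task does not pass `namespace: "{{ traefik_namespace }}"`, the object lands in the kubeconfig context's default namespace, and a ConfigMap outside the Traefik pods' namespace cannot be mounted by them. The same line is dropped in traefik-files.yml.j2 (previously hard-coded to `traefik`), traefik-ingressroute.yml.j2, traefik-middleware-ipwhitelist.yml.j2, traefik-sa.yml.j2 and traefik-svc.yml.j2; for the ServiceAccount and the IP-allowlist Middleware a wrong namespace would presumably leave RBAC subjects and middleware references unresolved rather than fail loudly. Either keep the `namespace:` line in each template, or add a header comment such as `# namespace is supplied by the applying k8s task` and confirm that task and the Helm release both use `traefik_namespace`. The rename from `traefik` to `traefik-conf` likewise needs every volume reference to the ConfigMap to follow.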
--- a/templates/traefik-dashboard-insecure.yml.j2
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: traefik-dashboard-insecure
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- entryPoints:
- - http
- routes:
- # Match is the rule corresponding to an underlying router.
- # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
- # but for now we only support a traefik style matching rule.
- - match: Host(`traefik.{{ traefik_domain }}`)
- # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
- # "Parameter", etc, to support simpler forms of rule matching, but for now we
- # only support "Rule".
- kind: Rule
- # (optional) Priority disambiguates rules of the same length, for route matching.
- middlewares:
-{% if ingress_whitelist is defined %}
- - name: traefik-ipwhitelist
-{% endif %}
- - name: https-only
- services:
- - name: api@internal
- kind: TraefikService
-# - name: traefik-dashboard
-# port: 8080
-# # (default 1) A weight used by the weighted round-robin strategy (WRR).
-# weight: 1
-# # (default true) PassHostHeader controls whether to leave the request's Host
-# # Header as it was before it reached the proxy, or whether to let the proxy set it
-# # to the destination (backend) host.
-# passHostHeader: true
-# responseForwarding:
-# # (default 100ms) Interval between flushes of the buffered response body to the client.
-# flushInterval: 100ms
diff --git a/templates/traefik-dashboard-svc.yml.j2 b/templates/traefik-dashboard-svc.yml.j2
deleted file mode 100644
index f6973c0..0000000
--- a/templates/traefik-dashboard-svc.yml.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: traefik
- name: traefik-dashboard
- namespace: {{ traefik_namespace }}
-
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 80
-# - name: traefik
-# port: 8080
-# protocol: TCP
- - protocol: TCP
- port: 443
- name: https
- targetPort: 443
- type: ClusterIP
- selector:
- app: traefik
diff --git a/templates/traefik-dp.yml.j2 b/templates/traefik-dp.yml.j2
deleted file mode 100644
index b7f3a54..0000000
--- a/templates/traefik-dp.yml.j2
+++ /dev/null
@@ -1,93 +0,0 @@
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
- namespace: {{ traefik_namespace }}
- name: traefik
- labels:
- app: traefik
-
-spec:
-# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %}
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app: traefik
- template:
- metadata:
- labels:
- app: traefik
- spec:
- serviceAccountName: traefik-ingress-controller
-# securityContext:
-# sysctls:
-# - name: kernel.net.ipv4.ip_unprivileged_port_start
-# value: "80"
- containers:
- - name: traefik
- image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
- args:
- - --configfile=/config/traefik.yaml
-# imagePullPolicy: IfNotPresent
- ports:
-{% for traefik_entrypoint in traefik_entrypoints %}
- - name: {{ traefik_entrypoint.name }}
- containerPort: {{ traefik_entrypoint.port }}
- protocol: {{ traefik_entrypoint.proto }}
-{% if traefik_entrypoint.hostport is defined %}
- hostPort: {{ traefik_entrypoint.hostport }}
-{% endif %}
-{% endfor %}
- readinessProbe:
- httpGet:
- path: /ping
- port: traefik
- failureThreshold: 1
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- livenessProbe:
- httpGet:
- path: /ping
- port: traefik
- failureThreshold: 3
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 1000
- runAsGroup: 1000
- allowPrivilegeEscalation: true
- resources:
- limits:
- cpu: {{ traefik_cpu_limit }}
- memory: {{ traefik_memory_limit }}
- requests:
- cpu: 100m
- memory: 20Mi
- volumeMounts:
- - mountPath: /config
- name: config
-{% if traefik_node_selector is defined %}
- nodeSelector:
- reslinger.net/entrypoint: traefik
-{% endif %}
- dnsPolicy: ClusterFirst
- hostNetwork: false
- restartPolicy: Always
- terminationGracePeriodSeconds: 1
- tolerations:
- - effect: NoSchedule
- operator: Exists
- volumes:
- - configMap:
- defaultMode: 420
- name: traefik
- name: config
diff --git a/templates/traefik-file-provider.yml.j2 b/templates/traefik-files.yml.j2
similarity index 97%
rename from templates/traefik-file-provider.yml.j2
rename to templates/traefik-files.yml.j2
index c91b56b..4a0c27e 100644
--- a/templates/traefik-file-provider.yml.j2
+++ b/templates/traefik-files.yml.j2
@@ -2,8 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: traefik-file-provider
- namespace: traefik
+ name: traefik-files
 data:
 traefik-middlewares.yaml: |
 http:
diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2
index b7f199a..587857f 100644
--- a/templates/traefik-ingressroute.yml.j2
+++ b/templates/traefik-ingressroute.yml.j2
@@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
 name: traefik
- namespace: {{ traefik_namespace }}
 labels:
 app: traefik
diff --git a/templates/traefik-middleware-basicauth.yml.j2 b/templates/traefik-middleware-basicauth.yml.j2
deleted file mode 100644
index 797fe1f..0000000
--- a/templates/traefik-middleware-basicauth.yml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: basic-auth
- namespace: {{ traefik_namespace }}
-spec:
- basicAuth:
- secret: basic-auth
\ No newline at end of file
diff --git a/templates/traefik-middleware-headers.yml.j2 b/templates/traefik-middleware-headers.yml.j2
deleted file mode 100644
index 50172d4..0000000
--- a/templates/traefik-middleware-headers.yml.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: security-headers
- namespace: {{ traefik_namespace }}
-spec:
- headers:
- browserXssFilter: "true"
- contentTypeNosniff: "true"
- forceSTSHeader: "true"
- frameDeny: "true"
- stsIncludeSubdomains: "true"
- stsPreload: "true"
- stsSeconds: "15768000"
- sslRedirect: "true"
- contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
- customFrameOptionsValue: "SAMEORIGIN"
- referrerPolicy: "same-origin"
- featurePolicy: "vibrate 'self'"
-
- # CORS
- accessControlAllowMethods:
- - "GET"
- - "OPTIONS"
- - "PUT"
- accessControlAllowOrigin: "origin-list-or-null"
- #accessControlAllowOriginList:
- # - "https://foo.bar.org"
- # - "https://example.org"
- accessControlMaxAge: 100
- addVaryHeader: "true"
\ No newline at end of file
diff --git a/templates/traefik-middleware-httpsredirect.yml.j2 b/templates/traefik-middleware-httpsredirect.yml.j2
deleted file mode 100644
index d5f4cb3..0000000
--- a/templates/traefik-middleware-httpsredirect.yml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: https-only
- namespace: {{ traefik_namespace }}
-spec:
- redirectScheme:
- scheme: https
\ No newline at end of file
diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2
index 0722f45..2e987a9 100644
--- a/templates/traefik-middleware-ipwhitelist.yml.j2
+++ b/templates/traefik-middleware-ipwhitelist.yml.j2
@@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
 name: traefik-ipwhitelist
- namespace: {{ traefik_namespace }}
 spec:
 ipWhiteList:
 sourceRange:
diff --git a/templates/traefik-ping.yml.j2 b/templates/traefik-ping.yml.j2
deleted file mode 100644
index 86666f8..0000000
--- a/templates/traefik-ping.yml.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: traefik-ping
- namespace: {{ traefik_namespace }}
- labels:
- app: traefik
-
-spec:
- entryPoints:
- - https
- routes:
- # Match is the rule corresponding to an underlying router.
- # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
- # but for now we only support a traefik style matching rule.
- - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
- # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
- # "Parameter", etc, to support simpler forms of rule matching, but for now we
- # only support "Rule".
- kind: Rule
- # (optional) Priority disambiguates rules of the same length, for route matching.
- priority: 14
- services:
- - name: ping@internal
- kind: TraefikService
-# - name: traefik-dashboard
-# port: 8080
-# # (default 1) A weight used by the weighted round-robin strategy (WRR).
-# weight: 1
-# # (default true) PassHostHeader controls whether to leave the request's Host
-# # Header as it was before it reached the proxy, or whether to let the proxy set it
-# # to the destination (backend) host.
-# passHostHeader: true
-# responseForwarding:
-# # (default 100ms) Interval between flushes of the buffered response body to the client.
-# flushInterval: 100ms
- tls:
- secretName: wildcard-cluster
- options:
- name: default
- namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/traefik-psp.yml.j2 b/templates/traefik-psp.yml.j2
deleted file mode 100644
index ac10d3d..0000000
--- a/templates/traefik-psp.yml.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
- seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
- name: traefik-ingress-controller
-spec:
- requiredDropCapabilities:
- - ALL
- allowedCapabilities:
- - NET_BIND_SERVICE
- privileged: false
- allowPrivilegeEscalation: false
- # Allow core volume types.
- volumes:
- - configMap
- - downwardAPI
- - secret
- - emptyDir
- - projected
- # - persistentVolumeClaim
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- hostPorts:
- readOnlyRootFilesystem: true
- seLinux:
- rule: 'RunAsAny'
- hostPorts:
- - max: 65535
- min: 1
- #allowedUnsafeSysctls:
- # - kernel.net.ipv4.ip_unprivileged_port_start
\ No newline at end of file
diff --git a/templates/traefik-sa.yml.j2 b/templates/traefik-sa.yml.j2
index 07c38a6..8a31290 100644
--- a/templates/traefik-sa.yml.j2
+++ b/templates/traefik-sa.yml.j2
@@ -1,5 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- namespace: {{ traefik_namespace }}
 name: traefik-ingress-controller
diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2
index 71d2044..dc82b82 100644
--- a/templates/traefik-svc.yml.j2
+++ b/templates/traefik-svc.yml.j2
@@ -5,7 +5,6 @@ metadata:
 app.kubernetes.io/instance: traefik
 app.kubernetes.io/name: traefik
 name: traefik
- namespace: {{ traefik_namespace }}
 spec:
 ports:
diff --git a/templates/traefik-tls-options.yml.j2 b/templates/traefik-tls-options.yml.j2
deleted file mode 100644
index 6f64045..0000000
--- a/templates/traefik-tls-options.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: {{ traefik_namespace }}
-
-spec:
- sniStrict: true
- minVersion: VersionTLS12
- cipherSuites:
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- curvePreferences:
- - CurveP521
- - CurveP384
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index ffe6edb..3720128 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,33 +1,3 @@
-traefik_version_2_0: 2.0.7
-traefik_2_0_list:
- - 2.0/traefik-clusterrole.yml.j2
- - 2.0/traefik-clusterrolebinding.yml.j2
- - 2.0/traefik-crd-ingressroute.yml.j2
- - 2.0/traefik-crd-ingressroutetcp.yml.j2
- - 2.0/traefik-crd-middleware.yml.j2
- - 2.0/traefik-crd-tlsoption.yml.j2
-
-traefik_version_2_1: 2.1.9
-traefik_2_1_list:
- - 2.1/traefik-clusterrole.yml.j2
- - 2.1/traefik-clusterrolebinding.yml.j2
- - 2.1/traefik-crd-ingressroute.yml.j2
- - 2.1/traefik-crd-ingressroutetcp.yml.j2
- - 2.1/traefik-crd-middleware.yml.j2
- - 2.1/traefik-crd-tlsoption.yml.j2
- - 2.1/traefik-crd-traefikservice.yml.j2
-
-traefik_version_2_2: 2.2.11
-traefik_2_2_list:
- - 2.2/traefik-crd-ingressroutes.yml.j2
- - 2.2/traefik-crd-ingressroutetcps.yml.j2
- - 2.2/traefik-crd-ingressrouteudps.yml.j2
- - 2.2/traefik-crd-middlewares.yml.j2
- - 2.2/traefik-crd-tlsoptions.yml.j2
- - 2.2/traefik-crd-tlsstores.yml.j2
- - 2.2/traefik-crd-traefikservices.yml.j2
- - 2.2/traefik-clusterrole.yml.j2
- - 2.2/traefik-clusterrolebinding.yml.j2
 traefik_version_2_3: 2.3.7
 traefik_2_3_list: