diff --git a/defaults/main.yml b/defaults/main.yml index 576f812..f1807c9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,23 +3,23 @@ traefik_version: "2.8.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer -#ingress_whitelist: -# - 10.96.0.0/12 -# - 10.244.0.0/16 -# - 192.168.0.0/24 -#traefik_node_selector: -# - localhost +# ingress_whitelist: +# - 10.96.0.0/12 +# - 10.244.0.0/16 +# - 192.168.0.0/24 +# traefik_node_selector: +# - localhost traefik_cpu_limit: 500m traefik_memory_limit: 300Mi traefik_entrypoints: [] -# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } -# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } -# - { name: "traefik", port: 8080, proto: "TCP" } -#traefik_external_ips: [] -# - 1.2.3.4 +# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } +# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } +# - { name: "traefik", port: 8080, proto: "TCP" } +# traefik_external_ips: [] +# - 1.2.3.4 basic_auth: false -#traefik_dashboard_certificate: wildcard-cluster +# traefik_dashboard_certificate: wildcard-cluster crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.0" diff --git a/meta/main.yml b/meta/main.yml index 65154b8..22bf70c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,6 +8,6 @@ galaxy_info: collections: - kubernetes.core platforms: - - name: kubernetes - version: - - all + - name: kubernetes + version: + - all diff --git a/tasks/main.yml b/tasks/main.yml index 927e442..1f5200d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,161 +1,161 @@ - name: traefik setup block: - - name: namespace - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - merge_type: merge - definition: - api_version: v1 - kind: Namespace - metadata: - name: '{{ traefik_namespace }}' - labels: - namespace: '{{ traefik_namespace }}' + - name: namespace + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + merge_type: merge + definition: + api_version: v1 + kind: Namespace + metadata: + name: '{{ traefik_namespace }}' + labels: + namespace: '{{ traefik_namespace }}' - - name: Create a Secret object for basic authentification - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' - definition: - apiVersion: v1 - kind: Secret - metadata: - name: basic-auth - type: Opaque - data: - basic_auth: "{{ basic_auth_data | b64encode }}" - when: - - basic_auth|bool + - name: Create a Secret object for basic authentification + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - basic_auth|bool - - name: Add host label for traefik deployment - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - definition: - apiVersion: v1 - kind: Node - metadata: - name: "{{ item }}" - labels: - entrypoint: traefik - with_items: - - '{{ traefik_node_selector }}' - when: - - traefik_node_selector is defined + - name: Add host label for traefik deployment + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Node + metadata: + name: "{{ item }}" + labels: + entrypoint: traefik + with_items: + - '{{ traefik_node_selector }}' + when: + - traefik_node_selector is defined - - name: Deploy latest version of CrowdSec Traefik bouncer - kubernetes.core.helm: - context: "{{ 
my_context }}" - name: crowdsec-traefik-bouncer - release_namespace: "{{ traefik_namespace }}" - create_namespace: true - chart_ref: crowdsec/crowdsec-traefik-bouncer - chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" - values: - bouncer: - crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" - crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" - replicaCount: 1 - podSecurityContext: - fsGroup: 2000 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - when: - - traefik_crowdsec_bouncer_apikey is defined + - name: Deploy latest version of CrowdSec Traefik bouncer + kubernetes.core.helm: + context: "{{ my_context }}" + name: crowdsec-traefik-bouncer + release_namespace: "{{ traefik_namespace }}" + create_namespace: true + chart_ref: crowdsec/crowdsec-traefik-bouncer + chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" + values: + bouncer: + crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" + crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" + replicaCount: 1 + podSecurityContext: + fsGroup: 2000 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + when: + - traefik_crowdsec_bouncer_apikey is defined -# - name: Get Deployment information object -# kubernetes.core.k8s_info: -# context: "{{ my_context }}" -# api_version: v1 -# kind: DaemonSet -# name: traefik -# namespace: '{{ traefik_namespace }}' -# field_selectors: -# - spec.template.spec.containers.image -# register: traefik_actual_resources -# -# - name: Retreive actual traefik version -# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq -# register: traefik_actual_version -# -# - name: Remove old traefik version {{ traefik_actual_version.stdout }} -# kubernetes.core.k8s: -# state: "absent" -# 
context: "{{ my_context }}" -# resource_definition: "{{ lookup('template', item) | from_yaml }}" -# with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse -# when: -# - not traefik_actual_version.stdout == "[]" -# - not traefik_version == traefik_actual_version.stdout -# - traefik_actual_version.stdout is version(traefik_version, '>') +# - name: Get Deployment information object +# kubernetes.core.k8s_info: +# context: "{{ my_context }}" +# api_version: v1 +# kind: DaemonSet +# name: traefik +# namespace: '{{ traefik_namespace }}' +# field_selectors: +# - spec.template.spec.containers.image +# register: traefik_actual_resources +# +# - name: Retreive actual traefik version +# ansible.builtin.shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq +# register: traefik_actual_version +# +# - name: Remove old traefik version {{ traefik_actual_version.stdout }} +# kubernetes.core.k8s: +# state: "absent" +# context: "{{ my_context }}" +# resource_definition: "{{ lookup('template', item) | from_yaml }}" +# with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse +# when: +# - not traefik_actual_version.stdout == "[]" +# - not traefik_version == traefik_actual_version.stdout +# - traefik_actual_version.stdout is version(traefik_version, '>') - - name: Defined traefik repository - kubernetes.core.helm_repository: - name: traefik - repo_url: "https://helm.traefik.io/traefik" - - name: Deploy latest version of Traefik - kubernetes.core.helm: - context: "{{ my_context }}" - name: traefik - chart_ref: traefik/traefik - release_namespace: "{{ traefik_namespace }}" - values: 
"{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" + - name: Defined traefik repository + kubernetes.core.helm_repository: + name: traefik + repo_url: "https://helm.traefik.io/traefik" + - name: Deploy latest version of Traefik + kubernetes.core.helm: + context: "{{ my_context }}" + name: traefik + chart_ref: traefik/traefik + release_namespace: "{{ traefik_namespace }}" + values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - - name: Install traefik configuration - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-certificate.yml.j2 - - traefik-cm.yml.j2 - - traefik-files.yml.j2 -# - traefik-sa.yml.j2 - - traefik-ingressroute.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-defaultbackend.yml.j2 + - name: Install traefik configuration + kubernetes.core.k8s: + state: "present" + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge + apply: true + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-certificate.yml.j2 + - traefik-cm.yml.j2 + - traefik-files.yml.j2 +# - traefik-sa.yml.j2 + - traefik-ingressroute.yml.j2 +# - traefik-svc.yml.j2 +# - traefik-defaultbackend.yml.j2 - - name: Install traefik plugin's - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml_all }}" - with_items: - - traefik-ondemand-plugin.yml.j2 - when: - - traefik_ondemand is defined + - name: Install traefik plugin's + kubernetes.core.k8s: + state: "present" 
+ context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge + apply: true + resource_definition: "{{ lookup('template', item) | from_yaml_all }}" + with_items: + - traefik-ondemand-plugin.yml.j2 + when: + - traefik_ondemand is defined - - name: Defined traefik-hub repository - kubernetes.core.helm_repository: - name: traefik-hub - repo_url: "https://helm.traefik.io/hub" - when: - - traefik_hub_token is defined - - name: Deploy latest version of Traefik-hub - kubernetes.core.helm: - context: "{{ my_context }}" - name: hub-agent - chart_ref: traefik-hub/hub-agent - release_namespace: "{{ traefik_namespace }}" - values: - token: "{{ traefik_hub_token }}" - when: - - traefik_hub_token is defined + - name: Defined traefik-hub repository + kubernetes.core.helm_repository: + name: traefik-hub + repo_url: "https://helm.traefik.io/hub" + when: + - traefik_hub_token is defined + - name: Deploy latest version of Traefik-hub + kubernetes.core.helm: + context: "{{ my_context }}" + name: hub-agent + chart_ref: traefik-hub/hub-agent + release_namespace: "{{ traefik_namespace }}" + values: + token: "{{ traefik_hub_token }}" + when: + - traefik_hub_token is defined tags: traefik diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 6f92802..40f342f 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -29,10 +29,10 @@ data: burst: 50 security_headers: headers: - # accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] + accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] # accessControlAllowOrigin: "origin-list-or-null" - # accessControlMaxAge: 100 - # addVaryHeader: true + accessControlMaxAge: 100 + addVaryHeader: true browserXssFilter: true contentTypeNosniff: true forceSTSHeader: true 
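Review bot: Enabling `accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]` pre-approves a state-changing method cross-origin, yet no allowed-origin option is configured (`accessControlAllowOrigin` stays commented out), so as far as the hunk shows browsers will still refuse cross-origin requests because no `Access-Control-Allow-Origin` is emitted and the grant is dormant until an origin list is added. When that list is added it should be an explicit set of hosts rather than a wildcard; in Traefik 2.x the option is `accessControlAllowOriginList`, the single-value `accessControlAllowOrigin` shown in the comment being deprecated. A comment above the methods line would record the dependency, e.g. `# CORS: only takes effect once accessControlAllowOriginList is set; keep that list explicit, PUT is state-changing`. `accessControlMaxAge: 100` is a preflight cache lifetime in seconds; worth saying so inline since the unit is not obvious from the key.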
@@ -42,11 +42,14 @@ data:
 customFrameOptionsValue: "SAMEORIGIN"
 referrerPolicy: "same-origin"
 permissionsPolicy: "vibrate 'self'"
+ permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';"
 stsSeconds: 315360000
- contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
+ # contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
 # customResponseHeaders:
 # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
 # server: ""
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
 {% if ingress_whitelist is defined %}
 traefik-ipwhitelist:
 ipWhiteList:
@@ -99,6 +102,9 @@ data:
 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ alpnProtocols:
+ - h2
+ - http/1.1
 {% if false %}
 stores:
 default:
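Review bot: The added `permissionsPolicy` line creates a duplicate mapping key, because the existing `permissionsPolicy: "vibrate 'self'"` directly above it is kept; whichever parser consumes the rendered ConfigMap will either reject the duplicate or silently keep only the last value, so one of the two settings is lost. The new value is also written in the older Feature-Policy grammar, while Traefik's `permissionsPolicy` option emits a `Permissions-Policy` header, whose grammar is `camera=(), microphone=(), geolocation=(), payment=()`; replacing both lines with `permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=()"` fixes both points. Commenting out `contentSecurityPolicy` removes the CSP header entirely rather than tightening the weak `'unsafe-inline'` policy; if it was disabled because it broke something, a one-line comment above it saying what broke and what is meant to replace it would stop the next reader from re-enabling it blindly. `hostsProxyHeaders: ["X-Forwarded-Host"]` makes Traefik trust that header for host-based decisions, which is only safe when the proxy in front of it sets it; a comment naming that proxy would document the assumption.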