Update traefik deployment + add crowdsec bouncer

2022-06-05 11:27:24 +02:00 · 2022-06-05 11:27:24 +02:00 · 6def4562ad
commit 6def4562ad
parent 736ac64ff0
4 changed files with 46 additions and 10 deletions
--- a/templates/traefik-cm.yml.j2
+++ b/templates/traefik-cm.yml.j2
@ -19,6 +19,7 @@ data:
    #        - auth@file
    #        - secure_headers@file
    #        - crowdsec-bouncer@file
+    #        - {{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd
          redirections:
            entryPoint:
              to: websecure
@ -37,10 +38,18 @@ data:
 {% for traefik_entrypoint in traefik_entrypoints %}
      {{ traefik_entrypoint.name }}:
        address: :{{ traefik_entrypoint.port }}
-{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %}
+{% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %}
        http:
+{% if traefik_entrypoint.middlewares is defined %}
+          middlewares:
+{% for middleware in traefik_entrypoint.middlewares %}
+            - {{ middleware }}
+{% endfor %}
+{% endif %}
+{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %}
          tls: {}
 {% endif %}
+{% endif %}
 {% endfor %}
    providers:
      kubernetesCRD:
--- a/templates/traefik-files.yml.j2
+++ b/templates/traefik-files.yml.j2
@ -7,14 +7,14 @@ data:
  traefik-middlewares.yaml: |
    http:
      middlewares:
-        test_chain:
+        min_security:
          chain:
            middlewares:
-              - rate-limit
              - security_headers
 {% if ingress_whitelist is defined %}
              - traefik-ipwhitelist
 {% endif %}
+              - rate-limit
              - compress
 {% if basic_auth|bool %}
              - basic-auth
@ -41,9 +41,8 @@ data:
            stsPreload: true
            customFrameOptionsValue: "SAMEORIGIN"
            referrerPolicy: "same-origin"
-            featurePolicy: "vibrate 'self'"
+            permissionsPolicy: "vibrate 'self'"
            stsSeconds: 315360000
-            sslRedirect: true
            contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    #        customResponseHeaders:
    #          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
@ -84,7 +83,7 @@ data:
              - "Remote-Email"
        crowdsec-bouncer:
          forwardAuth:
-            address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth
+            address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
            trustForwardHeader: true

  traefik-tls-defaults-options.yaml: |