adrien/ansible-role-k8s-traefik
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Update traefik deployment + add crowdsec bouncer
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Adrien Reslinger 2022-06-05 11:27:24 +02:00
parent 736ac64ff0
commit 6def4562ad
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
4 changed files with 46 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

9
defaults/main.yml
View file

@ -1,5 +1,5 @@
my_context: kubernetes my_context: kubernetes
traefik_version: "2.6.1" traefik_version: "2.7.0"
cluster_domain: "local" cluster_domain: "local"
traefik_namespace: "traefik" traefik_namespace: "traefik"
traefik_service_type: LoadBalancer traefik_service_type: LoadBalancer
@ -12,11 +12,14 @@ traefik_service_type: LoadBalancer
traefik_cpu_limit: 500m traefik_cpu_limit: 500m
traefik_memory_limit: 300Mi traefik_memory_limit: 300Mi
traefik_entrypoints: [] traefik_entrypoints: []
# - { name: "http", port: 8000, proto: "TCP", hostport: 80 } # - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } # - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
# - { name: "traefik", port: 8080, proto: "TCP" } # - { name: "traefik", port: 8080, proto: "TCP" }
#traefik_external_ips: [] #traefik_external_ips: []
# - 1.2.3.4 # - 1.2.3.4
basic_auth: false basic_auth: false
#traefik_dashboard_certificate: wildcard-cluster #traefik_dashboard_certificate: wildcard-cluster
crowdsec_namespace: "crowdsec"
crowdsec_traefik_bouncer_chart_version: "0.1.0"

25
tasks/main.yml
View file

@ -45,6 +45,31 @@
when: when:
- traefik_node_selector is defined - traefik_node_selector is defined
- name: Deploy latest version of CrowdSec Traefik bouncer
kubernetes.core.helm:
context: "{{ my_context }}"
name: crowdsec-traefik-bouncer
release_namespace: "{{ traefik_namespace }}"
create_namespace: yes
chart_ref: crowdsec/crowdsec-traefik-bouncer
chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}"
values:
bouncer:
crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}"
crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080"
replicaCount: 1
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
when:
- traefik_crowdsec_bouncer_apikey is defined
# - name: Get Deployment information object # - name: Get Deployment information object
# k8s_info: # k8s_info:
# context: "{{ my_context }}" # context: "{{ my_context }}"

11
templates/traefik-cm.yml.j2
View file

@ -19,6 +19,7 @@ data:
# - auth@file # - auth@file
# - secure_headers@file # - secure_headers@file
# - crowdsec-bouncer@file # - crowdsec-bouncer@file
# - {{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd
redirections: redirections:
entryPoint: entryPoint:
to: websecure to: websecure
@ -37,10 +38,18 @@ data:
{% for traefik_entrypoint in traefik_entrypoints %} {% for traefik_entrypoint in traefik_entrypoints %}
{{ traefik_entrypoint.name }}: {{ traefik_entrypoint.name }}:
address: :{{ traefik_entrypoint.port }} address: :{{ traefik_entrypoint.port }}
{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %} {% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %}
http: http:
{% if traefik_entrypoint.middlewares is defined %}
middlewares:
{% for middleware in traefik_entrypoint.middlewares %}
- {{ middleware }}
{% endfor %}
{% endif %}
{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %}
tls: {} tls: {}
{% endif %} {% endif %}
{% endif %}
{% endfor %} {% endfor %}
providers: providers:
kubernetesCRD: kubernetesCRD:

9
templates/traefik-files.yml.j2
View file

@ -7,14 +7,14 @@ data:
traefik-middlewares.yaml: | traefik-middlewares.yaml: |
http: http:
middlewares: middlewares:
test_chain: min_security:
chain: chain:
middlewares: middlewares:
- rate-limit
- security_headers - security_headers
{% if ingress_whitelist is defined %} {% if ingress_whitelist is defined %}
- traefik-ipwhitelist - traefik-ipwhitelist
{% endif %} {% endif %}
- rate-limit
- compress - compress
{% if basic_auth|bool %} {% if basic_auth|bool %}
- basic-auth - basic-auth
@ -41,9 +41,8 @@ data:
stsPreload: true stsPreload: true
customFrameOptionsValue: "SAMEORIGIN" customFrameOptionsValue: "SAMEORIGIN"
referrerPolicy: "same-origin" referrerPolicy: "same-origin"
featurePolicy: "vibrate 'self'" permissionsPolicy: "vibrate 'self'"
stsSeconds: 315360000 stsSeconds: 315360000
sslRedirect: true
contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
# customResponseHeaders: # customResponseHeaders:
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
@ -84,7 +83,7 @@ data:
- "Remote-Email" - "Remote-Email"
crowdsec-bouncer: crowdsec-bouncer:
forwardAuth: forwardAuth:
address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
trustForwardHeader: true trustForwardHeader: true
traefik-tls-defaults-options.yaml: | traefik-tls-defaults-options.yaml: |