From 7dff2ffc7bfc65769192759920fb5020cb189e88 Mon Sep 17 00:00:00 2001 From: Adrien Date: Tue, 21 Jan 2020 20:25:48 +0100 Subject: [PATCH] Fix a bug and add TLS configuration support --- tasks/version_2.0.yml | 21 ++++++++-- .../2.0/traefik-dashboard-insecure.yml.j2 | 3 ++ templates/2.0/traefik-dashboard.yml.j2 | 10 ++++- templates/2.0/traefik-dp.yml.j2 | 2 + .../2.0/traefik-middleware-ipwhitelist.yml.j2 | 11 ++++++ templates/2.0/traefik-ping.yml.j2 | 39 +++++++++++++++++++ templates/2.0/traefik-tls-options.yml.j2 | 15 +++++++ 7 files changed, 96 insertions(+), 5 deletions(-) create mode 100644 templates/2.0/traefik-middleware-ipwhitelist.yml.j2 create mode 100644 templates/2.0/traefik-ping.yml.j2 create mode 100644 templates/2.0/traefik-tls-options.yml.j2 diff --git a/tasks/version_2.0.yml b/tasks/version_2.0.yml index b251ba9..f0ecadc 100644 --- a/tasks/version_2.0.yml +++ b/tasks/version_2.0.yml @@ -2,12 +2,12 @@ - set_fact: traefik_2_0_state: "present" when: - - traefik_version == "2.0" + - traefik_version | regex_search('(2.)') - set_fact: traefik_2_0_state: "absent" when: - - traefik_version != "2.0" + - not traefik_version | regex_search('(2.0)') - name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }} k8s: 
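Review bot: The two `set_fact` conditions in this hunk no longer mirror each other: `present` is set when `(2.)` matches but `absent` when `(2.0)` does not, so for a version such as `2.1` both tasks fire and the later one wins, leaving `traefik_2_0_state` as `absent`. Both patterns are also unanchored with an unescaped dot, so `12.x` or `2x` would match as well. One anchored test keeps the pair consistent, e.g. `- traefik_version is match('^2\\.')` and `- not (traefik_version is match('^2\\.'))`, or collapse the two tasks into a single `set_fact` with a ternary. The enclosing task list continues outside the hunk.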
@@ -23,11 +23,24 @@ - 2.0/traefik-crd-ingressroutetcp.yml.j2 - 2.0/traefik-crd-middleware.yml.j2 - 2.0/traefik-crd-tlsoption.yml.j2 - - 2.0/traefik-middleware-httpsredirect.yml.j2 - - 2.0/traefik-middleware-basicauth.yml.j2 - 2.0/traefik-dp.yml.j2 - 2.0/traefik-svc.yml.j2 - 2.0/traefik-dashboard-svc.yml.j2 + - 2.0/traefik-middleware-httpsredirect.yml.j2 + - 2.0/traefik-middleware-basicauth.yml.j2 + - 2.0/traefik-tls-options.yml.j2 - 2.0/traefik-dashboard.yml.j2 - 2.0/traefik-dashboard-insecure.yml.j2 + - 2.0/traefik-ping.yml.j2 + tags: traefik + +- name: IP white list need to be {{ traefik_2_0_state }} for traefik version {{ traefik_version }} + k8s: + state: "{{ traefik_2_0_state }}" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - 2.0/traefik-middleware-ipwhitelist.yml.j2 + when: + - ingress_whitelist is defined or traefik_2_0_state == "absent" tags: traefik diff --git a/templates/2.0/traefik-dashboard-insecure.yml.j2 b/templates/2.0/traefik-dashboard-insecure.yml.j2 index f3b1386..9b64270 100644 --- a/templates/2.0/traefik-dashboard-insecure.yml.j2 +++ b/templates/2.0/traefik-dashboard-insecure.yml.j2 @@ -21,6 +21,9 @@ spec: # (optional) Priority disambiguates rules of the same length, for route matching. priority: 12 middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} - name: https-only services: - name: traefik-dashboard diff --git a/templates/2.0/traefik-dashboard.yml.j2 b/templates/2.0/traefik-dashboard.yml.j2 index 085db70..064ddc0 100644 --- a/templates/2.0/traefik-dashboard.yml.j2 +++ b/templates/2.0/traefik-dashboard.yml.j2 
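Review bot: The new whitelist task guards only on `ingress_whitelist is defined`, which admits an empty list: `ingress_whitelist: []` renders a Middleware whose `sourceRange` is null, and Traefik, as far as I recall, refuses to build an ipWhiteList with no ranges, so every router referencing `traefik-ipwhitelist` fails rather than falls open. That is the safe failure direction, but it only shows up in Traefik's logs after the deploy. An up-front check gives an explicit error instead: add before this task `- assert: { that: "ingress_whitelist | length > 0", fail_msg: "ingress_whitelist must list at least one CIDR" }` with `when: ingress_whitelist is defined`. The templates in this commit use the same `is defined` test, so any tightened condition has to stay in sync with them.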
@@ -20,9 +20,14 @@ spec: kind: Rule # (optional) Priority disambiguates rules of the same length, for route matching. priority: 12 -{% if basic_auth is defined %} +{% if basic_auth is defined or ingress_whitelist is defined %} middlewares: +{% if basic_auth is defined %} - name: basic-auth +{% endif %} +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} {% endif %} services: - name: traefik-dashboard @@ -38,3 +43,6 @@ spec: flushInterval: 100ms tls: secretName: wildcard-cluster + options: + name: default + namespace: tools diff --git a/templates/2.0/traefik-dp.yml.j2 b/templates/2.0/traefik-dp.yml.j2 index 5214740..b291ce1 100644 --- a/templates/2.0/traefik-dp.yml.j2 +++ b/templates/2.0/traefik-dp.yml.j2 @@ -8,6 +8,8 @@ metadata: spec: replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} + strategy: + type: Recreate selector: matchLabels: app: traefik diff --git a/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 new file mode 100644 index 0000000..00ee429 --- /dev/null +++ b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 @@ -0,0 +1,11 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: traefik-ipwhitelist + namespace: traefik +spec: + ipWhiteList: + sourceRange: +{% for acl_whitelist in ingress_whitelist %} + - {{ acl_whitelist }} +{% endfor %} diff --git a/templates/2.0/traefik-ping.yml.j2 b/templates/2.0/traefik-ping.yml.j2 new file mode 100644 index 0000000..53ab4d1 --- /dev/null +++ b/templates/2.0/traefik-ping.yml.j2 
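Review bot: In the middleware list of `traefik-dashboard.yml.j2`, `basic-auth` is declared before `traefik-ipwhitelist`, and Traefik runs middlewares in declaration order, so a request from outside the allowed ranges is answered by the auth challenge first and the IP filter is only reached once valid credentials are presented. That leaves the credential check reachable, and guessable, from any source address, which is the opposite of what the whitelist is for. Swap the two `{% if %}` blocks so the rendered list reads `- name: traefik-ipwhitelist` and then `- name: basic-auth`, matching the whitelist-first placement used in the insecure-dashboard route of this patch.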
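Review bot: The `tls.options` reference added at the end of `traefik-dashboard.yml.j2` points at `name: default` in `namespace: tools`, but the TLSOption this commit creates in `traefik-tls-options.yml.j2` lives in `namespace: traefik`. For the Kubernetes CRD provider, Traefik resolves a namespaced reference as `<namespace>-<name>`, so this becomes `tools-default`, which nothing in the patch creates; unless such an object already exists in `tools`, expect an unknown-TLS-options error for the router and the hardened `minVersion`/cipher settings will not be in effect. Either change the reference to `namespace: traefik`, or rely on the fact that a TLSOption named `default` becomes the provider-wide default in Traefik 2.x and drop the explicit `options:` block. The same `tools` reference is repeated in the new `traefik-ping.yml.j2`.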
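Review bot: The new `ipWhiteList` middleware sets only `sourceRange` and no `ipStrategy`, so Traefik compares the ranges against the TCP peer address. If the traefik Service is exposed through a cloud LoadBalancer or any other proxy that does not preserve the client address (for example `externalTrafficPolicy: Cluster`, or no PROXY protocol / trusted `X-Forwarded-For`), the peer is the node or balancer IP and the list either blocks everyone or, if that IP is in range, admits everyone; I cannot see the Service template here, so please confirm how client IPs reach the pods. If a trusted forwarder is in front, add `ipStrategy:` with a `depth:` matching the number of proxies and configure `forwardedHeaders.trustedIPs` on the entrypoint; otherwise record the assumption with `# sourceRange is matched against the direct peer IP; requires externalTrafficPolicy: Local`. Also quote the templated entries, `- "{{ acl_whitelist }}"`, so an unexpected value cannot change the YAML type.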
@@ -0,0 +1,39 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ping + namespace: traefik + labels: + app: traefik + +spec: + entryPoints: + - https + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 14 + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms + tls: + secretName: wildcard-cluster + options: + name: default + namespace: tools \ No newline at end of file diff --git a/templates/2.0/traefik-tls-options.yml.j2 b/templates/2.0/traefik-tls-options.yml.j2 new file mode 100644 index 0000000..a37696e --- /dev/null +++ b/templates/2.0/traefik-tls-options.yml.j2 @@ -0,0 +1,15 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: traefik + +spec: + sniStrict: true + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
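Review bot: The new `traefik-ping` IngressRoute has no `middlewares:` at all and, with `priority: 14`, wins over the dashboard route (`priority: 12`) for the same host, so anything under `/ping` reaches the admin backend on port 8080 with neither `basic-auth` nor `traefik-ipwhitelist` applied even when those are configured. If a public health check is the intent, say so, `# deliberately unauthenticated: used by external health checks`, and narrow the matcher from a `PathPrefix` on `/ping` to an exact `Path` match so only that endpoint is exposed; otherwise add the same `{% if ingress_whitelist is defined %}` middleware block the dashboard route uses. The `tls.options` reference here also names `namespace: tools` while the TLSOption in this patch is created in `traefik`, and the file is missing its trailing newline.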
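Review bot: The cipher list in the new TLSOption ends with `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, which are non-AEAD CBC suites with SHA-1 MACs; they are exactly what `minVersion: VersionTLS12` plus a curated list is usually meant to exclude (Mozilla's intermediate profile drops them), so remove those two lines unless a known legacy client needs them, in which case add a comment naming it. Two caveats deserve a comment in the file: Go does not allow configuring TLS 1.3 suites, so this list only governs TLS 1.2 handshakes, and it contains only `ECDHE_RSA` suites, which is fine if the `wildcard-cluster` certificate is RSA but leaves an ECDSA certificate with no usable suite. Because the object is named `default`, Traefik 2.x treats it as the provider-wide default TLSOption and applies it to every router without an explicit `options:` reference; state that in a comment, since the other templates in this patch reference it under a different namespace.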