Fix a bug and add TLS configuration support

This commit is contained in:
Adrien Reslinger 2020-01-21 20:25:48 +01:00
parent 206f44c362
commit 7dff2ffc7b
7 changed files with 96 additions and 5 deletions


@ -2,12 +2,12 @@
- set_fact: - set_fact:
traefik_2_0_state: "present" traefik_2_0_state: "present"
when: when:
- traefik_version == "2.0" - traefik_version | regex_search('(2.)')
- set_fact: - set_fact:
traefik_2_0_state: "absent" traefik_2_0_state: "absent"
when: when:
- traefik_version != "2.0" - not traefik_version | regex_search('(2.0)')
- name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }} - name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }}
k8s: k8s:
@ -23,11 +23,24 @@
- 2.0/traefik-crd-ingressroutetcp.yml.j2 - 2.0/traefik-crd-ingressroutetcp.yml.j2
- 2.0/traefik-crd-middleware.yml.j2 - 2.0/traefik-crd-middleware.yml.j2
- 2.0/traefik-crd-tlsoption.yml.j2 - 2.0/traefik-crd-tlsoption.yml.j2
- 2.0/traefik-middleware-httpsredirect.yml.j2
- 2.0/traefik-middleware-basicauth.yml.j2
- 2.0/traefik-dp.yml.j2 - 2.0/traefik-dp.yml.j2
- 2.0/traefik-svc.yml.j2 - 2.0/traefik-svc.yml.j2
- 2.0/traefik-dashboard-svc.yml.j2 - 2.0/traefik-dashboard-svc.yml.j2
- 2.0/traefik-middleware-httpsredirect.yml.j2
- 2.0/traefik-middleware-basicauth.yml.j2
- 2.0/traefik-tls-options.yml.j2
- 2.0/traefik-dashboard.yml.j2 - 2.0/traefik-dashboard.yml.j2
- 2.0/traefik-dashboard-insecure.yml.j2 - 2.0/traefik-dashboard-insecure.yml.j2
- 2.0/traefik-ping.yml.j2
tags: traefik
- name: IP white list need to be {{ traefik_2_0_state }} for traefik version {{ traefik_version }}
k8s:
state: "{{ traefik_2_0_state }}"
context: "{{ my_context }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- 2.0/traefik-middleware-ipwhitelist.yml.j2
when:
- ingress_whitelist is defined or traefik_2_0_state == "absent"
tags: traefik tags: traefik
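Review bot: The two `when` conditions are no longer complementary: the present task now uses `regex_search('(2.)')`, whose unescaped dot matches a 2 followed by any character, while the absent task tests `not … regex_search('(2.0)')`, so a version such as `2.1` is set to present by the first task and immediately overwritten to absent by the second, tearing down every 2.x resource including the new TLSOption and whitelist middleware. Use one anchored, escaped expression for both, e.g. `- traefik_version is match('^2\.')` and `- not (traefik_version is match('^2\.'))`, or compute a single boolean fact and reuse it. Separately, the new IP-whitelist task still runs the template lookup when `ingress_whitelist` is undefined and the state is absent; the template's `{% for %}` over an undefined variable will presumably fail the play, so guard the loop with `ingress_whitelist | default([])` or skip the lookup in that branch.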


@ -21,6 +21,9 @@ spec:
# (optional) Priority disambiguates rules of the same length, for route matching. # (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12 priority: 12
middlewares: middlewares:
{% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist
{% endif %}
- name: https-only - name: https-only
services: services:
- name: traefik-dashboard - name: traefik-dashboard


@ -20,9 +20,14 @@ spec:
kind: Rule kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching. # (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12 priority: 12
{% if basic_auth is defined %} {% if basic_auth is defined or ingress_whitelist is defined %}
middlewares: middlewares:
{% if basic_auth is defined %}
- name: basic-auth - name: basic-auth
{% endif %}
{% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist
{% endif %}
{% endif %} {% endif %}
services: services:
- name: traefik-dashboard - name: traefik-dashboard
@ -38,3 +43,6 @@ spec:
flushInterval: 100ms flushInterval: 100ms
tls: tls:
secretName: wildcard-cluster secretName: wildcard-cluster
options:
name: default
namespace: tools
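Review bot: The `tls.options` reference added at the bottom of the hunk points at `namespace: tools`, but the TLSOption this commit creates has `namespace: traefik` in its metadata, so unless a separate `default` TLSOption already exists in `tools` the router will presumably reference a non-existent option and Traefik will refuse to serve it rather than silently falling back to defaults. Change it to `namespace: traefik` (or template both from the same variable) so the two stay in sync. The IngressRoute's `spec` begins above the hunk.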


@ -8,6 +8,8 @@ metadata:
spec: spec:
replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %}
strategy:
type: Recreate
selector: selector:
matchLabels: matchLabels:
app: traefik app: traefik
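Review bot: `strategy.type: Recreate` takes every replica down before any new pod starts, which is an availability regression for the cluster's only ingress when `replicas` is templated from the node count a few lines up, and nothing in the hunk says why the rolling default was rejected. If the reason is a hostPort or another per-node exclusive resource (not visible in this hunk), add a comment stating it, e.g. `# Recreate: pods bind a hostPort, so old and new replicas cannot coexist on a node`; otherwise `type: RollingUpdate` with `rollingUpdate: {maxSurge: 0, maxUnavailable: 1}` presumably keeps the port constraint without full downtime. The Deployment spec continues outside the hunk.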


@ -0,0 +1,11 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-ipwhitelist
namespace: traefik
spec:
ipWhiteList:
sourceRange:
{% for acl_whitelist in ingress_whitelist %}
- {{ acl_whitelist }}
{% endfor %}
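Review bot: `ipWhiteList` without an `ipStrategy` is evaluated against the TCP peer address, so if this Traefik sits behind a cloud load balancer or any other proxy (the Service templates are not in this diff, so this is inferred) every request carries the balancer's IP and the whitelist either blocks all clients or, if that IP is listed, admits everyone. Add `ipStrategy` with a `depth` matching the number of trusted hops together with `forwardedHeaders.trustedIPs` on the entrypoint (otherwise `X-Forwarded-For` is client-controlled), or enable proxy protocol with `trustedIPs`, and document which one the deployment relies on. Also quote the templated value, `- "{{ acl_whitelist }}"`, and note that an empty `ingress_whitelist` renders `sourceRange:` as null, which Traefik will presumably reject as an invalid middleware and thereby disable the routes that reference it.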


@ -0,0 +1,39 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-ping
namespace: traefik
labels:
app: traefik
spec:
entryPoints:
- https
routes:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 14
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
tls:
secretName: wildcard-cluster
options:
name: default
namespace: tools
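Review bot: The new `/ping` route carries no `middlewares`, so it is reachable without the `basic-auth` and `traefik-ipwhitelist` middlewares the dashboard route applies, and with `priority: 14` it outranks that route for `/ping`; the endpoint only returns a health status, but it is served by the same `traefik-dashboard` service on port 8080 and advertises to anyone on the internet that Traefik runs on this host. If an external health checker needs it unauthenticated, say so in a comment; otherwise attach the whitelist conditionally as the dashboard route does (`{% if ingress_whitelist is defined %}` / `- name: traefik-ipwhitelist`). The `tls.options` block at the end references `namespace: tools` while the TLSOption added in this commit is created in `namespace: traefik`; the two should agree.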


@ -0,0 +1,15 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: traefik
spec:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
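Review bot: The last two suites, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, are CBC-mode suites with an HMAC-SHA1 MAC; they weaken an otherwise AEAD-only list and are only needed by very old clients, so either drop them or add a comment naming the client that requires them. The list contains only `ECDHE_RSA` suites, so if `wildcard-cluster` ever holds an ECDSA certificate no TLS 1.2 suite will be negotiable and handshakes will fail; adding the `TLS_ECDHE_ECDSA_*` counterparts of the AEAD suites avoids that, and it is worth a comment that `cipherSuites` does not apply to TLS 1.3 in Go, which Traefik is built on. Note also that the option is named `default`, which, as far as I recall, Traefik treats as the fallback for routers with no explicit `tls.options` — presumably intended, but worth stating in a comment, especially since the IngressRoutes in this commit reference it in namespace `tools` rather than the `traefik` namespace set here.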