Fix a bug and add TLS configuration support

2020-01-21 20:25:48 +01:00 · 2020-01-21 20:25:48 +01:00 · 7dff2ffc7b
commit 7dff2ffc7b
parent 206f44c362
7 changed files with 96 additions and 5 deletions
--- a/tasks/version_2.0.yml
+++ b/tasks/version_2.0.yml
@ -2,12 +2,12 @@
 - set_fact:
    traefik_2_0_state: "present"
  when:
-    - traefik_version == "2.0"
+    - traefik_version | regex_search('(2.)')

 - set_fact:
    traefik_2_0_state: "absent"
  when:
-    - traefik_version != "2.0"
+    - not traefik_version | regex_search('(2.0)')

 - name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }}
  k8s:
@ -23,11 +23,24 @@
    - 2.0/traefik-crd-ingressroutetcp.yml.j2
    - 2.0/traefik-crd-middleware.yml.j2
    - 2.0/traefik-crd-tlsoption.yml.j2
-    - 2.0/traefik-middleware-httpsredirect.yml.j2
-    - 2.0/traefik-middleware-basicauth.yml.j2
    - 2.0/traefik-dp.yml.j2
    - 2.0/traefik-svc.yml.j2
    - 2.0/traefik-dashboard-svc.yml.j2
+    - 2.0/traefik-middleware-httpsredirect.yml.j2
+    - 2.0/traefik-middleware-basicauth.yml.j2
+    - 2.0/traefik-tls-options.yml.j2
    - 2.0/traefik-dashboard.yml.j2
    - 2.0/traefik-dashboard-insecure.yml.j2
+    - 2.0/traefik-ping.yml.j2
+  tags: traefik
+
+- name: IP white list need to be {{ traefik_2_0_state }} for traefik version {{ traefik_version }} 
+  k8s:
+    state: "{{ traefik_2_0_state }}"
+    context: "{{ my_context }}"
+    resource_definition: "{{ lookup('template', item) | from_yaml }}"
+  with_items:
+    - 2.0/traefik-middleware-ipwhitelist.yml.j2
+  when:
+    - ingress_whitelist is defined or traefik_2_0_state == "absent"
  tags: traefik
--- a/templates/2.0/traefik-dashboard-insecure.yml.j2
+++ b/templates/2.0/traefik-dashboard-insecure.yml.j2
@ -21,6 +21,9 @@ spec:
    # (optional) Priority disambiguates rules of the same length, for route matching.
    priority: 12
    middlewares:
+{% if ingress_whitelist is defined %}
+      - name: traefik-ipwhitelist
+{% endif %}
      - name: https-only
    services:
    - name: traefik-dashboard
--- a/templates/2.0/traefik-dashboard.yml.j2
+++ b/templates/2.0/traefik-dashboard.yml.j2
@ -20,9 +20,14 @@ spec:
    kind: Rule
    # (optional) Priority disambiguates rules of the same length, for route matching.
    priority: 12
-{% if basic_auth is defined %}
+{% if basic_auth is defined or ingress_whitelist is defined %}
    middlewares:
+{% if basic_auth is defined %}
      - name: basic-auth
+{% endif %}
+{% if ingress_whitelist is defined %}
+      - name: traefik-ipwhitelist
+{% endif %}
 {% endif %}
    services:
    - name: traefik-dashboard
@ -38,3 +43,6 @@ spec:
        flushInterval: 100ms
  tls:
    secretName: wildcard-cluster
+    options:
+      name: default
+      namespace: tools
--- a/templates/2.0/traefik-dp.yml.j2
+++ b/templates/2.0/traefik-dp.yml.j2
@ -8,6 +8,8 @@ metadata:

 spec:
  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
+  strategy:
+    type: Recreate
  selector:
    matchLabels:
      app: traefik
--- a/templates/2.0/traefik-middleware-ipwhitelist.yml.j2
+++ b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2
@ -0,0 +1,11 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-ipwhitelist
+  namespace: traefik
+spec:
+  ipWhiteList:
+    sourceRange:
+{% for acl_whitelist in ingress_whitelist %}
+      - {{ acl_whitelist }}
+{% endfor %}
--- a/templates/2.0/traefik-ping.yml.j2
+++ b/templates/2.0/traefik-ping.yml.j2
@ -0,0 +1,39 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ping
+  namespace: traefik
+  labels:
+    app: traefik
+
+spec:
+  entryPoints:
+    - https
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+  # but for now we only support a traefik style matching rule.
+  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+    # "Parameter", etc, to support simpler forms of rule matching, but for now we
+    # only support "Rule".
+    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 14
+    services:
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
+  tls:
+    secretName: wildcard-cluster
+    options:
+      name: default
+      namespace: tools
--- a/templates/2.0/traefik-tls-options.yml.j2
+++ b/templates/2.0/traefik-tls-options.yml.j2
@ -0,0 +1,15 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: traefik
+
+spec:
+  sniStrict: true
+  minVersion: VersionTLS12
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA