diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..7431326 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,13 @@ +my_context: kubernetes +traefik_version: 2.0 +traefik_domain: "local" +#ingress_whitelist: +# - 10.96.0.0/12 +# - 10.244.0.0/16 +# - 192.168.0.0/24 +traefik_node_selector: + - localhost +traefik_cpu_limit: 500m +traefik_memory_limit: 300Mi + +basic_auth: false diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..46714f0 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,7 @@ +galaxy_info: + author: Adrien Reslinger + description: Install traefik to a kubernetes cluster + company: Personnal + min_ansible_version: 2.6 + galaxy_tags: [] + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..1e1d118 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,49 @@ +#- debug: var=my_context +# tags: traefik + +- name: traefik setup + block: + - name: namespace + k8s: + state: present + context: "{{ my_context }}" + name: tools + api_version: v1 + kind: Namespace + + - name: Create a Secret object for basic authentification + k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + namespace: tools + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - basic_auth == true + tags: traefik + + - name: Get Deployment information object + k8s_facts: + context: "{{ my_context }}" + api_version: v1 + kind: Deployment + name: traefik + namespace: tools + field_selectors: + - spec.template.spec.containers.image + register: traefik_actual_resources + + - name: Retreive actual traefik version + shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:v\([.0-9]*\).*/\1/" | uniq + register: traefik_actual_version + + - name: install / uninstall version 2.0 + include_tasks: "version_2.0.yml" + when: + - traefik_version == 2.0 or traefik_actual_version.stdout == 2.0 
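Review bot: `traefik_version: 2.0` is parsed as the float 2.0, and the role compares it three different ways: `traefik_version == 2.0` in tasks/main.yml, `traefik_version == "2.0"` in tasks/version_2.0.yml, and `traefik_actual_version.stdout == 2.0` against shell output; with the default value the string comparison in version_2.0.yml is false, so `traefik_2_0_state` becomes `"absent"` and the include tears the deployment down instead of installing it. Quote the version, `traefik_version: "2.0"`, and compare it as a string everywhere (`traefik_version == "2.0"`); the image tag `traefik:{{ traefik_version }}` renders the same either way. `basic_auth_data`, which the Secret task reads whenever `basic_auth` is true, is not declared here — add a commented placeholder (`#basic_auth_data: "user:<htpasswd hash>"`) so the required input is discoverable and documented next to `basic_auth`.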
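Review bot: The `Retreive actual traefik version` task in the tasks/main.yml hunk pipes the whole registered `resources` structure through `echo "…"` in a shell, so any string present on the live Deployment (labels, annotations, args) is interpolated into the command line, and its `sed` expects an image of the form `traefik:v2.0` while traefik-dp.yml.j2 renders `traefik:2.0`, so the capture group never matches. Keep the extraction in Jinja instead, something like `set_fact: traefik_actual_version: "{{ traefik_actual_resources.resources | to_json | regex_search('traefik:v?([.0-9]+)', '\\1') | default([''], true) | first }}"`, and compare with `traefik_actual_version == "2.0"` (the current `.stdout == 2.0` compares a string with a float and is always false). I am not certain `field_selectors: spec.template.spec.containers.image` is an accepted field selector for Deployments — confirm, or drop it since the task already selects by `name`. Also fix the task name typo, `Retrieve actual traefik version`.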
diff --git a/tasks/version_2.0.yml b/tasks/version_2.0.yml new file mode 100644 index 0000000..9ba5e12 --- /dev/null +++ b/tasks/version_2.0.yml @@ -0,0 +1,33 @@ +--- +- set_fact: + traefik_2_0_state: "present" + when: + - traefik_version == "2.0" + +- set_fact: + traefik_2_0_state: "absent" + when: + - traefik_version != "2.0" + +- name: traefik files + k8s: + state: "{{ traefik_2_0_state }}" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - 2.0/traefik-cm.yml.j2 + - 2.0/traefik-sa.yml.j2 + - 2.0/traefik-clusterrole.yml.j2 + - 2.0/traefik-clusterrolebinding.yml.j2 + - 2.0/traefik-crd-ingressroute.yml.j2 + - 2.0/traefik-crd-ingressroutetcp.yml.j2 + - 2.0/traefik-crd-middleware.yml.j2 + - 2.0/traefik-crd-tlsoption.yml.j2 + - 2.0/traefik-middleware-httpsredirect.yml.j2 + - 2.0/traefik-middleware-basicauth.yml.j2 + - 2.0/traefik-dp.yml.j2 + - 2.0/traefik-svc.yml.j2 + - 2.0/traefik-dashboard-svc.yml.j2 + - 2.0/traefik-dashboard.yml.j2 + - 2.0/traefik-dashboard-insecure.yml.j2 + tags: traefik diff --git a/templates/2.0/traefik-clusterrole.yml.j2 b/templates/2.0/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..537813c --- /dev/null +++ b/templates/2.0/traefik-clusterrole.yml.j2 
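Review bot: The loop unconditionally applies `2.0/traefik-middleware-basicauth.yml.j2`, but the `basic-auth` Secret it points at is only created in tasks/main.yml when `basic_auth == true`, and templates/2.0/traefik-dashboard.yml.j2 attaches the middleware under `{% if basic_auth is defined %}`, which is always true because defaults/main.yml defines `basic_auth: false` — so with the defaults the dashboard route references a Middleware whose Secret does not exist. Gate both on the value rather than on definedness: in the template use `{% if basic_auth | bool %}`, and on this task add `when: basic_auth | bool or 'basicauth' not in item`. A one-line comment above `with_items` saying that the order is also the creation order (CRDs before the objects that use them) would help anyone adding a template later.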
@@ -0,0 +1,62 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + verbs: + - get + - list + - watch + - apiGroups: + - traefik.containo.us + resources: + - ingressroutes + verbs: + - get + - list + - watch + - apiGroups: + - traefik.containo.us + resources: + - ingressroutetcps + verbs: + - get + - list + - watch + - apiGroups: + - traefik.containo.us + resources: + - tlsoptions + verbs: + - get + - list + - watch diff --git a/templates/2.0/traefik-clusterrolebinding.yml.j2 b/templates/2.0/traefik-clusterrolebinding.yml.j2 new file mode 100644 index 0000000..4719e69 --- /dev/null +++ b/templates/2.0/traefik-clusterrolebinding.yml.j2 @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller +subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: tools diff --git a/templates/2.0/traefik-cm.yml.j2 b/templates/2.0/traefik-cm.yml.j2 new file mode 100644 index 0000000..ade2719 --- /dev/null +++ b/templates/2.0/traefik-cm.yml.j2 
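Review bot: Both the ClusterRole and the ClusterRoleBinding in these hunks use `rbac.authorization.k8s.io/v1beta1`; the `v1` API has been served since Kubernetes 1.8 and `v1beta1` is deprecated, so `apiVersion: rbac.authorization.k8s.io/v1` is the safe choice with no other change to the bodies. The role grants `get/list/watch` on `secrets` across the whole cluster, which Traefik needs to read the TLS Secrets referenced by routes but which also lets the controller's service account read every Secret in every namespace; a short comment above that rule (`# cluster-wide read of Secrets: required for tls.secretName on IngressRoutes`) and a sentence in the README would make that trade-off visible to whoever deploys the role.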
@@ -0,0 +1,48 @@ +apiVersion: v1 +data: + traefik.yaml: | + global: + checkNewVersion: true + serversTransport: + insecureSkipVerify: true + entryPoints: + http: + address: :80 + https: + address: :443 + traefik: + address: :8080 + providers: + kubernetesCRD: + throttleDuration: 2s + kubernetesIngress: {} + metrics: + prometheus: + buckets: + - 0.1 + - 0.3 + - 1.2 + - 5 + entryPoint: traefik + ping: + entryPoint: traefik + api: + insecure: true + dashboard: true + debug: true + log: + level: DEBUG + accessLog: + format: json + fields: + names: + BackendAddr: keep + BackendName: keep + BackendURL: keep + FrontendName: keep +kind: ConfigMap +metadata: + labels: + app: traefik + name: traefik + namespace: tools diff --git a/templates/2.0/traefik-crd-ingressroute.yml.j2 b/templates/2.0/traefik-crd-ingressroute.yml.j2 new file mode 100644 index 0000000..4e83639 --- /dev/null +++ b/templates/2.0/traefik-crd-ingressroute.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutes.traefik.containo.us + namespace: tools + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRoute + plural: ingressroutes + singular: ingressroute + scope: Namespaced diff --git a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 new file mode 100644 index 0000000..3900786 --- /dev/null +++ b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + namespace: tools + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced 
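Review bot: The rendered `traefik.yaml` hardcodes `api.insecure: true`, `api.debug: true`, `serversTransport.insecureSkipVerify: true` and `log.level: DEBUG`, which together serve the API/dashboard unauthenticated on the `traefik` entrypoint (`:8080`), disable certificate verification toward every backend, and log request details at debug level. Make them role variables with safe defaults (e.g. `traefik_api_insecure: false`, `traefik_insecure_skip_verify: false`, `traefik_log_level: INFO` in defaults/main.yml) and template them, `insecure: {{ traefik_api_insecure | bool | to_json }}`, so the insecure settings become an explicit opt-in. The `accessLog.fields.names` keys (`BackendAddr`, `BackendName`, `BackendURL`, `FrontendName`) look like Traefik 1.x field names; I believe 2.0 renamed them to `ServiceAddr`/`ServiceName`/`ServiceURL`/`RouterName` — confirm against the 2.0 access-log reference before keeping them.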
diff --git a/templates/2.0/traefik-crd-middleware.yml.j2 b/templates/2.0/traefik-crd-middleware.yml.j2 new file mode 100644 index 0000000..0a0cf65 --- /dev/null +++ b/templates/2.0/traefik-crd-middleware.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + namespace: tools + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.0/traefik-crd-tlsoption.yml.j2 b/templates/2.0/traefik-crd-tlsoption.yml.j2 new file mode 100644 index 0000000..1495e0d --- /dev/null +++ b/templates/2.0/traefik-crd-tlsoption.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.0/traefik-dashboard-insecure.yml.j2 b/templates/2.0/traefik-dashboard-insecure.yml.j2 new file mode 100644 index 0000000..98293d6 --- /dev/null +++ b/templates/2.0/traefik-dashboard-insecure.yml.j2 
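Review bot: The `middlewares.traefik.containo.us` CRD here (and the `ingressroutes`/`ingressroutetcps` CRDs in the preceding hunks) carries `metadata.namespace: tools` and an `app: traefik` label, while `tlsoptions.traefik.containo.us` in the next hunk has neither; a CustomResourceDefinition is cluster-scoped, so the namespace field is meaningless and the inconsistency is only confusing. Drop `namespace: tools` from the three CRDs and add `labels: app: traefik` to the TLSOption one so selection and cleanup stay uniform. None of the four CRDs declares a `validation` schema, so malformed IngressRoute/Middleware objects are accepted by the API server and can only be rejected by Traefik at runtime, if at all; that is a reasonable first cut for `v1beta1` but deserves a comment so it is not forgotten.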
@@ -0,0 +1,36 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard-insecure + namespace: tools + labels: + app: traefik + +spec: + entryPoints: + - http + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 12 + middlewares: + - name: https-only + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms diff --git a/templates/2.0/traefik-dashboard-svc.yml.j2 b/templates/2.0/traefik-dashboard-svc.yml.j2 new file mode 100644 index 0000000..efef8b5 --- /dev/null +++ b/templates/2.0/traefik-dashboard-svc.yml.j2 @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik-dashboard + namespace: tools + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: traefik + port: 8080 + protocol: TCP + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: ClusterIP + selector: + app: traefik 
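Review bot: The `traefik-dashboard` Service in the second hunk publishes port 8080 — the `traefik` entrypoint on which the ConfigMap serves the API with `api.insecure: true` — as a ClusterIP reachable from every pod in the cluster, and the basic-auth middleware guards only the hostname route, so in-cluster callers bypass it entirely. Unless in-cluster access is intended, keep `api.insecure: false` and reach the dashboard through the IngressRoute only (as far as I recall Traefik 2.0 exposes it as the `api@internal` TraefikService, so the Service would not need port 8080 at all), or at least add a NetworkPolicy limiting port 8080 to the namespaces that need it. The Service also re-exposes ports 80 and 443, which duplicate `traefik-svc` and are unused by the dashboard routes; they can be dropped.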
diff --git a/templates/2.0/traefik-dashboard.yml.j2 b/templates/2.0/traefik-dashboard.yml.j2 new file mode 100644 index 0000000..a08b11e --- /dev/null +++ b/templates/2.0/traefik-dashboard.yml.j2 @@ -0,0 +1,40 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard + namespace: tools + labels: + app: traefik + +spec: + entryPoints: + - https + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 12 +{% if basic_auth is defined %} + middlewares: + - name: basic-auth +{% endif %} + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms + tls: + secretName: wildcard-cluster diff --git a/templates/2.0/traefik-dp.yml.j2 b/templates/2.0/traefik-dp.yml.j2 new file mode 100644 index 0000000..1a64b11 --- /dev/null +++ b/templates/2.0/traefik-dp.yml.j2 
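Review bot: `tls.secretName: wildcard-cluster` in the dashboard IngressRoute references a TLS Secret that nothing in this role creates or parameterises, so on a fresh cluster the HTTPS route has no certificate until someone provisions that exact Secret in `tools` by hand. Make it a role variable (`traefik_dashboard_tls_secret: wildcard-cluster` in defaults/main.yml, `secretName: "{{ traefik_dashboard_tls_secret }}"` here) and state in the README that the Secret must exist in the `tools` namespace before the role runs. The long comments copied from the upstream example around `match`, `kind`, `weight` and `passHostHeader` describe the CRD rather than this route and could be trimmed to one line naming what the route does.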
@@ -0,0 +1,82 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + namespace: tools + name: traefik + labels: + app: traefik + +spec: + replicas: 1 + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller + containers: + - name: traefik + image: traefik:{{ traefik_version }} + args: + - --configfile=/config/traefik.yaml +# imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 80 + protocol: TCP +# hostPort: 80 + - name: https + containerPort: 443 + protocol: TCP +# hostPort: 443 + - name: traefik + containerPort: 8080 + protocol: TCP +# hostPort: 8080 + readinessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: {{ traefik_cpu_limit }} + memory: {{ traefik_memory_limit }} + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /config + name: config +{% if traefik_node_selector is defined %} + nodeSelector: + kubernetes.io/hostname: "{% for node_selector in traefik_node_selector %}{{ node_selector }}{% if not loop.last %}, {% endif %}{% endfor %}" +{% endif %} + dnsPolicy: ClusterFirst + hostNetwork: false + restartPolicy: Always + terminationGracePeriodSeconds: 1 + tolerations: + - effect: NoSchedule + operator: Exists + volumes: + - configMap: + defaultMode: 420 + name: traefik + name: config diff --git a/templates/2.0/traefik-middleware-basicauth.yml.j2 b/templates/2.0/traefik-middleware-basicauth.yml.j2 new file mode 100644 index 0000000..b3701d4 --- /dev/null +++ b/templates/2.0/traefik-middleware-basicauth.yml.j2 
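Review bot: The `nodeSelector` rendered under `kubernetes.io/hostname` joins every entry of `traefik_node_selector` with `, ` into one label value; a nodeSelector matches a single exact value, so with more than one node the pod can never be scheduled (a comma is not even a valid label value), which only goes unnoticed because the default list has one entry. Use a node affinity with the `In` operator, which accepts a list, as below. The tolerations entry `effect: NoSchedule` / `operator: Exists` tolerates every NoSchedule taint including the control-plane one, which is wider than a default should be; consider making it a variable that defaults to no tolerations.
```yaml
{% if traefik_node_selector is defined %}
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
{% for node_selector in traefik_node_selector %}
                      - "{{ node_selector }}"
{% endfor %}
{% endif %}
# … unchanged: dnsPolicy, hostNetwork, restartPolicy, tolerations, volumes …
```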
@@ -0,0 +1,7 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: basic-auth +spec: + basicAuth: + secret: basic-auth \ No newline at end of file diff --git a/templates/2.0/traefik-middleware-httpsredirect.yml.j2 b/templates/2.0/traefik-middleware-httpsredirect.yml.j2 new file mode 100644 index 0000000..07af55a --- /dev/null +++ b/templates/2.0/traefik-middleware-httpsredirect.yml.j2 @@ -0,0 +1,7 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: https-only +spec: + redirectScheme: + scheme: https \ No newline at end of file diff --git a/templates/2.0/traefik-sa.yml.j2 b/templates/2.0/traefik-sa.yml.j2 new file mode 100644 index 0000000..7ca4339 --- /dev/null +++ b/templates/2.0/traefik-sa.yml.j2 @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: tools + name: traefik-ingress-controller diff --git a/templates/2.0/traefik-svc.yml.j2 b/templates/2.0/traefik-svc.yml.j2 new file mode 100644 index 0000000..b2306bd --- /dev/null +++ b/templates/2.0/traefik-svc.yml.j2 @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik + namespace: tools + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: LoadBalancer + selector: + app: traefik diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..e69de29
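Review bot: Neither the `basic-auth` Middleware nor `https-only` (next hunk) sets `metadata.namespace`, so the k8s module creates them in whatever namespace the `my_context` kubeconfig defaults to, while the IngressRoutes in `tools` reference them by bare name and Traefik resolves such references in the IngressRoute's own namespace — with a context defaulting to `default`, the routes point at middlewares that do not exist there. Add `namespace: tools` under `metadata` in both templates (and `labels: app: traefik` for consistency with the other objects). For the basicAuth middleware, the Secret created in tasks/main.yml stores the credentials under the key `basic_auth`; as far as I remember Traefik 2.0 reads the `users` key of the referenced Secret, so confirm the key name against the 2.0 middleware docs. Both files also lack a trailing newline.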