First commit

2019-11-25 18:46:15 +01:00 · 2019-11-25 18:46:15 +01:00 · 9fa90d889e
commit 9fa90d889e
parent dabdda6a9c
20 changed files with 508 additions and 0 deletions
--- a/templates/2.0/traefik-clusterrole.yml.j2
+++ b/templates/2.0/traefik-clusterrole.yml.j2
@ -0,0 +1,62 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutetcps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
--- a/templates/2.0/traefik-clusterrolebinding.yml.j2
+++ b/templates/2.0/traefik-clusterrolebinding.yml.j2
@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: tools
--- a/templates/2.0/traefik-cm.yml.j2
+++ b/templates/2.0/traefik-cm.yml.j2
@ -0,0 +1,48 @@
+apiVersion: v1
+data:
+  traefik.yaml: |
+    global:
+      checkNewVersion: true
+    serversTransport:
+      insecureSkipVerify: true
+    entryPoints:
+      http:
+        address: :80
+      https:
+        address: :443
+      traefik:
+        address: :8080
+    providers:
+      kubernetesCRD:
+        throttleDuration: 2s
+      kubernetesIngress: {}
+    metrics:
+      prometheus:
+        buckets:
+        - 0.1
+        - 0.3
+        - 1.2
+        - 5
+        entryPoint: traefik
+    ping:
+      entryPoint: traefik
+    api:
+      insecure: true
+      dashboard: true
+      debug: true
+    log:
+      level: DEBUG
+    accessLog:
+      format: json
+      fields:
+        names:
+          BackendAddr: keep
+          BackendName: keep
+          BackendURL: keep
+          FrontendName: keep
+kind: ConfigMap
+metadata:
+  labels:
+    app: traefik
+  name: traefik
+  namespace: tools
--- a/templates/2.0/traefik-crd-ingressroute.yml.j2
+++ b/templates/2.0/traefik-crd-ingressroute.yml.j2
@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+  namespace: tools
+  labels:
+    app: traefik
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
--- a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2
+++ b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2
@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+  namespace: tools
+  labels:
+    app: traefik
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
--- a/templates/2.0/traefik-crd-middleware.yml.j2
+++ b/templates/2.0/traefik-crd-middleware.yml.j2
@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+  namespace: tools
+  labels:
+    app: traefik
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
--- a/templates/2.0/traefik-crd-tlsoption.yml.j2
+++ b/templates/2.0/traefik-crd-tlsoption.yml.j2
@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
--- a/templates/2.0/traefik-dashboard-insecure.yml.j2
+++ b/templates/2.0/traefik-dashboard-insecure.yml.j2
@ -0,0 +1,36 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard-insecure
+  namespace: tools
+  labels:
+    app: traefik
+
+spec:
+  entryPoints:
+    - http
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+  # but for now we only support a traefik style matching rule.
+  - match: Host(`traefik.{{ traefik_domain }}`)
+    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+    # "Parameter", etc, to support simpler forms of rule matching, but for now we
+    # only support "Rule".
+    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
+    middlewares:
+      - name: https-only
+    services:
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
--- a/templates/2.0/traefik-dashboard-svc.yml.j2
+++ b/templates/2.0/traefik-dashboard-svc.yml.j2
@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: traefik
+  name: traefik-dashboard
+  namespace: tools
+
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: traefik
+    port: 8080
+    protocol: TCP
+  - protocol: TCP
+    port: 443
+    name: https
+    targetPort: 443
+  type: ClusterIP
+  selector:
+    app: traefik
--- a/templates/2.0/traefik-dashboard.yml.j2
+++ b/templates/2.0/traefik-dashboard.yml.j2
@ -0,0 +1,40 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: tools
+  labels:
+    app: traefik
+
+spec:
+  entryPoints:
+    - https
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+  # but for now we only support a traefik style matching rule.
+  - match: Host(`traefik.{{ traefik_domain }}`)
+    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+    # "Parameter", etc, to support simpler forms of rule matching, but for now we
+    # only support "Rule".
+    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
+{% if basic_auth is defined %}
+    middlewares:
+      - name: basic-auth
+{% endif %}
+    services:
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
+  tls:
+    secretName: wildcard-cluster
--- a/templates/2.0/traefik-dp.yml.j2
+++ b/templates/2.0/traefik-dp.yml.j2
@ -0,0 +1,82 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  namespace: tools
+  name: traefik
+  labels:
+    app: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      containers:
+        - name: traefik
+          image: traefik:{{ traefik_version }}
+          args:
+            - --configfile=/config/traefik.yaml
+#          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+#              hostPort: 80
+            - name: https
+              containerPort: 443
+              protocol: TCP
+#              hostPort: 443
+            - name: traefik
+              containerPort: 8080
+              protocol: TCP
+#              hostPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: traefik
+            failureThreshold: 1
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: traefik
+            failureThreshold: 3
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: {{ traefik_cpu_limit }}
+              memory: {{ traefik_memory_limit }}
+            requests:
+              cpu: 100m
+              memory: 20Mi
+          volumeMounts:
+            - mountPath: /config
+              name: config
+{% if traefik_node_selector is defined %}
+      nodeSelector:
+        kubernetes.io/hostname: "{% for node_selector in traefik_node_selector %}{{ node_selector }}{% if not loop.last %}, {% endif %}{% endfor %}"
+{% endif %}
+      dnsPolicy: ClusterFirst
+      hostNetwork: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: traefik
+          name: config
--- a/templates/2.0/traefik-middleware-basicauth.yml.j2
+++ b/templates/2.0/traefik-middleware-basicauth.yml.j2
@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: basic-auth
+spec:
+  basicAuth:
+    secret: basic-auth
--- a/templates/2.0/traefik-middleware-httpsredirect.yml.j2
+++ b/templates/2.0/traefik-middleware-httpsredirect.yml.j2
@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: https-only
+spec:
+  redirectScheme:
+    scheme: https
--- a/templates/2.0/traefik-sa.yml.j2
+++ b/templates/2.0/traefik-sa.yml.j2
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: tools
+  name: traefik-ingress-controller
--- a/templates/2.0/traefik-svc.yml.j2
+++ b/templates/2.0/traefik-svc.yml.j2
@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: traefik
+  name: traefik
+  namespace: tools
+
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - protocol: TCP
+    port: 443
+    name: https
+    targetPort: 443
+  type: LoadBalancer
+  selector:
+    app: traefik