Add traefik 2.1

Adrien Reslinger 2020-02-27 18:54:09 +01:00
parent 28b8910ad4
commit a804841f87
27 changed files with 709 additions and 11 deletions


@ -1,5 +1,5 @@
my_context: kubernetes my_context: kubernetes
traefik_version: 2.0 traefik_version: 2.1
traefik_domain: "local" traefik_domain: "local"
#ingress_whitelist: #ingress_whitelist:
# - 10.96.0.0/12 # - 10.96.0.0/12
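Review bot: `traefik_version: 2.1` is a bare float, so YAML loads it as the number 2.1 rather than the string "2.1": a later bump to `2.10` would silently collapse to `2.1`, and the `regex_search('(^2.1)')` guards added in the tasks only work because Jinja stringifies the number first; quote it, `traefik_version: "2.1"`. Every template in this commit also reads `traefik_namespace`, but no default for it appears in this hunk — confirm it is defined elsewhere (only lines 1–5 of the defaults are visible here).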


@ -46,7 +46,7 @@
tags: traefik tags: traefik
- name: Get Deployment information object - name: Get Deployment information object
k8s_facts: k8s_info:
context: "{{ my_context }}" context: "{{ my_context }}"
api_version: v1 api_version: v1
kind: Deployment kind: Deployment
@ -63,4 +63,9 @@
- name: install / uninstall version 2.0 - name: install / uninstall version 2.0
include_tasks: "version_2.0.yml" include_tasks: "version_2.0.yml"
when: when:
- traefik_version | regex_search('(2.)') or traefik_actual_version.stdout | regex_search('(2.)') - traefik_version | regex_search('(^2.0)')
- name: install / uninstall version 2.1
include_tasks: "version_2.1.yml"
when:
- traefik_version | regex_search('(^2.1)') or traefik_actual_version.stdout | regex_search('(^2.)')
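Review bot: The new 2.1 guard on the last line runs version_2.1.yml whenever the cluster currently runs any 2.x (`traefik_actual_version.stdout | regex_search('(^2.)')`), while the 2.0 guard in the hunk above was reduced to the desired version only; with `traefik_version: 2.0` on a cluster that already runs 2.0, version_2.0.yml applies its resources and version_2.1.yml then runs with `traefik_2_1_state: absent`, and if the two template sets share resource names (likely — the 2.0 dashboard hunks further down reference the same `default` TLSOption in the same namespace) the absent pass deletes what was just created. The symmetric form, `traefik_version | regex_search('(^2\.0)') or traefik_actual_version.stdout | regex_search('(^2\.0)')` for 2.0 and the `2\.1` equivalent here, keeps each version's uninstall limited to its own version. Note also that the new `^` anchor only matches if `stdout` is the bare version string; if the registered command prints an image reference such as `traefik:2.1`, the uninstall path never fires — what that command prints is not visible in this hunk. The `.` is unescaped in all of these patterns.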


@ -7,7 +7,7 @@
k8s: k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
name: tools name: {{ traefik_namespace }}
api_version: v1 api_version: v1
kind: Namespace kind: Namespace
@ -20,7 +20,7 @@
kind: Secret kind: Secret
metadata: metadata:
name: basic-auth name: basic-auth
namespace: tools namespace: {{ traefik_namespace }}
type: Opaque type: Opaque
data: data:
basic_auth: "{{ basic_auth_data | b64encode }}" basic_auth: "{{ basic_auth_data | b64encode }}"
@ -34,7 +34,7 @@
api_version: v1 api_version: v1
kind: Deployment kind: Deployment
name: traefik name: traefik
namespace: tools namespace: {{ traefik_namespace }}
field_selectors: field_selectors:
- spec.template.spec.containers.image - spec.template.spec.containers.image
register: traefik_actual_resources register: traefik_actual_resources
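Review bot: `name: {{ traefik_namespace }}` in the first hunk (and `namespace: {{ traefik_namespace }}` in the two hunks below it) is unquoted inside an Ansible task file, which is parsed as YAML before Jinja runs; a value beginning with `{{` is read as a flow mapping and Ansible rejects the file with its "missing quotes" error. Quote all three: `name: "{{ traefik_namespace }}"` and `namespace: "{{ traefik_namespace }}"`. The `.j2` templates in this commit are rendered first and then passed through `from_yaml`, so the unquoted form is fine there — only these task-file lines need the quotes.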


@ -2,12 +2,12 @@
- set_fact: - set_fact:
traefik_2_0_state: "present" traefik_2_0_state: "present"
when: when:
- traefik_version | regex_search('(2.)') - traefik_version | regex_search('(^2.0)')
- set_fact: - set_fact:
traefik_2_0_state: "absent" traefik_2_0_state: "absent"
when: when:
- not traefik_version | regex_search('(2.0)') - not traefik_version | regex_search('(^2.0)')
- name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }} - name: traefik files version {{ traefik_version }} need to be {{ traefik_2_0_state }}
k8s: k8s:
@ -34,7 +34,7 @@
- 2.0/traefik-ping.yml.j2 - 2.0/traefik-ping.yml.j2
tags: traefik tags: traefik
- name: IP white list need to be {{ traefik_2_0_state }} for traefik version {{ traefik_version }} - name: IP white list need to be {{ traefik_2_0_state }} for traefik version 2.0
k8s: k8s:
state: "{{ traefik_2_0_state }}" state: "{{ traefik_2_0_state }}"
context: "{{ my_context }}" context: "{{ my_context }}"
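Review bot: The `.` in `regex_search('(^2.0)')` on both set_fact lines is unescaped, so `^2.0` also matches strings like `2x0`; harmless with the current values, but the same pattern is copied into version_2.1.yml, so `'^2\.0'` / `'^2\.1'` would be the safer form in both files. The task name on the `traefik files version {{ traefik_version }}` line still interpolates the variable while the whitelist task name in the second hunk was changed to the literal `2.0`; make them consistent, `- name: traefik files version 2.0 need to be {{ traefik_2_0_state }}`, which also matches the wording of the new version_2.1.yml.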

47
tasks/version_2.1.yml Normal file

@ -0,0 +1,47 @@
---
- set_fact:
traefik_2_1_state: "present"
when:
- traefik_version | regex_search('(^2.1)')
- set_fact:
traefik_2_1_state: "absent"
when:
- not traefik_version | regex_search('(^2.1)')
- name: traefik files version 2.1 need to be {{ traefik_2_1_state }}
k8s:
state: "{{ traefik_2_1_state }}"
context: "{{ my_context }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- 2.1/traefik-cm.yml.j2
- 2.1/traefik-sa.yml.j2
- 2.1/traefik-clusterrole.yml.j2
- 2.1/traefik-clusterrolebinding.yml.j2
- 2.1/traefik-crd-ingressroute.yml.j2
- 2.1/traefik-crd-ingressroutetcp.yml.j2
- 2.1/traefik-crd-middleware.yml.j2
- 2.1/traefik-crd-tlsoption.yml.j2
- 2.1/traefik-crd-traefikservice.yml.j2
- 2.1/traefik-dp.yml.j2
- 2.1/traefik-svc.yml.j2
- 2.1/traefik-dashboard-svc.yml.j2
- 2.1/traefik-middleware-httpsredirect.yml.j2
- 2.1/traefik-middleware-basicauth.yml.j2
- 2.1/traefik-tls-options.yml.j2
- 2.1/traefik-dashboard.yml.j2
- 2.1/traefik-dashboard-insecure.yml.j2
- 2.1/traefik-ping.yml.j2
tags: traefik
- name: IP white list need to be {{ traefik_2_1_state }} for traefik version 2.1
k8s:
state: "{{ traefik_2_1_state }}"
context: "{{ my_context }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- 2.1/traefik-middleware-ipwhitelist.yml.j2
when:
- ingress_whitelist is defined or traefik_2_1_state == "absent"
tags: traefik
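Review bot: The absent path of the `traefik files version 2.1` task deletes the five `2.1/traefik-crd-*.yml.j2` objects, and deleting a CRD removes every IngressRoute, Middleware, TLSOption and TraefikService in the cluster — application-owned ones in other namespaces included — so a downgrade (`traefik_version: 2.0` or older) is a cluster-wide outage, and since 2.0 uses the same CRDs it also breaks the 2.0 install that the previous task just applied. Within the same pass the CRDs are listed before the CR templates, so by the time `state: absent` reaches `traefik-middleware-*`, `traefik-dashboard*` and `traefik-ping` their kinds no longer exist and the k8s module will most likely fail with a "Failed to find exact match" error rather than report them gone. Move the CRD templates into their own task that is only ever `state: present` (or gate it with `when: traefik_2_1_state == "present"`), and on removal process the namespaced objects before the cluster-scoped ones. The two complementary set_fact tasks at the top could also collapse into one, `traefik_2_1_state: "{{ 'present' if traefik_version | regex_search('^2\.1') else 'absent' }}"`.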


@ -45,4 +45,4 @@ spec:
secretName: wildcard-cluster secretName: wildcard-cluster
options: options:
name: default name: default
namespace: tools namespace: {{ traefik_namespace }}


@ -36,4 +36,4 @@ spec:
secretName: wildcard-cluster secretName: wildcard-cluster
options: options:
name: default name: default
namespace: tools namespace: {{ traefik_namespace }}


@ -0,0 +1,157 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: wrr2
namespace: {{ traefik_namespace }}
spec:
weighted:
services:
- name: s1
weight: 1
port: 80
# Optional, as it is the default value
kind: Service
- name: s3
weight: 1
port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: wrr1
namespace: {{ traefik_namespace }}
spec:
weighted:
services:
- name: wrr2
kind: TraefikService
weight: 1
- name: s3
weight: 1
port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: mirror1
namespace: {{ traefik_namespace }}
spec:
mirroring:
name: s1
port: 80
mirrors:
- name: s3
percent: 20
port: 80
- name: mirror2
kind: TraefikService
percent: 20
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: mirror2
namespace: {{ traefik_namespace }}
spec:
mirroring:
name: wrr2
kind: TraefikService
mirrors:
- name: s2
# Optional, as it is the default value
kind: Service
percent: 20
port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
- websecure
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
# defining several services is possible and allowed, but for now the servers of
# all the services (for a given route) get merged altogether under the same
# load-balancing strategy.
services:
- name: s1
port: 80
healthCheck:
path: /health
host: baz.com
intervalSeconds: 7
timeoutSeconds: 60
# strategy defines the load balancing strategy between the servers. It defaults
# to Round Robin, and for now only Round Robin is supported anyway.
strategy: RoundRobin
- name: s2
port: 433
healthCheck:
path: /health
host: baz.com
intervalSeconds: 7
timeoutSeconds: 60
- match: PathPrefix(`/misc`)
services:
- name: s3
port: 80
middlewares:
- name: stripprefix
- name: addprefix
- match: PathPrefix(`/misc`)
services:
- name: s3
# Optional, as it is the default value
kind: Service
port: 8443
# scheme allow to override the scheme for the service. (ex: https or h2c)
scheme: https
- match: PathPrefix(`/lb`)
services:
- name: wrr1
kind: TraefikService
- match: PathPrefix(`/mirrored`)
services:
- name: mirror1
kind: TraefikService
# use an empty tls object for TLS with Let's Encrypt
tls:
secretName: supersecret
options:
name: myTLSOption
namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcp.crd
namespace: default
spec:
entryPoints:
- footcp
routes:
- match: HostSNI(`bar.com`)
services:
- name: whoamitcp
port: 8080
tls:
secretName: foosecret
passthrough: false
options:
name: myTLSOption
namespace: default
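Review bot: This file is not in the `with_items` list of version_2.1.yml and reads like the upstream IngressRoute/TraefikService reference example (placeholder hosts `foo.com`/`bar.com`, services `s1`–`s3`, secrets `supersecret`/`foosecret`, the `ingressroutetcp.crd` object pinned to `namespace: default`), so nothing applies it. If it is kept as documentation, a header comment such as `# Reference example only — not applied by tasks/version_2.1.yml` stops the next reader from adding it to the template list, where the dangling service and secret references would leave broken routers; otherwise it should be dropped from the commit.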


@ -0,0 +1,42 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- tlsoptions
verbs:
- get
- list
- watch
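Review bot: `rbac.authorization.k8s.io/v1beta1` on the second line (and in the ClusterRoleBinding in the next file) is the deprecated group version; `rbac.authorization.k8s.io/v1` has existed since Kubernetes 1.8 with the same schema and `v1beta1` is removed in 1.22, so use `apiVersion: rbac.authorization.k8s.io/v1` in both. The first rule grants `get`/`list`/`watch` on `secrets` cluster-wide, which Traefik needs for TLS secrets but which also makes every Secret in every namespace readable from the traefik pod; if IngressRoutes only live in a few namespaces, setting the provider's `namespaces` option and binding this role with a RoleBinding per namespace instead of the ClusterRoleBinding would narrow that.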


@ -0,0 +1,13 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: {{ traefik_namespace }}


@ -0,0 +1,48 @@
apiVersion: v1
data:
traefik.yaml: |
global:
checkNewVersion: true
serversTransport:
insecureSkipVerify: true
entryPoints:
http:
address: :80
https:
address: :443
traefik:
address: :8080
providers:
kubernetesCRD:
throttleDuration: 2s
kubernetesIngress: {}
metrics:
prometheus:
buckets:
- 0.1
- 0.3
- 1.2
- 5
entryPoint: traefik
ping:
entryPoint: traefik
api:
insecure: true
dashboard: true
debug: true
log:
level: DEBUG
accessLog:
format: json
fields:
names:
BackendAddr: keep
BackendName: keep
BackendURL: keep
FrontendName: keep
kind: ConfigMap
metadata:
labels:
app: traefik
name: traefik
namespace: {{ traefik_namespace }}
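Review bot: `api.insecure: true` publishes the API and dashboard without any authentication on the `traefik` entry point (`:8080`), and the Deployment in this commit maps that port straight to the node with `hostPort: 8080` (plus `hostNetwork: true` for the flamykube context), so the basic-auth and IP-whitelist middlewares that the `traefik-dashboard` IngressRoute applies are bypassed by reaching any node on port 8080. The minimal fix is to drop `hostPort: 8080` from the Deployment — the `traefik-dashboard` ClusterIP Service still reaches the port inside the cluster; the proper one is `insecure: false` with the two dashboard IngressRoutes pointing at `- name: api@internal` / `kind: TraefikService` instead of the Service on 8080. `serversTransport.insecureSkipVerify: true` disables certificate verification for every HTTPS backend globally, and `log.level: DEBUG` with `api.debug: true` is verbose for a default; if both are intentional a comment saying why would help. The `accessLog.fields.names` entries (`BackendAddr`, `FrontendName`, …) look like v1 field names — v2 uses `ServiceAddr`, `RouterName` and friends — so the `keep` settings here may have no effect; confirm against the 2.1 documentation.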


@ -0,0 +1,16 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced


@ -0,0 +1,16 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced


@ -0,0 +1,16 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced


@ -0,0 +1,16 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced


@ -0,0 +1,16 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: traefikservices.traefik.containo.us
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TraefikService
plural: traefikservices
singular: traefikservice
scope: Namespaced


@ -0,0 +1,39 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-insecure
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
entryPoints:
- http
routes:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
- match: Host(`traefik.{{ traefik_domain }}`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
middlewares:
{% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist
{% endif %}
- name: https-only
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
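Review bot: The block comments on this route are copied from the upstream CRD example ("for now we only support…", "kind could eventually be…") and say nothing about what this object is for; a one-line comment at the top, `# plain-HTTP entry for the dashboard host: its only job is to redirect to https (https-only middleware)`, would document the intent, and the same copied text is repeated in traefik-dashboard.yml.j2 and traefik-ping.yml.j2. Note that the whitelist middleware runs before the redirect, so a non-whitelisted client gets a 403 on port 80 rather than a redirect; presumably intended, but worth stating in that comment.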


@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: traefik
name: traefik-dashboard
namespace: {{ traefik_namespace }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: traefik
port: 8080
protocol: TCP
- protocol: TCP
port: 443
name: https
targetPort: 443
type: ClusterIP
selector:
app: traefik
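Review bot: The `http`/`https` entries (80/443) on the `traefik-dashboard` Service are unused — every IngressRoute in this commit reaches the dashboard through port `8080` (`traefik-dashboard`, `traefik-dashboard-insecure`, `traefik-ping`) and external 80/443 traffic goes through the `traefik` LoadBalancer Service — so they can be dropped, leaving only the `traefik` port. An explicit `targetPort: 8080` on that remaining entry would make it read like the others.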


@ -0,0 +1,48 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
entryPoints:
- https
routes:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
- match: Host(`traefik.{{ traefik_domain }}`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
{% if basic_auth is defined or ingress_whitelist is defined %}
middlewares:
{% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist
{% endif %}
{% if basic_auth is defined %}
- name: basic-auth
{% endif %}
{% endif %}
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
tls:
secretName: wildcard-cluster
options:
name: default
namespace: {{ traefik_namespace }}
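Review bot: When neither `basic_auth` nor `ingress_whitelist` is defined the outer `{% if %}` emits no `middlewares:` at all, so the dashboard on `traefik.{{ traefik_domain }}` is served over https with no authentication and no source restriction; nothing in the tasks defaults either variable, so a forgotten variable silently publishes the dashboard. Gate it in version_2.1.yml with an `assert` that `basic_auth is defined or ingress_whitelist is defined` before the template task, or make the basic-auth middleware unconditional. The template keys on `basic_auth` while the Secret hunk in the tasks encodes `basic_auth_data` (its `when`, if any, is not visible here); if those are separate variables, confirm they are always set together, otherwise the route references a `basic-auth` middleware whose Secret was never created and Traefik rejects the router.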


@ -0,0 +1,88 @@
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: {{ traefik_namespace }}
name: traefik
labels:
app: traefik
spec:
replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %}
strategy:
type: Recreate
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:{{ traefik_version }}
args:
- --configfile=/config/traefik.yaml
# imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
hostPort: 80
- name: https
containerPort: 443
protocol: TCP
hostPort: 443
- name: traefik
containerPort: 8080
protocol: TCP
hostPort: 8080
readinessProbe:
httpGet:
path: /ping
port: traefik
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
path: /ping
port: traefik
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
resources:
limits:
cpu: {{ traefik_cpu_limit }}
memory: {{ traefik_memory_limit }}
requests:
cpu: 100m
memory: 20Mi
volumeMounts:
- mountPath: /config
name: config
{% if traefik_node_selector is defined %}
nodeSelector:
flaminem.com/entrypoint: traefik
{% endif %}
dnsPolicy: ClusterFirst
{% if my_context == "flamykube" %}
hostNetwork: true
{% else %}
hostNetwork: false
{% endif %}
restartPolicy: Always
terminationGracePeriodSeconds: 1
tolerations:
- effect: NoSchedule
operator: Exists
volumes:
- configMap:
defaultMode: 420
name: traefik
name: config
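Review bot: The container has no `securityContext`, so it runs with the image defaults — all capabilities, writable root filesystem, privilege escalation allowed — while binding host ports 80/443/8080 and, on the flamykube context, sharing the host network; at minimum drop all capabilities except `NET_BIND_SERVICE`, set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` (nothing in this config writes to disk). `image: traefik:{{ traefik_version }}` resolves to the floating minor tag `traefik:2.1`, so a pod restart may pull a different build than was tested; pin a patch tag or digest and mark it, `# pinned on purpose — bump deliberately`. `tolerations: operator: Exists` with `effect: NoSchedule` lets the pod land on any tainted node, control-plane nodes included; confirm that is intended and say so in a comment, since `nodeSelector` is only applied when `traefik_node_selector` is defined (and that variable is otherwise used only for its `length`).

```yaml
      - name: traefik
        image: traefik:{{ traefik_version }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]
        # … unchanged: args, ports, probes, resources, volumeMounts …
```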


@ -0,0 +1,8 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-auth
namespace: {{ traefik_namespace }}
spec:
basicAuth:
secret: basic-auth


@ -0,0 +1,8 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-only
namespace: {{ traefik_namespace }}
spec:
redirectScheme:
scheme: https


@ -0,0 +1,11 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-ipwhitelist
namespace: {{ traefik_namespace }}
spec:
ipWhiteList:
sourceRange:
{% for acl_whitelist in ingress_whitelist %}
- {{ acl_whitelist }}
{% endfor %}
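Review bot: `{% for acl_whitelist in ingress_whitelist %}` is evaluated whenever the whitelist task in version_2.1.yml runs, and that task's condition is `ingress_whitelist is defined or traefik_2_1_state == "absent"` — so on the uninstall path with no whitelist configured, `lookup('template', …)` iterates an undefined variable and the play fails with an undefined-variable error instead of removing the Middleware. Default the loop, `{% for acl_whitelist in ingress_whitelist | default([]) %}`, or tighten the task condition to `ingress_whitelist is defined` alone. Quoting the rendered entries, `- "{{ acl_whitelist }}"`, is the usual guard against a list element that YAML would read as something other than a string; CIDRs like the `10.96.0.0/12` in the defaults are safe as plain scalars, so this is only style.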


@ -0,0 +1,39 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-ping
namespace: {{ traefik_namespace }}
labels:
app: traefik
spec:
entryPoints:
- https
routes:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 14
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
tls:
secretName: wildcard-cluster
options:
name: default
namespace: {{ traefik_namespace }}
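Review bot: This route carries `priority: 14` against the dashboard route's `12` so that `/ping` on the same host is matched first and served without the `basic-auth`/`traefik-ipwhitelist` middlewares — a deliberate unauthenticated exception for health checks that nothing in the file states, while the surrounding comments are the copied upstream boilerplate. Replace them with one line that explains it, `# priority 14 > dashboard's 12: /ping is routed before the dashboard router and is intentionally unauthenticated (health checks only)`, so a later reader does not "fix" the priority or add the middlewares.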


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ traefik_namespace }}
name: traefik-ingress-controller


@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: traefik
name: traefik
namespace: {{ traefik_namespace }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- protocol: TCP
port: 443
name: https
targetPort: 443
type: LoadBalancer
selector:
app: traefik
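Review bot: With `type: LoadBalancer` and no `externalTrafficPolicy`, the default `Cluster` policy lets kube-proxy SNAT external connections, so Traefik sees a node address as the client and the `traefik-ipwhitelist` middleware (which matches on the remote address unless an `ipStrategy` is configured) either rejects everyone or, if node CIDRs are whitelisted, admits everyone. If the whitelist is meant to match real client addresses, add `externalTrafficPolicy: Local` under `spec` (accepting that traffic is then only delivered to nodes running a traefik pod), or configure forwarded-header handling for the load balancer in front; which applies depends on that load balancer, which is not visible here.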


@ -0,0 +1,15 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: {{ traefik_namespace }}
spec:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
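Review bot: The last two suites, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, are the only non-AEAD entries in an otherwise modern list; keep them only if a known legacy client needs them and say so, `# CBC suites kept for legacy clients — remove once they are gone`. The list is also RSA-only, so an ECDSA certificate in the `wildcard-cluster` secret would leave no negotiable suite; if ECDSA certificates are possible, add the `TLS_ECDHE_ECDSA_*` counterparts. `sniStrict: true` and `minVersion: VersionTLS12` are sound defaults for the `default` option.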