From c0b4a9d16df9b24807224dbf124c6b8ea84caad6 Mon Sep 17 00:00:00 2001 
From: Adrien Date: Mon, 13 Jul 2020 15:21:19 +0200 Subject: [PATCH] Reduce maintenance --- tasks/main.yml | 16 +++- templates/2.0/traefik-cm.yml.j2 | 46 --------- .../2.0/traefik-dashboard-insecure.yml.j2 | 39 -------- templates/2.0/traefik-dashboard-svc.yml.j2 | 24 ----- templates/2.0/traefik-dashboard.yml.j2 | 48 ---------- templates/2.0/traefik-dp.yml.j2 | 84 ----------------- .../2.0/traefik-middleware-basicauth.yml.j2 | 8 -- .../traefik-middleware-httpsredirect.yml.j2 | 8 -- .../2.0/traefik-middleware-ipwhitelist.yml.j2 | 11 --- templates/2.0/traefik-ping.yml.j2 | 39 -------- templates/2.0/traefik-sa.yml.j2 | 5 - templates/2.0/traefik-svc.yml.j2 | 21 ----- templates/2.0/traefik-tls-options.yml.j2 | 15 --- templates/2.1/traefik-cm.yml.j2 | 48 ---------- templates/2.1/traefik-dp.yml.j2 | 94 ------------------- .../2.1/traefik-middleware-headers.yml.j2 | 31 ------ .../2.1/traefik-middleware-ipwhitelist.yml.j2 | 11 --- .../2.2/traefik-dashboard-insecure.yml.j2 | 39 -------- templates/2.2/traefik-dashboard-svc.yml.j2 | 24 ----- templates/2.2/traefik-dashboard.yml.j2 | 50 ---------- .../2.2/traefik-middleware-basicauth.yml.j2 | 8 -- .../traefik-middleware-httpsredirect.yml.j2 | 8 -- templates/2.2/traefik-ping.yml.j2 | 39 -------- templates/2.2/traefik-sa.yml.j2 | 5 - templates/2.2/traefik-svc.yml.j2 | 21 ----- templates/2.2/traefik-tls-options.yml.j2 | 16 ---- templates/{2.2 => }/traefik-cm.yml.j2 | 2 +- .../traefik-dashboard-insecure.yml.j2 | 0 .../{2.1 => }/traefik-dashboard-svc.yml.j2 | 0 templates/{2.1 => }/traefik-dashboard.yml.j2 | 0 templates/{2.2 => }/traefik-dp.yml.j2 | 24 ++--- .../traefik-middleware-basicauth.yml.j2 | 0 .../traefik-middleware-headers.yml.j2 | 16 ++-- .../traefik-middleware-httpsredirect.yml.j2 | 0 templates/{2.1 => }/traefik-ping.yml.j2 | 0 templates/{2.1 => }/traefik-sa.yml.j2 | 0 templates/{2.1 => }/traefik-svc.yml.j2 | 0 .../{2.1 => }/traefik-tls-options.yml.j2 | 0 38 files changed, 33 insertions(+), 767 deletions(-) delete mode 100644 
templates/2.0/traefik-cm.yml.j2 delete mode 100644 templates/2.0/traefik-dashboard-insecure.yml.j2 delete mode 100644 templates/2.0/traefik-dashboard-svc.yml.j2 delete mode 100644 templates/2.0/traefik-dashboard.yml.j2 delete mode 100644 templates/2.0/traefik-dp.yml.j2 delete mode 100644 templates/2.0/traefik-middleware-basicauth.yml.j2 delete mode 100644 templates/2.0/traefik-middleware-httpsredirect.yml.j2 delete mode 100644 templates/2.0/traefik-middleware-ipwhitelist.yml.j2 delete mode 100644 templates/2.0/traefik-ping.yml.j2 delete mode 100644 templates/2.0/traefik-sa.yml.j2 delete mode 100644 templates/2.0/traefik-svc.yml.j2 delete mode 100644 templates/2.0/traefik-tls-options.yml.j2 delete mode 100644 templates/2.1/traefik-cm.yml.j2 delete mode 100644 templates/2.1/traefik-dp.yml.j2 delete mode 100644 templates/2.1/traefik-middleware-headers.yml.j2 delete mode 100644 templates/2.1/traefik-middleware-ipwhitelist.yml.j2 delete mode 100644 templates/2.2/traefik-dashboard-insecure.yml.j2 delete mode 100644 templates/2.2/traefik-dashboard-svc.yml.j2 delete mode 100644 templates/2.2/traefik-dashboard.yml.j2 delete mode 100644 templates/2.2/traefik-middleware-basicauth.yml.j2 delete mode 100644 templates/2.2/traefik-middleware-httpsredirect.yml.j2 delete mode 100644 templates/2.2/traefik-ping.yml.j2 delete mode 100644 templates/2.2/traefik-sa.yml.j2 delete mode 100644 templates/2.2/traefik-svc.yml.j2 delete mode 100644 templates/2.2/traefik-tls-options.yml.j2 rename templates/{2.2 => }/traefik-cm.yml.j2 (98%) rename templates/{2.1 => }/traefik-dashboard-insecure.yml.j2 (100%) rename templates/{2.1 => }/traefik-dashboard-svc.yml.j2 (100%) rename templates/{2.1 => }/traefik-dashboard.yml.j2 (100%) rename templates/{2.2 => }/traefik-dp.yml.j2 (78%) rename templates/{2.1 => }/traefik-middleware-basicauth.yml.j2 (100%) rename templates/{2.2 => }/traefik-middleware-headers.yml.j2 (62%) rename templates/{2.1 => }/traefik-middleware-httpsredirect.yml.j2 (100%) rename 
templates/{2.1 => }/traefik-ping.yml.j2 (100%) rename templates/{2.1 => }/traefik-sa.yml.j2 (100%) rename templates/{2.1 => }/traefik-svc.yml.j2 (100%) rename templates/{2.1 => }/traefik-tls-options.yml.j2 (100%) diff --git a/tasks/main.yml b/tasks/main.yml index 4194da7..a6708ad 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -49,7 +49,7 @@ k8s_info: context: "{{ my_context }}" api_version: v1 - kind: Deployment + kind: DaemonSet name: traefik namespace: '{{ traefik_namespace }}' field_selectors: @@ -71,6 +71,7 @@ when: - not traefik_actual_version.stdout == "[]" - not traefik_version == traefik_actual_version.stdout + - traefik_actual_version.stdout is version(traefik_version, '>') - name: Install traefik version {{ traefik_version }} k8s: @@ -80,6 +81,19 @@ resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: - "{{ lookup('vars', 'traefik_' + traefik_version + '_list') }}" + - traefik-cm.yml.j2 + - traefik-sa.yml.j2 + - traefik-dp.yml.j2 + - traefik-svc.yml.j2 + - traefik-dashboard-svc.yml.j2 + - traefik-middleware-httpsredirect.yml.j2 + - traefik-middleware-basicauth.yml.j2 + - traefik-middleware-headers.yml.j2 + - traefik-tls-options.yml.j2 + - traefik-dashboard.yml.j2 + - traefik-dashboard-insecure.yml.j2 + - traefik-ping.yml.j2 + - name: Define state of ipwhitelist middleware to present set_fact: diff --git a/templates/2.0/traefik-cm.yml.j2 b/templates/2.0/traefik-cm.yml.j2 deleted file mode 100644 index e830531..0000000 --- a/templates/2.0/traefik-cm.yml.j2 +++ /dev/null 
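Review bot: In the third hunk (`@@ -80,6 +81,19 @@`) the context line `- "{{ lookup('vars', 'traefik_' + traefik_version + '_list') }}"` is kept as the first `with_items` entry while the twelve flat template names are appended after it, yet the per-version `templates/2.x/` files those `traefik_<ver>_list` variables presumably enumerate are deleted by this same commit and the diffstat touches nothing under defaults/ or vars/. Unless those lists were emptied elsewhere, `lookup('template', item)` will fail on the first item, or if the lists still name surviving files, render the same manifests twice; dropping the lookup line (or reducing the lists to genuinely version-specific extras) should go in with this change. In the second hunk, the added `- traefik_actual_version.stdout is version(traefik_version, '>')` makes the preceding `- not traefik_version == traefik_actual_version.stdout` redundant, and the task this `when:` belongs to starts outside the hunk, so a comment such as `# only tear down on downgrade; upgrades are applied in place` would make the intent visible.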
@@ -1,46 +0,0 @@ -apiVersion: v1 -data: - traefik.yaml: | - global: - checkNewVersion: true - serversTransport: - insecureSkipVerify: true - entryPoints: -{% for traefik_entrypoint in traefik_entrypoints %} - {{ traefik_entrypoint.name }}: - address: :{{ traefik_entrypoint.port }} -{% endfor %} - providers: - kubernetesCRD: - throttleDuration: 2s - kubernetesIngress: {} - metrics: - prometheus: - buckets: - - 0.1 - - 0.3 - - 1.2 - - 5 - entryPoint: traefik - ping: - entryPoint: traefik - api: - insecure: true - dashboard: true - debug: true - log: - level: DEBUG - accessLog: - format: json - fields: - names: - BackendAddr: keep - BackendName: keep - BackendURL: keep - FrontendName: keep -kind: ConfigMap -metadata: - labels: - app: traefik - name: traefik - namespace: traefik diff --git a/templates/2.0/traefik-dashboard-insecure.yml.j2 b/templates/2.0/traefik-dashboard-insecure.yml.j2 deleted file mode 100644 index 9b64270..0000000 --- a/templates/2.0/traefik-dashboard-insecure.yml.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard-insecure - namespace: traefik - labels: - app: traefik - -spec: - entryPoints: - - http - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 12 - middlewares: -{% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist -{% endif %} - - name: https-only - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms diff --git a/templates/2.0/traefik-dashboard-svc.yml.j2 b/templates/2.0/traefik-dashboard-svc.yml.j2 deleted file mode 100644 index 2091a13..0000000 --- a/templates/2.0/traefik-dashboard-svc.yml.j2 +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: traefik - name: traefik-dashboard - namespace: traefik - -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: traefik - port: 8080 - protocol: TCP - - protocol: TCP - port: 443 - name: https - targetPort: 443 - type: ClusterIP - selector: - app: traefik 
diff --git a/templates/2.0/traefik-dashboard.yml.j2 b/templates/2.0/traefik-dashboard.yml.j2 deleted file mode 100644 index d1f503b..0000000 --- a/templates/2.0/traefik-dashboard.yml.j2 +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard - namespace: traefik - labels: - app: traefik - -spec: - entryPoints: - - https - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 12 -{% if basic_auth is defined or ingress_whitelist is defined %} - middlewares: -{% if basic_auth is defined %} - - name: basic-auth -{% endif %} -{% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist -{% endif %} -{% endif %} - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms - tls: - secretName: wildcard-cluster - options: - name: default - namespace: {{ traefik_namespace }} diff --git a/templates/2.0/traefik-dp.yml.j2 b/templates/2.0/traefik-dp.yml.j2 deleted file mode 100644 index 11209c3..0000000 --- a/templates/2.0/traefik-dp.yml.j2 +++ /dev/null 
@@ -1,84 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - namespace: traefik - name: traefik - labels: - app: traefik - -spec: - replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} - strategy: - type: Recreate - selector: - matchLabels: - app: traefik - template: - metadata: - labels: - app: traefik - spec: - serviceAccountName: traefik-ingress-controller - containers: - - name: traefik - image: traefik:{{ traefik_version_2_0 }} - args: - - --configfile=/config/traefik.yaml -# imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 80 - protocol: TCP - hostPort: 80 - - name: https - containerPort: 443 - protocol: TCP - hostPort: 443 - - name: traefik - containerPort: 8080 - protocol: TCP - hostPort: 8080 - readinessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 1 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - livenessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: - limits: - cpu: {{ traefik_cpu_limit }} - memory: {{ traefik_memory_limit }} - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /config - name: config -{% if traefik_node_selector is defined %} - nodeSelector: - entrypoint: traefik -{% endif %} - dnsPolicy: ClusterFirst - hostNetwork: false - restartPolicy: Always - terminationGracePeriodSeconds: 1 - tolerations: - - effect: NoSchedule - operator: Exists - volumes: - - configMap: - defaultMode: 420 - name: traefik - name: config diff --git a/templates/2.0/traefik-middleware-basicauth.yml.j2 b/templates/2.0/traefik-middleware-basicauth.yml.j2 deleted file mode 100644 index 2b3ff9f..0000000 --- a/templates/2.0/traefik-middleware-basicauth.yml.j2 +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: basic-auth - namespace: traefik -spec: - basicAuth: - secret: basic-auth \ No newline at end of file diff --git a/templates/2.0/traefik-middleware-httpsredirect.yml.j2 b/templates/2.0/traefik-middleware-httpsredirect.yml.j2 deleted file mode 100644 index 812c1a4..0000000 --- a/templates/2.0/traefik-middleware-httpsredirect.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: https-only - namespace: traefik -spec: - redirectScheme: - scheme: https \ No newline at end of file diff --git a/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 deleted file mode 100644 index 00ee429..0000000 --- a/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: traefik-ipwhitelist - namespace: traefik -spec: - ipWhiteList: - sourceRange: -{% for acl_whitelist in ingress_whitelist %} - - {{ acl_whitelist }} -{% endfor %} diff --git a/templates/2.0/traefik-ping.yml.j2 b/templates/2.0/traefik-ping.yml.j2 deleted file mode 100644 index eff1623..0000000 --- a/templates/2.0/traefik-ping.yml.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ping - namespace: traefik - labels: - app: traefik - -spec: - entryPoints: - - https - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 14 - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms - tls: - secretName: wildcard-cluster - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/2.0/traefik-sa.yml.j2 b/templates/2.0/traefik-sa.yml.j2 deleted file mode 100644 index 16505c8..0000000 --- a/templates/2.0/traefik-sa.yml.j2 +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: traefik - name: traefik-ingress-controller diff --git a/templates/2.0/traefik-svc.yml.j2 b/templates/2.0/traefik-svc.yml.j2 deleted file mode 100644 index afff84c..0000000 --- a/templates/2.0/traefik-svc.yml.j2 +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: traefik - name: traefik - namespace: traefik - -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - protocol: TCP - port: 443 - name: https - targetPort: 443 - type: LoadBalancer - selector: - app: traefik diff --git a/templates/2.0/traefik-tls-options.yml.j2 b/templates/2.0/traefik-tls-options.yml.j2 deleted file mode 100644 index a37696e..0000000 --- a/templates/2.0/traefik-tls-options.yml.j2 +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: default - namespace: traefik - -spec: - sniStrict: true - minVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA diff --git a/templates/2.1/traefik-cm.yml.j2 b/templates/2.1/traefik-cm.yml.j2 deleted file mode 100644 index 3ccb24a..0000000 --- a/templates/2.1/traefik-cm.yml.j2 +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: v1 -data: - traefik.yaml: | - global: - checkNewVersion: true - serversTransport: - insecureSkipVerify: true - entryPoints: -{% for traefik_entrypoint in traefik_entrypoints %} - {{ traefik_entrypoint.name }}: - address: :{{ traefik_entrypoint.port }} -{% endfor %} - providers: - kubernetesCRD: - ingressClass: "traefik" - throttleDuration: 2s - kubernetesIngress: - ingressClass: "traefik" - metrics: - prometheus: - buckets: - - 0.1 - - 0.3 - - 1.2 - - 5 - entryPoint: traefik - ping: - entryPoint: traefik - api: - insecure: true - dashboard: true - debug: true - log: - level: DEBUG - accessLog: - format: json - fields: - names: - BackendAddr: keep - BackendName: keep - BackendURL: keep - FrontendName: keep -kind: ConfigMap -metadata: - labels: - app: traefik - name: traefik - namespace: {{ traefik_namespace }} 
diff --git a/templates/2.1/traefik-dp.yml.j2 b/templates/2.1/traefik-dp.yml.j2 deleted file mode 100644 index 5aef66e..0000000 --- a/templates/2.1/traefik-dp.yml.j2 +++ /dev/null 
@@ -1,94 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - namespace: {{ traefik_namespace }} - name: traefik - labels: - app: traefik - -spec: - replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} - strategy: - type: Recreate - selector: - matchLabels: - app: traefik - template: - metadata: - labels: - app: traefik - spec: - serviceAccountName: traefik-ingress-controller - containers: - - name: traefik - image: traefik:{{ traefik_version_2_1 }} - args: - - --configfile=/config/traefik.yaml -# imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 80 - protocol: TCP - hostPort: 80 - - name: https - containerPort: 443 - protocol: TCP - hostPort: 443 - - name: traefik - containerPort: 8080 - protocol: TCP - hostPort: 8080 - readinessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 1 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - livenessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - resources: - limits: - cpu: {{ traefik_cpu_limit }} - memory: {{ traefik_memory_limit }} - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /config - name: config -{% if traefik_node_selector is defined %} - nodeSelector: - flaminem.com/entrypoint: traefik -{% endif %} - dnsPolicy: ClusterFirst -{% if my_context == "flamykube" %} - hostNetwork: true -{% else %} - hostNetwork: false -{% endif %} - restartPolicy: Always - terminationGracePeriodSeconds: 1 - tolerations: - - effect: NoSchedule - operator: Exists - volumes: - - configMap: - defaultMode: 420 - name: traefik - name: config diff --git a/templates/2.1/traefik-middleware-headers.yml.j2 b/templates/2.1/traefik-middleware-headers.yml.j2 deleted file mode 100644 index e0906fb..0000000 
--- a/templates/2.1/traefik-middleware-headers.yml.j2 +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: security-headers - namespace: {{ traefik_namespace }} -spec: - headers: - browserXssFilter: "true" - contentTypeNosniff: "true" - forceSTSHeader: "true" - frameDeny = "true" - stsIncludeSubdomains: "true" - stsPreload: "true" - stsSeconds: "15768000" - sslRedirect: "true" - contentSecurityPolicy = "default-src 'self' 'unsafe-inline'" - customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy = "same-origin" - featurePolicy = "vibrate 'self'" - - # CORS - accessControlAllowMethods: - - "GET" - - "OPTIONS" - - "PUT" - accessControlAllowOrigin = "origin-list-or-null" -# accessControlAllowOriginList: -# - "https://foo.bar.org" -# - "https://example.org" - accessControlMaxAge: 100 - addVaryHeader: "true" \ No newline at end of file diff --git a/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 deleted file mode 100644 index 60fa6ad..0000000 --- a/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: traefik-ipwhitelist - namespace: {{ traefik_namespace }} -spec: - ipWhiteList: - sourceRange: -{% for acl_whitelist in ingress_whitelist %} - - {{ acl_whitelist }} -{% endfor %} diff --git a/templates/2.2/traefik-dashboard-insecure.yml.j2 b/templates/2.2/traefik-dashboard-insecure.yml.j2 deleted file mode 100644 index a37a302..0000000 --- a/templates/2.2/traefik-dashboard-insecure.yml.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard-insecure - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - entryPoints: - - http - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 12 - middlewares: -{% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist -{% endif %} - - name: https-only - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms diff --git a/templates/2.2/traefik-dashboard-svc.yml.j2 b/templates/2.2/traefik-dashboard-svc.yml.j2 deleted file mode 100644 index d89d096..0000000 --- a/templates/2.2/traefik-dashboard-svc.yml.j2 +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: traefik - name: traefik-dashboard - namespace: {{ traefik_namespace }} - -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: traefik - port: 8080 - protocol: TCP - - protocol: TCP - port: 443 - name: https - targetPort: 443 - type: ClusterIP - selector: - app: traefik 
diff --git a/templates/2.2/traefik-dashboard.yml.j2 b/templates/2.2/traefik-dashboard.yml.j2 deleted file mode 100644 index d755f8b..0000000 --- a/templates/2.2/traefik-dashboard.yml.j2 +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - entryPoints: - - https - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 12 -{% if basic_auth is defined or ingress_whitelist is defined %} - middlewares: -{% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist -{% endif %} -{% if basic_auth is defined %} - - name: basic-auth -{% endif %} -{% endif %} - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms - tls: - store: - name: default - namespace: {{ traefik_namespace }} - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file 
diff --git a/templates/2.2/traefik-middleware-basicauth.yml.j2 b/templates/2.2/traefik-middleware-basicauth.yml.j2 deleted file mode 100644 index 797fe1f..0000000 --- a/templates/2.2/traefik-middleware-basicauth.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: basic-auth - namespace: {{ traefik_namespace }} -spec: - basicAuth: - secret: basic-auth \ No newline at end of file diff --git a/templates/2.2/traefik-middleware-httpsredirect.yml.j2 b/templates/2.2/traefik-middleware-httpsredirect.yml.j2 deleted file mode 100644 index d5f4cb3..0000000 --- a/templates/2.2/traefik-middleware-httpsredirect.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: https-only - namespace: {{ traefik_namespace }} -spec: - redirectScheme: - scheme: https \ No newline at end of file diff --git a/templates/2.2/traefik-ping.yml.j2 b/templates/2.2/traefik-ping.yml.j2 deleted file mode 100644 index 1703002..0000000 --- a/templates/2.2/traefik-ping.yml.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ping - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - entryPoints: - - https - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 14 - services: - - name: traefik-dashboard - port: 8080 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms - tls: - secretName: wildcard-cluster - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/2.2/traefik-sa.yml.j2 b/templates/2.2/traefik-sa.yml.j2 deleted file mode 100644 index 07c38a6..0000000 --- a/templates/2.2/traefik-sa.yml.j2 +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{ traefik_namespace }} - name: traefik-ingress-controller diff --git a/templates/2.2/traefik-svc.yml.j2 b/templates/2.2/traefik-svc.yml.j2 deleted file mode 100644 index 7c369da..0000000 --- a/templates/2.2/traefik-svc.yml.j2 +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: traefik - name: traefik - namespace: {{ traefik_namespace }} - -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - protocol: TCP - port: 443 - name: https - targetPort: 443 - type: LoadBalancer - selector: - app: traefik diff --git a/templates/2.2/traefik-tls-options.yml.j2 b/templates/2.2/traefik-tls-options.yml.j2 deleted file mode 100644 index 6f64045..0000000 --- a/templates/2.2/traefik-tls-options.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: default - namespace: {{ traefik_namespace }} - -spec: - sniStrict: true - minVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - curvePreferences: - - CurveP521 - - CurveP384 \ No newline at end of file diff --git a/templates/2.2/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 similarity index 98% rename from templates/2.2/traefik-cm.yml.j2 rename to templates/traefik-cm.yml.j2 index 3ccb24a..3b1ce68 100644 --- a/templates/2.2/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -31,7 +31,7 @@ data: dashboard: true debug: true log: - level: DEBUG + level: WARN accessLog: format: json fields: diff --git a/templates/2.1/traefik-dashboard-insecure.yml.j2 b/templates/traefik-dashboard-insecure.yml.j2 similarity index 100% rename from templates/2.1/traefik-dashboard-insecure.yml.j2 rename to templates/traefik-dashboard-insecure.yml.j2 diff --git a/templates/2.1/traefik-dashboard-svc.yml.j2 b/templates/traefik-dashboard-svc.yml.j2 similarity index 100% rename from templates/2.1/traefik-dashboard-svc.yml.j2 rename to templates/traefik-dashboard-svc.yml.j2 
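Review bot: Lowering `level: DEBUG` to `level: WARN` is reasonable, but the context lines of the same hunk keep `api: insecure: true` and `debug: true`, so the API and dashboard stay served without authentication on the entrypoint named `traefik`, which the DaemonSet template in this commit maps to a `hostPort` on every node whenever such an entrypoint is in `traefik_entrypoints`. If the goal is a production profile, `insecure: false` and `debug: false` belong with this change; the `traefik-dashboard` IngressRoute would then have to target Traefik's internal API service instead of the `traefik-dashboard` Service on 8080 — confirm against the current route templates before switching. Since this ConfigMap is now the single template for every supported version, the log-level change also deserves a line in the role README or changelog.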
diff --git a/templates/2.1/traefik-dashboard.yml.j2 b/templates/traefik-dashboard.yml.j2 similarity index 100% rename from templates/2.1/traefik-dashboard.yml.j2 rename to templates/traefik-dashboard.yml.j2 diff --git a/templates/2.2/traefik-dp.yml.j2 b/templates/traefik-dp.yml.j2 similarity index 78% rename from templates/2.2/traefik-dp.yml.j2 rename to templates/traefik-dp.yml.j2 index 6501a07..9cdec37 100644 --- a/templates/2.2/traefik-dp.yml.j2 +++ b/templates/traefik-dp.yml.j2 @@ -1,4 +1,4 @@ -kind: Deployment +kind: DaemonSet apiVersion: apps/v1 metadata: namespace: {{ traefik_namespace }} @@ -7,7 +7,7 @@ metadata: app: traefik spec: - replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} +# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} strategy: type: Recreate selector: @@ -21,23 +21,17 @@ spec: serviceAccountName: traefik-ingress-controller containers: - name: traefik - image: traefik:{{ traefik_version_2_2 }} + image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_') ) }} args: - --configfile=/config/traefik.yaml # imagePullPolicy: IfNotPresent ports: - - name: http - containerPort: 80 - protocol: TCP - hostPort: 80 - - name: https - containerPort: 443 - protocol: TCP - hostPort: 443 - - name: traefik - containerPort: 8080 - protocol: TCP - hostPort: 8080 +{% for traefik_entrypoint in traefik_entrypoints %} + - name: {{ traefik_entrypoint.name }} + containerPort: {{ traefik_entrypoint.port }} + protocol: {{ traefik_entrypoint.proto }} + hostPort: {{ traefik_entrypoint.port }} +{% endfor %} readinessProbe: httpGet: path: /ping diff --git a/templates/2.1/traefik-middleware-basicauth.yml.j2 b/templates/traefik-middleware-basicauth.yml.j2 similarity index 100% rename from templates/2.1/traefik-middleware-basicauth.yml.j2 rename to templates/traefik-middleware-basicauth.yml.j2 
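Review bot: `strategy: type: Recreate`, visible as context in the second hunk (`@@ -7,7 +7,7 @@`), is a Deployment-only field; a DaemonSet uses `updateStrategy`, so after the `kind: DaemonSet` change in the first hunk this key is either dropped silently by the API server or rejected under strict field validation, and the intended rollout behaviour is lost either way. Replace it with `updateStrategy:` / `  type: RollingUpdate`, which with the per-node `hostPort` bindings is also what actually lets a new pod take over a node. The commented-out `# replicas: {% if ... %}` line still carries Jinja tags that Ansible evaluates regardless of the YAML comment, so it is better removed than commented. The same kind change is mirrored in the `k8s_info` task in tasks/main.yml.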
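Review bot: `protocol: {{ traefik_entrypoint.proto }}` in the third hunk (`@@ -21,23 +21,17 @@`) introduces a third required key on every `traefik_entrypoints` entry, while the ConfigMap template only reads `.name` and `.port`, and the diffstat shows no defaults change; an existing inventory without `proto` will make the template render fail on an undefined variable. Suggest `protocol: {{ traefik_entrypoint.proto | default('TCP') }}` and documenting the key in the role README. The readiness and liveness probes further down (outside this hunk) still reference `port: traefik`, which now only exists if the user's list contains an entrypoint with exactly that name; an `assert` task in tasks/main.yml, or at least a comment in defaults, would turn that from a silent probe failure into a clear error. Because every listed entrypoint now gets a `hostPort` on every node through the DaemonSet, the list is effectively the node-level exposure surface, which is worth stating next to the variable.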
diff --git a/templates/2.2/traefik-middleware-headers.yml.j2 b/templates/traefik-middleware-headers.yml.j2 similarity index 62% rename from templates/2.2/traefik-middleware-headers.yml.j2 rename to templates/traefik-middleware-headers.yml.j2 index e0906fb..50172d4 100644 --- a/templates/2.2/traefik-middleware-headers.yml.j2 +++ b/templates/traefik-middleware-headers.yml.j2 @@ -8,24 +8,24 @@ spec: browserXssFilter: "true" contentTypeNosniff: "true" forceSTSHeader: "true" - frameDeny = "true" + frameDeny: "true" stsIncludeSubdomains: "true" stsPreload: "true" stsSeconds: "15768000" sslRedirect: "true" - contentSecurityPolicy = "default-src 'self' 'unsafe-inline'" + contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy = "same-origin" - featurePolicy = "vibrate 'self'" + referrerPolicy: "same-origin" + featurePolicy: "vibrate 'self'" # CORS accessControlAllowMethods: - "GET" - "OPTIONS" - "PUT" - accessControlAllowOrigin = "origin-list-or-null" -# accessControlAllowOriginList: -# - "https://foo.bar.org" -# - "https://example.org" + accessControlAllowOrigin: "origin-list-or-null" + #accessControlAllowOriginList: + # - "https://foo.bar.org" + # - "https://example.org" accessControlMaxAge: 100 addVaryHeader: "true" \ No newline at end of file diff --git a/templates/2.1/traefik-middleware-httpsredirect.yml.j2 b/templates/traefik-middleware-httpsredirect.yml.j2 similarity index 100% rename from templates/2.1/traefik-middleware-httpsredirect.yml.j2 rename to templates/traefik-middleware-httpsredirect.yml.j2 diff --git a/templates/2.1/traefik-ping.yml.j2 b/templates/traefik-ping.yml.j2 similarity index 100% rename from templates/2.1/traefik-ping.yml.j2 rename to templates/traefik-ping.yml.j2 diff --git a/templates/2.1/traefik-sa.yml.j2 b/templates/traefik-sa.yml.j2 similarity index 100% rename from templates/2.1/traefik-sa.yml.j2 rename to templates/traefik-sa.yml.j2 
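Review bot: Changing `=` to `:` on `frameDeny`, `contentSecurityPolicy`, `referrerPolicy`, `featurePolicy` and `accessControlAllowOrigin` turns a template that `from_yaml` previously could not load into a Middleware that is actually applied, so this hunk is a behaviour change rather than maintenance and the CORS settings take effect for the first time. `accessControlAllowOrigin: "origin-list-or-null"` with `accessControlAllowOriginList` left commented out means the allow-list is empty; confirm what Traefik reflects in that state and prefer populating `accessControlAllowOriginList`, which as far as I recall supersedes the singular key from 2.2 onwards. The boolean-like fields are quoted strings (`"true"`) while `accessControlMaxAge: 100` is a bare integer; consistent native types are safer against CRD schema validation. The re-indented comment lines `#accessControlAllowOriginList:` also lack the space after `#` that yamllint's `comments` rule expects.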
diff --git a/templates/2.1/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 similarity index 100% rename from templates/2.1/traefik-svc.yml.j2 rename to templates/traefik-svc.yml.j2 diff --git a/templates/2.1/traefik-tls-options.yml.j2 b/templates/traefik-tls-options.yml.j2 similarity index 100% rename from templates/2.1/traefik-tls-options.yml.j2 rename to templates/traefik-tls-options.yml.j2