From d7b7e958607e68d21b2de3ad192a20bea79170f1 Mon Sep 17 00:00:00 2001 
From: Adrien Date: Thu, 26 Mar 2020 17:39:18 +0100 Subject: [PATCH] Update traefik 2.2 --- defaults/main.yml | 3 +- tasks/main.yml | 7 +- tasks/version_2.2.yml | 49 ++++++ templates/2.2/Ressources-exemple.yml | 157 ++++++++++++++++++ templates/2.2/traefik-clusterrole.yml.j2 | 44 +++++ .../2.2/traefik-clusterrolebinding.yml.j2 | 13 ++ templates/2.2/traefik-cm.yml.j2 | 48 ++++++ .../2.2/traefik-crd-ingressroutes.yml.j2 | 16 ++ .../2.2/traefik-crd-ingressroutetcps.yml.j2 | 16 ++ .../2.2/traefik-crd-ingressrouteudps.yml.j2 | 16 ++ templates/2.2/traefik-crd-middlewares.yml.j2 | 16 ++ templates/2.2/traefik-crd-tlsoptions.yml.j2 | 16 ++ templates/2.2/traefik-crd-tlsstores.yml.j2 | 16 ++ .../2.2/traefik-crd-traefikservices.yml.j2 | 16 ++ .../2.2/traefik-dashboard-insecure.yml.j2 | 39 +++++ templates/2.2/traefik-dashboard-svc.yml.j2 | 24 +++ templates/2.2/traefik-dashboard.yml.j2 | 50 ++++++ templates/2.2/traefik-dp.yml.j2 | 88 ++++++++++ .../2.2/traefik-middleware-basicauth.yml.j2 | 8 + .../traefik-middleware-httpsredirect.yml.j2 | 8 + .../2.2/traefik-middleware-ipwhitelist.yml.j2 | 11 ++ templates/2.2/traefik-ping.yml.j2 | 39 +++++ templates/2.2/traefik-sa.yml.j2 | 5 + templates/2.2/traefik-svc.yml.j2 | 21 +++ templates/2.2/traefik-tls-options.yml.j2 | 15 ++ 25 files changed, 739 insertions(+), 2 deletions(-) create mode 100644 tasks/version_2.2.yml create mode 100644 templates/2.2/Ressources-exemple.yml create mode 100644 templates/2.2/traefik-clusterrole.yml.j2 create mode 100644 templates/2.2/traefik-clusterrolebinding.yml.j2 create mode 100644 templates/2.2/traefik-cm.yml.j2 create mode 100644 templates/2.2/traefik-crd-ingressroutes.yml.j2 create mode 100644 templates/2.2/traefik-crd-ingressroutetcps.yml.j2 create mode 100644 templates/2.2/traefik-crd-ingressrouteudps.yml.j2 create mode 100644 templates/2.2/traefik-crd-middlewares.yml.j2 create mode 100644 templates/2.2/traefik-crd-tlsoptions.yml.j2 create mode 100644 templates/2.2/traefik-crd-tlsstores.yml.j2 create 
mode 100644 templates/2.2/traefik-crd-traefikservices.yml.j2 create mode 100644 templates/2.2/traefik-dashboard-insecure.yml.j2 create mode 100644 templates/2.2/traefik-dashboard-svc.yml.j2 create mode 100644 templates/2.2/traefik-dashboard.yml.j2 create mode 100644 templates/2.2/traefik-dp.yml.j2 create mode 100644 templates/2.2/traefik-middleware-basicauth.yml.j2 create mode 100644 templates/2.2/traefik-middleware-httpsredirect.yml.j2 create mode 100644 templates/2.2/traefik-middleware-ipwhitelist.yml.j2 create mode 100644 templates/2.2/traefik-ping.yml.j2 create mode 100644 templates/2.2/traefik-sa.yml.j2 create mode 100644 templates/2.2/traefik-svc.yml.j2 create mode 100644 templates/2.2/traefik-tls-options.yml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index deca14b..e962414 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ my_context: kubernetes -traefik_version: 2.1 +traefik_version: "2.2" traefik_domain: "local" +traefik_namespace: "traefik" #ingress_whitelist: # - 10.96.0.0/12 # - 10.244.0.0/16 diff --git a/tasks/main.yml b/tasks/main.yml index 2b51843..3b2cd96 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -68,4 +68,9 @@ - name: install / uninstall version 2.1 include_tasks: "version_2.1.yml" when: - - traefik_version | regex_search('(^2.1)') or traefik_actual_version.stdout | regex_search('(^2.)') + - traefik_version | regex_search('(^2.1)') + + - name: install / uninstall version 2.2 + include_tasks: "version_2.2.yml" + when: + - traefik_version | regex_search('(^2.2)') or traefik_actual_version.stdout | regex_search('(^2.)') diff --git a/tasks/version_2.2.yml b/tasks/version_2.2.yml new file mode 100644 index 0000000..ec4e175 --- /dev/null +++ b/tasks/version_2.2.yml 
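Review bot: The version match in the new `when` clause, and in the rewritten 2.1 clause just above it, uses an unescaped dot, so `regex_search('(^2.2)')` also matches strings such as `2.22` or `2-2`; anchor the minor version with `- traefik_version | regex_search('^2\.2')` (and `'^2\.1'` for the 2.1 task). The second operand `traefik_actual_version.stdout | regex_search('(^2.)')` makes the 2.2 tasks run for any installed 2.x, and since the 2.1 task lost that clause this is now the only task that handles an already-installed 2.x; if the intent is that the 2.2 tasks own removal/upgrade of older 2.x resources, a comment saying so would save the next reader a guess. `traefik_actual_version` is set outside this hunk, so whether it is always defined when this `when` is evaluated cannot be checked here.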
@@ -0,0 +1,49 @@ +--- +- set_fact: + traefik_2_2_state: "present" + when: + - traefik_version | regex_search('(^2.)') + +- set_fact: + traefik_2_2_state: "absent" + when: + - traefik_version | regex_search('(^1.)') + +- name: traefik files version 2.2 need to be {{ traefik_2_2_state }} + k8s: + state: "{{ traefik_2_2_state }}" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - 2.2/traefik-crd-ingressroutes.yml.j2 + - 2.2/traefik-crd-ingressroutetcps.yml.j2 + - 2.2/traefik-crd-ingressrouteudps.yml.j2 + - 2.2/traefik-crd-middlewares.yml.j2 + - 2.2/traefik-crd-tlsoptions.yml.j2 + - 2.2/traefik-crd-tlsstores.yml.j2 + - 2.2/traefik-crd-traefikservices.yml.j2 + - 2.2/traefik-cm.yml.j2 + - 2.2/traefik-sa.yml.j2 + - 2.2/traefik-clusterrole.yml.j2 + - 2.2/traefik-clusterrolebinding.yml.j2 + - 2.2/traefik-dp.yml.j2 + - 2.2/traefik-svc.yml.j2 + - 2.2/traefik-dashboard-svc.yml.j2 + - 2.2/traefik-middleware-httpsredirect.yml.j2 + - 2.2/traefik-middleware-basicauth.yml.j2 + - 2.2/traefik-tls-options.yml.j2 + - 2.2/traefik-dashboard.yml.j2 + - 2.2/traefik-dashboard-insecure.yml.j2 + - 2.2/traefik-ping.yml.j2 + tags: traefik + +- name: IP white list need to be {{ traefik_2_2_state }} for traefik version 2.2 + k8s: + state: "{{ traefik_2_2_state }}" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - 2.2/traefik-middleware-ipwhitelist.yml.j2 + when: + - ingress_whitelist is defined or traefik_2_2_state == "absent" + tags: traefik diff --git a/templates/2.2/Ressources-exemple.yml b/templates/2.2/Ressources-exemple.yml new file mode 100644 index 0000000..bf512dd --- /dev/null +++ b/templates/2.2/Ressources-exemple.yml 
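Review bot: `tags: traefik` is set on the two `k8s` tasks but not on the two `set_fact` tasks at the top of the file, so a run limited with `--tags traefik` skips the fact-setting and `state: "{{ traefik_2_2_state }}"` then references an undefined variable. Give both `set_fact` tasks the same tag (or `tags: always`) and a `name:` so they show up in the play output. On `absent` the items are deleted in list order, which removes the CRDs before the IngressRoute, Middleware and TLSOption objects that depend on them; reversing the list for removal, or moving CRD deletion into a final task, avoids issuing deletes for kinds whose definition is already gone — how the `k8s` module reacts to an unknown kind is not visible here.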
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrole.yml.j2 b/templates/2.2/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..519d0dc --- /dev/null +++ b/templates/2.2/traefik-clusterrole.yml.j2 
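Review bot: This example file contains Jinja expressions (`namespace: {{ traefik_namespace }}`) but is saved as `.yml` rather than `.yml.j2` and is not listed in `tasks/version_2.2.yml`; read directly as YAML, an unquoted `{{` starts a flow mapping and the file fails to parse. Either rename it to `.j2` and keep it out of the task list, or replace the expressions with a literal namespace so it stays a valid standalone example. The `ingressroute` object has no `metadata.namespace` while the other objects in the file do; add one for consistency. A header comment such as `# Example only - not applied by the role; secret and service names are placeholders.` would make the purpose of the file clear.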
@@ -0,0 +1,44 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + - ingressroutes + - traefikservices + - ingressroutetcps + - ingressrouteudps + - tlsoptions + - tlsstores + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrolebinding.yml.j2 b/templates/2.2/traefik-clusterrolebinding.yml.j2 new file mode 100644 index 0000000..2a4398a --- /dev/null +++ b/templates/2.2/traefik-clusterrolebinding.yml.j2 @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller +subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: {{ traefik_namespace }} diff --git a/templates/2.2/traefik-cm.yml.j2 b/templates/2.2/traefik-cm.yml.j2 new file mode 100644 index 0000000..0366a14 --- /dev/null +++ b/templates/2.2/traefik-cm.yml.j2 
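Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` in this new ClusterRole (and in the ClusterRoleBinding hunk that follows it) is the deprecated API version, removed in newer clusters; new files should use `apiVersion: rbac.authorization.k8s.io/v1`, which has the same schema. The role also grants `get/list/watch` on `secrets` in every namespace, which Traefik needs to read TLS secrets but which makes the `traefik-ingress-controller` service account a cluster-wide secret reader; a comment documenting why it is required, e.g. `# secrets: read access is required for TLS certificates referenced by IngressRoute/TLSStore`, keeps that decision visible to the next reviewer.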
@@ -0,0 +1,48 @@ +apiVersion: v1 +data: + traefik.yaml: | + global: + checkNewVersion: true + serversTransport: + insecureSkipVerify: true + entryPoints: + http: + address: :80 + https: + address: :443 + traefik: + address: :8080 + providers: + kubernetesCRD: + throttleDuration: 2s + kubernetesIngress: {} + metrics: + prometheus: + buckets: + - 0.1 + - 0.3 + - 1.2 + - 5 + entryPoint: traefik + ping: + entryPoint: traefik + api: + insecure: true + dashboard: true + debug: true + log: + level: DEBUG + accessLog: + format: json + fields: + names: + BackendAddr: keep + BackendName: keep + BackendURL: keep + FrontendName: keep +kind: ConfigMap +metadata: + labels: + app: traefik + name: traefik + namespace: {{ traefik_namespace }} diff --git a/templates/2.2/traefik-crd-ingressroutes.yml.j2 b/templates/2.2/traefik-crd-ingressroutes.yml.j2 new file mode 100644 index 0000000..f31a6bd --- /dev/null +++ b/templates/2.2/traefik-crd-ingressroutes.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutes.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRoute + plural: ingressroutes + singular: ingressroute + scope: Namespaced diff --git a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 new file mode 100644 index 0000000..a766ed8 --- /dev/null +++ b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced 
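Review bot: The embedded `traefik.yaml` sets `api.insecure: true`, `serversTransport.insecureSkipVerify: true`, `debug: true` and `log.level: DEBUG`, which together ship a debug-mode proxy that publishes the API and dashboard on the `traefik` entrypoint (:8080) without any authentication and skips certificate verification toward every backend. Because `traefik-dp.yml.j2` maps that port with `hostPort: 8080`, the API is reachable on every node address regardless of the basic-auth or ipwhitelist middlewares attached to the dashboard IngressRoutes. Set `insecure: false` and serve the dashboard through the IngressRoute (Traefik 2 exposes it as the `api@internal` service), default `insecureSkipVerify` to `false` behind a variable for self-signed backends, and make the log level a variable that defaults to something quieter than `DEBUG`.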
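Review bot: `apiextensions.k8s.io/v1beta1` in this CRD (and in the six sibling CRD hunks for ingressroutetcps, ingressrouteudps, middlewares, tlsoptions, tlsstores and traefikservices) is the deprecated CRD API, removed in recent Kubernetes releases; the `v1` form needs a `versions:` list with an OpenAPI schema instead of the bare `version: v1alpha1`. The `namespace: {{ traefik_namespace }}` line under `metadata` has no meaning on a cluster-scoped CustomResourceDefinition and is either ignored or rejected depending on the server, so drop it from all seven templates.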
diff --git a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 new file mode 100644 index 0000000..535726c --- /dev/null +++ b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced diff --git a/templates/2.2/traefik-crd-middlewares.yml.j2 b/templates/2.2/traefik-crd-middlewares.yml.j2 new file mode 100644 index 0000000..1c0168e --- /dev/null +++ b/templates/2.2/traefik-crd-middlewares.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsoptions.yml.j2 b/templates/2.2/traefik-crd-tlsoptions.yml.j2 new file mode 100644 index 0000000..a1200f0 --- /dev/null +++ b/templates/2.2/traefik-crd-tlsoptions.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsstores.yml.j2 b/templates/2.2/traefik-crd-tlsstores.yml.j2 new file mode 100644 index 0000000..eae918f --- /dev/null +++ b/templates/2.2/traefik-crd-tlsstores.yml.j2 
@@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced diff --git a/templates/2.2/traefik-crd-traefikservices.yml.j2 b/templates/2.2/traefik-crd-traefikservices.yml.j2 new file mode 100644 index 0000000..46ce7ca --- /dev/null +++ b/templates/2.2/traefik-crd-traefikservices.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced diff --git a/templates/2.2/traefik-dashboard-insecure.yml.j2 b/templates/2.2/traefik-dashboard-insecure.yml.j2 new file mode 100644 index 0000000..a37a302 --- /dev/null +++ b/templates/2.2/traefik-dashboard-insecure.yml.j2 
@@ -0,0 +1,39 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard-insecure + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - http + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 12 + middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} + - name: https-only + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms diff --git a/templates/2.2/traefik-dashboard-svc.yml.j2 b/templates/2.2/traefik-dashboard-svc.yml.j2 new file mode 100644 index 0000000..d89d096 --- /dev/null +++ b/templates/2.2/traefik-dashboard-svc.yml.j2 @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik-dashboard + namespace: {{ traefik_namespace }} + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: traefik + port: 8080 + protocol: TCP + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: ClusterIP + selector: + app: traefik 
diff --git a/templates/2.2/traefik-dashboard.yml.j2 b/templates/2.2/traefik-dashboard.yml.j2 new file mode 100644 index 0000000..d755f8b --- /dev/null +++ b/templates/2.2/traefik-dashboard.yml.j2 @@ -0,0 +1,50 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - https + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 12 +{% if basic_auth is defined or ingress_whitelist is defined %} + middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} +{% if basic_auth is defined %} + - name: basic-auth +{% endif %} +{% endif %} + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms + tls: + store: + name: default + namespace: {{ traefik_namespace }} + options: + name: default + namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/2.2/traefik-dp.yml.j2 b/templates/2.2/traefik-dp.yml.j2 new file mode 100644 index 0000000..b9e18a1 
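Review bot: The HTTPS dashboard route only attaches the `basic-auth` middleware when `basic_auth is defined` and the whitelist when `ingress_whitelist is defined`, so with the defaults added in `defaults/main.yml` (where neither is set) the Traefik dashboard and API at `traefik.{{ traefik_domain }}` are served to anyone who can reach the `https` entrypoint. Consider making at least one of the two mandatory (an `assert` task that fails when both are undefined) or defaulting to deny. The `tls.store`/`tls.options` named `default` in `{{ traefik_namespace }}` also differ from `traefik-ping.yml.j2`, which uses `secretName: wildcard-cluster`; a comment stating which certificate source each route is expected to use would help.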
--- /dev/null +++ b/templates/2.2/traefik-dp.yml.j2 @@ -0,0 +1,88 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + namespace: {{ traefik_namespace }} + name: traefik + labels: + app: traefik + +spec: + replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} + strategy: + type: Recreate + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller + containers: + - name: traefik + image: traefik:{{ traefik_version }} + args: + - --configfile=/config/traefik.yaml +# imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 80 + protocol: TCP + hostPort: 80 + - name: https + containerPort: 443 + protocol: TCP + hostPort: 443 + - name: traefik + containerPort: 8080 + protocol: TCP + hostPort: 8080 + readinessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: {{ traefik_cpu_limit }} + memory: {{ traefik_memory_limit }} + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /config + name: config +{% if traefik_node_selector is defined %} + nodeSelector: + flaminem.com/entrypoint: traefik +{% endif %} + dnsPolicy: ClusterFirst +{% if my_context == "flamykube" %} + hostNetwork: true +{% else %} + hostNetwork: false +{% endif %} + restartPolicy: Always + terminationGracePeriodSeconds: 1 + tolerations: + - effect: NoSchedule + operator: Exists + volumes: + - configMap: + defaultMode: 420 + name: traefik + name: config diff --git a/templates/2.2/traefik-middleware-basicauth.yml.j2 b/templates/2.2/traefik-middleware-basicauth.yml.j2 new file mode 100644 index 0000000..797fe1f --- /dev/null 
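Review bot: The `traefik` container port carries `hostPort: 8080`, which exposes the admin entrypoint (API, dashboard, ping and metrics per `traefik-cm.yml.j2`) on every node's address; only 80 and 443 need a hostPort and the probes use the named container port, so drop `hostPort: 8080`. The pod has no `securityContext` (for instance `readOnlyRootFilesystem: true` and dropped capabilities, keeping `NET_BIND_SERVICE` for the privileged ports), and `image: traefik:{{ traefik_version }}` with `traefik_version: "2.2"` is a floating minor tag, so re-deploys silently pick up new patch releases; pinning a patch tag or digest through a variable keeps rollouts reproducible. The toleration with `operator: Exists` and no key tolerates every `NoSchedule` taint, including control-plane nodes, which is presumably intended for the `traefik_node_selector` case but deserves a comment.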
+++ b/templates/2.2/traefik-middleware-basicauth.yml.j2 @@ -0,0 +1,8 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: basic-auth + namespace: {{ traefik_namespace }} +spec: + basicAuth: + secret: basic-auth \ No newline at end of file diff --git a/templates/2.2/traefik-middleware-httpsredirect.yml.j2 b/templates/2.2/traefik-middleware-httpsredirect.yml.j2 new file mode 100644 index 0000000..d5f4cb3 --- /dev/null +++ b/templates/2.2/traefik-middleware-httpsredirect.yml.j2 @@ -0,0 +1,8 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: https-only + namespace: {{ traefik_namespace }} +spec: + redirectScheme: + scheme: https \ No newline at end of file diff --git a/templates/2.2/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.2/traefik-middleware-ipwhitelist.yml.j2 new file mode 100644 index 0000000..60fa6ad --- /dev/null +++ b/templates/2.2/traefik-middleware-ipwhitelist.yml.j2 @@ -0,0 +1,11 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: traefik-ipwhitelist + namespace: {{ traefik_namespace }} +spec: + ipWhiteList: + sourceRange: +{% for acl_whitelist in ingress_whitelist %} + - {{ acl_whitelist }} +{% endfor %} diff --git a/templates/2.2/traefik-ping.yml.j2 b/templates/2.2/traefik-ping.yml.j2 new file mode 100644 index 0000000..1703002 --- /dev/null +++ b/templates/2.2/traefik-ping.yml.j2 
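Review bot: The middleware references `secret: basic-auth` but nothing in this patch creates that Secret, and the dashboard route attaches the middleware whenever `basic_auth is defined`, so a missing Secret becomes a runtime routing error rather than a deploy-time failure. Either create the Secret from the `basic_auth` variable in the tasks or document the prerequisite with a comment such as `# expects a Secret named basic-auth (key "users", htpasswd entries) in the traefik namespace`. The same applies to `traefik-middleware-ipwhitelist.yml.j2` in this file section, whose `{% for acl_whitelist in ingress_whitelist %}` loop assumes a list; quoting the rendered entries (`- "{{ acl_whitelist }}"`) protects against values that YAML would retype.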
@@ -0,0 +1,39 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ping + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - https + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 14 + services: + - name: traefik-dashboard + port: 8080 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms + tls: + secretName: wildcard-cluster + options: + name: default + namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/2.2/traefik-sa.yml.j2 b/templates/2.2/traefik-sa.yml.j2 new file mode 100644 index 0000000..07c38a6 --- /dev/null +++ b/templates/2.2/traefik-sa.yml.j2 @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ traefik_namespace }} + name: traefik-ingress-controller diff --git a/templates/2.2/traefik-svc.yml.j2 b/templates/2.2/traefik-svc.yml.j2 new file mode 100644 index 0000000..7c369da --- /dev/null +++ b/templates/2.2/traefik-svc.yml.j2 
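Review bot: `tls.secretName: wildcard-cluster` names a TLS Secret that no hunk in this patch creates, while the dashboard route in the same directory relies on the `default` TLSStore; if the Secret is absent, Traefik presumably falls back to its default certificate and the ping endpoint is served with an untrusted cert. Use one certificate source for both routes, or document the prerequisite with a comment such as `# requires a TLS Secret "wildcard-cluster" in the traefik namespace`. Forwarding `/ping` to the `traefik-dashboard` Service on 8080 is consistent with `ping.entryPoint: traefik` in the ConfigMap, so the route itself looks right.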
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik + namespace: {{ traefik_namespace }} + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: LoadBalancer + selector: + app: traefik diff --git a/templates/2.2/traefik-tls-options.yml.j2 b/templates/2.2/traefik-tls-options.yml.j2 new file mode 100644 index 0000000..533ff39 --- /dev/null +++ b/templates/2.2/traefik-tls-options.yml.j2 @@ -0,0 +1,15 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: {{ traefik_namespace }} + +spec: + sniStrict: true + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
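Review bot: `type: LoadBalancer` without `externalTrafficPolicy: Local` means kube-proxy SNATs incoming connections on most providers, so the `ipWhiteList` middleware in `traefik-middleware-ipwhitelist.yml.j2` sees node or load-balancer addresses instead of the real client and either blocks everyone or, if node CIDRs are whitelisted, admits everyone. Add `externalTrafficPolicy: Local` under `spec` (client IPs are preserved at the cost of node-local routing), or configure the entrypoint's `forwardedHeaders.trustedIPs` with the balancer addresses and set the middleware's `ipStrategy` to match. The Deployment already binds `hostPort` 80/443 on the same nodes, so the two exposure paths overlap; a comment on which one is the intended ingress path would help.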
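Review bot: The `cipherSuites` list ends with `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, CBC-mode suites with SHA-1 MACs; with `minVersion: VersionTLS12` the AEAD suites above them already cover modern clients, so drop the two CBC entries unless a known legacy client needs them, and record that reason in a comment. The list is also RSA-only, so an ECDSA certificate would have no usable suite; add the `TLS_ECDHE_ECDSA_*` counterparts if such certificates are possible in this cluster. TLS 1.3 suites are not configurable in Go-based servers such as Traefik and are unaffected by this list, which is worth a one-line comment so nobody tries to add them here.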