diff --git a/meta/main.yml b/meta/main.yml
index c8bee80..a2e3209 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,8 +5,6 @@ galaxy_info:
 min_ansible_version: 2.6
 galaxy_tags: []
 license: GPL2
- collections:
- - community.kubernetes
 platforms:
 - name: kubernetes
 version:
diff --git a/tasks/main.yml b/tasks/main.yml
index 9844fba..b528a69 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
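Review bot: With the `community.kubernetes` dependency removed, the role now relies on the `k8s` and `k8s_info` modules shipped in Ansible core, yet `min_ansible_version: 2.6` on the context line above is left untouched; `k8s_info` only exists in core from Ansible 2.9 (it was `k8s_facts` in 2.8), so a 2.6–2.8 controller would fail at the first `k8s_info` task in tasks/main.yml instead of at dependency resolution. Either bump this hunk to `min_ansible_version: 2.9`, or keep the collection entry and use the fully qualified module names in the tasks.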
@@ -45,90 +45,76 @@ when: - traefik_node_selector is defined -# - name: Get Deployment information object -# k8s_info: -# context: "{{ my_context }}" -# api_version: v1 -# kind: DaemonSet -# name: traefik -# namespace: '{{ traefik_namespace }}' -# field_selectors: -# - spec.template.spec.containers.image -# register: traefik_actual_resources -# -# - name: Retreive actual traefik version -# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq -# register: traefik_actual_version -# -# - name: Remove old traefik version {{ traefik_actual_version.stdout }} -# k8s: -# state: "absent" -# context: "{{ my_context }}" -# resource_definition: "{{ lookup('template', item) | from_yaml }}" -# with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse -# when: -# - not traefik_actual_version.stdout == "[]" -# - not traefik_version == traefik_actual_version.stdout -# - traefik_actual_version.stdout is version(traefik_version, '>') - - - name: Defined traefik repository - community.kubernetes.helm_repository: + - name: Get Deployment information object + k8s_info: + context: "{{ my_context }}" + api_version: v1 + kind: DaemonSet name: traefik - repo_url: "https://helm.traefik.io/traefik" - tags: traefik - - name: Deploy latest version of Traefik - community.kubernetes.helm: - name: traefik - chart_ref: traefik/traefik - release_namespace: traefik - values: - image: - tag: "{{ traefik_version_2_3 }}" - additionalArguments: - - --configFile=/etc/traefik/traefik.yaml - podSecurityPolicy: - enabled: true - service: - enabled: false - ingressRoute: - dashboard: - enabled: false - ingressClass: - enabled: true - isDefaultClass: true - ports: - web: - redirectTo: websecure - hostPort: 80 - websecure: - hostPort: 443 - volumes: - - mountPath: /etc/traefik - 
name: traefik-conf - type: configMap - - mountPath: /etc/traefik/file - name: traefik-files - type: configMap - - mountPath: /etc/traefik/basic-auth - name: basic-auth - type: secret + namespace: '{{ traefik_namespace }}' + field_selectors: + - spec.template.spec.containers.image + register: traefik_actual_resources - - name: Install traefik configuration + - name: Retreive actual traefik version + shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq + register: traefik_actual_version + + - name: Remove old traefik version {{ traefik_actual_version.stdout }} + k8s: + state: "absent" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +# - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse + when: + - not traefik_actual_version.stdout == "[]" + - not traefik_version == traefik_actual_version.stdout + - traefik_actual_version.stdout is version(traefik_version, '>') + + - name: Install traefik version {{ traefik_version }} k8s: state: "present" context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: yes + merge_type: merge resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-files.yml.j2 -# - traefik-sa.yml.j2 + - traefik-sa.yml.j2 + - traefik-dp.yml.j2 +# - traefik-svc.yml.j2 +# - traefik-dashboard-svc.yml.j2 + - traefik-middleware-httpsredirect.yml.j2 + - traefik-middleware-basicauth.yml.j2 + - traefik-middleware-headers.yml.j2 + - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 - 
- traefik-svc.yml.j2
+ - traefik-dashboard-insecure.yml.j2
+# - traefik-ping.yml.j2
+
+
+ - name: Define state of ipwhitelist middleware to present
+ set_fact:
+ traefik_ipwhitelist_state: present
+ when:
+ - traefik_version | regex_search('(^2.)')
+ - ingress_whitelist is defined
+ - name: Define state of ipwhitelist middleware to absent
+ set_fact:
+ traefik_ipwhitelist_state: absent
+ when:
+ - not ingress_whitelist is defined or traefik_ipwhitelist_state is not defined
+ - name: IP white list need to be {{ traefik_ipwhitelist_state }}
+ k8s:
+ state: "{{ traefik_ipwhitelist_state }}"
+ context: "{{ my_context }}"
+ merge_type: merge
+ resource_definition: "{{ lookup('template', item) | from_yaml }}"
+ with_items:
+ - traefik-middleware-ipwhitelist.yml.j2
 tags: traefik
diff --git a/templates/2.0/traefik-clusterrole.yml.j2 b/templates/2.0/traefik-clusterrole.yml.j2
new file mode 100644
index 0000000..537813c
--- /dev/null
+++ b/templates/2.0/traefik-clusterrole.yml.j2
@@ -0,0 +1,62 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutetcps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - tlsoptions
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/templates/2.0/traefik-clusterrolebinding.yml.j2 b/templates/2.0/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..9f58700
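Review bot: The `Retreive actual traefik version` task builds a shell command from data returned by the cluster — `echo "{{ traefik_actual_resources.resources }}" | sed ...` interpolates the whole k8s_info result into the command line, so a quote or shell metacharacter anywhere in that object either breaks the pipeline or is interpreted by the shell, and the only downstream guard is `not traefik_actual_version.stdout == "[]"`. The same version list is obtainable with Jinja filters alone (below), with no shell, no `.stdout` text and a typo-free task name; the remove task then tests `traefik_actual_version | length > 0` and loops over the list instead of comparing strings. In the ipwhitelist task, `regex_search('(^2.)')` has an unescaped dot and also matches values such as `20`; `regex_search('^2\\.')` is what was meant. The enclosing block whose `tags: traefik` closes this hunk starts before the hunk, and the two blank lines plus the `# - traefik-ping.yml.j2` remnant before the ipwhitelist tasks look like leftovers.
```yaml
  - name: Retrieve actual traefik version
    set_fact:
      traefik_actual_version: >-
        {{ traefik_actual_resources.resources
           | map(attribute='spec.template.spec.containers') | flatten
           | map(attribute='image')
           | select('search', 'traefik:')
           | map('regex_replace', '^.*traefik:([0-9]+\\.[0-9]+).*$', '\\1')
           | unique | list }}
  # … unchanged: "Remove old traefik version" / "Install traefik version" tasks,
  #   adjusted to read the list instead of .stdout …
```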
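Review bot: The first rule grants `get`/`list`/`watch` on `secrets` with no namespace restriction, so the `traefik-ingress-controller` ServiceAccount bound to this ClusterRole can read every Secret in the cluster, not only TLS material in `{{ traefik_namespace }}`; Traefik needs that only to resolve `tls.secretName` on IngressRoutes in other namespaces. Record the trade-off in the template, e.g. `# cluster-wide read on secrets: needed for cross-namespace tls.secretName; when routes live in one namespace, restrict providers.kubernetescrd.namespaces and use a Role/RoleBinding instead`, and the same applies to the 2.1, 2.2 and 2.3 clusterrole templates later in this commit. `rbac.authorization.k8s.io/v1beta1` was removed in Kubernetes 1.22 while `v1` has existed since 1.8, so `apiVersion: rbac.authorization.k8s.io/v1` (which the 2.3 template already uses) is the safer choice for all four.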
--- /dev/null
+++ b/templates/2.0/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: traefik
diff --git a/templates/2.0/traefik-crd-ingressroute.yml.j2 b/templates/2.0/traefik-crd-ingressroute.yml.j2
new file mode 100644
index 0000000..41f70f9
--- /dev/null
+++ b/templates/2.0/traefik-crd-ingressroute.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
diff --git a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2
new file mode 100644
index 0000000..107c4e5
--- /dev/null
+++ b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/templates/2.0/traefik-crd-middleware.yml.j2 b/templates/2.0/traefik-crd-middleware.yml.j2
new file mode 100644
index 0000000..b517ac8
--- /dev/null
+++ b/templates/2.0/traefik-crd-middleware.yml.j2
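Review bot: `namespace: traefik` under `subjects` is hardcoded whereas every other template in this commit uses `{{ traefik_namespace }}`; when the role is deployed to another namespace, this cluster-wide ClusterRole is bound to a ServiceAccount that does not exist, so Traefik in `{{ traefik_namespace }}` runs without permissions, while any `traefik-ingress-controller` account later created in a namespace called `traefik` silently inherits them. Use `namespace: {{ traefik_namespace }}` as the 2.1, 2.2 and 2.3 bindings in this commit already do.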
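Review bot: `metadata.namespace: traefik` on a CustomResourceDefinition is meaningless — CRDs are cluster-scoped, so the namespace is ignored on create as far as I know — and it additionally hardcodes a value the rest of the role takes from `traefik_namespace`; the 2.3 CRD templates in this commit already drop the line, and the 2.0/2.1/2.2 ones (ingressroute, ingressroutetcp, middleware, tlsoption, traefikservice, plus the 2.2 ingressrouteudps/tlsstores files) should match. `spec.scope: Namespaced` is the field that actually scopes the custom resources and is already correct. Every CRD template also uses `apiextensions.k8s.io/v1beta1` with the single-`version` form, which was removed in Kubernetes 1.22; a comment stating which cluster versions each `templates/2.x` directory targets would make that constraint visible.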
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
diff --git a/templates/2.0/traefik-crd-tlsoption.yml.j2 b/templates/2.0/traefik-crd-tlsoption.yml.j2
new file mode 100644
index 0000000..1495e0d
--- /dev/null
+++ b/templates/2.0/traefik-crd-tlsoption.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
diff --git a/templates/2.1/Ressources-exemple.yml b/templates/2.1/Ressources-exemple.yml
new file mode 100644
index 0000000..bf512dd
--- /dev/null
+++ b/templates/2.1/Ressources-exemple.yml
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.1/traefik-clusterrole.yml.j2 b/templates/2.1/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..fe4f9c9 --- /dev/null +++ b/templates/2.1/traefik-clusterrole.yml.j2 @@ -0,0 +1,42 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + - ingressroutes + - traefikservices + - ingressroutetcps + - tlsoptions + verbs: + - get + - list + - watch 
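Review bot: `Ressources-exemple.yml` carries a `.yml` extension yet contains Jinja (`namespace: {{ traefik_namespace }}`), is not referenced by any task visible in this diff (the per-version `_list` variables live outside it), and is added byte-identically under 2.2 and 2.3 as well (blob `bf512dd`), so a reader cannot tell whether it is applied, templated, or merely illustrative. A leading comment such as `# Illustrative TraefikService/IngressRoute manifests for this CRD version; not applied by the role` would settle that, and one shared copy would avoid the triplication. If it is meant to be applied, it needs the `.j2` suffix and an entry in the template list, and placeholders like `secretName: supersecret` would need real values.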
diff --git a/templates/2.1/traefik-clusterrolebinding.yml.j2 b/templates/2.1/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..2a4398a
--- /dev/null
+++ b/templates/2.1/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.1/traefik-crd-ingressroute.yml.j2 b/templates/2.1/traefik-crd-ingressroute.yml.j2
new file mode 100644
index 0000000..f31a6bd
--- /dev/null
+++ b/templates/2.1/traefik-crd-ingressroute.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
diff --git a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2
new file mode 100644
index 0000000..a766ed8
--- /dev/null
+++ b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/templates/2.1/traefik-crd-middleware.yml.j2 b/templates/2.1/traefik-crd-middleware.yml.j2
new file mode 100644
index 0000000..1c0168e
--- /dev/null
+++ b/templates/2.1/traefik-crd-middleware.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
diff --git a/templates/2.1/traefik-crd-tlsoption.yml.j2 b/templates/2.1/traefik-crd-tlsoption.yml.j2
new file mode 100644
index 0000000..a1200f0
--- /dev/null
+++ b/templates/2.1/traefik-crd-tlsoption.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
diff --git a/templates/2.1/traefik-crd-traefikservice.yml.j2 b/templates/2.1/traefik-crd-traefikservice.yml.j2
new file mode 100644
index 0000000..46ce7ca
--- /dev/null
+++ b/templates/2.1/traefik-crd-traefikservice.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: traefikservices.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TraefikService
+ plural: traefikservices
+ singular: traefikservice
+ scope: Namespaced
diff --git a/templates/2.2/Ressources-exemple.yml b/templates/2.2/Ressources-exemple.yml
new file mode 100644
index 0000000..bf512dd
--- /dev/null
+++ b/templates/2.2/Ressources-exemple.yml
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrole.yml.j2 b/templates/2.2/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..bef2410 --- /dev/null +++ b/templates/2.2/traefik-clusterrole.yml.j2 
@@ -0,0 +1,48 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['traefik-ingress-controller']
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/templates/2.2/traefik-clusterrolebinding.yml.j2 b/templates/2.2/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..2a4398a
--- /dev/null
+++ b/templates/2.2/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.2/traefik-crd-ingressroutes.yml.j2 b/templates/2.2/traefik-crd-ingressroutes.yml.j2
new file mode 100644
index 0000000..f31a6bd
--- /dev/null
+++ b/templates/2.2/traefik-crd-ingressroutes.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
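Review bot: The new PSP rule at the top of `rules` is written in flow style (`apiGroups: ['policy']`, `resources: ['podsecuritypolicies']`, `verbs: ['use']`) while every other rule in the file uses block sequences, and the file is saved without a trailing newline (`\ No newline at end of file`); the 2.3 clusterrole template later in this commit repeats both. Rewriting that rule in block style and adding the final newline keeps the RBAC templates uniform and makes future diffs cleaner.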
diff --git a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2
new file mode 100644
index 0000000..a766ed8
--- /dev/null
+++ b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2
new file mode 100644
index 0000000..535726c
--- /dev/null
+++ b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressrouteudps.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteUDP
+ plural: ingressrouteudps
+ singular: ingressrouteudp
+ scope: Namespaced
diff --git a/templates/2.2/traefik-crd-middlewares.yml.j2 b/templates/2.2/traefik-crd-middlewares.yml.j2
new file mode 100644
index 0000000..1c0168e
--- /dev/null
+++ b/templates/2.2/traefik-crd-middlewares.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
diff --git a/templates/2.2/traefik-crd-tlsoptions.yml.j2 b/templates/2.2/traefik-crd-tlsoptions.yml.j2
new file mode 100644
index 0000000..a1200f0
--- /dev/null
+++ b/templates/2.2/traefik-crd-tlsoptions.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
diff --git a/templates/2.2/traefik-crd-tlsstores.yml.j2 b/templates/2.2/traefik-crd-tlsstores.yml.j2
new file mode 100644
index 0000000..eae918f
--- /dev/null
+++ b/templates/2.2/traefik-crd-tlsstores.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsstores.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSStore
+ plural: tlsstores
+ singular: tlsstore
+ scope: Namespaced
diff --git a/templates/2.2/traefik-crd-traefikservices.yml.j2 b/templates/2.2/traefik-crd-traefikservices.yml.j2
new file mode 100644
index 0000000..46ce7ca
--- /dev/null
+++ b/templates/2.2/traefik-crd-traefikservices.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: traefikservices.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TraefikService
+ plural: traefikservices
+ singular: traefikservice
+ scope: Namespaced
diff --git a/templates/2.3/Ressources-exemple.yml b/templates/2.3/Ressources-exemple.yml
new file mode 100644
index 0000000..bf512dd
--- /dev/null
+++ b/templates/2.3/Ressources-exemple.yml
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.3/traefik-clusterrole.yml.j2 b/templates/2.3/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..46bbd16 --- /dev/null +++ b/templates/2.3/traefik-clusterrole.yml.j2 
@@ -0,0 +1,50 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['traefik-ingress-controller']
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/templates/2.3/traefik-clusterrolebinding.yml.j2 b/templates/2.3/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..2a4398a
--- /dev/null
+++ b/templates/2.3/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.3/traefik-crd-ingressroutes.yml.j2 b/templates/2.3/traefik-crd-ingressroutes.yml.j2
new file mode 100644
index 0000000..0bcfd35
--- /dev/null
+++ b/templates/2.3/traefik-crd-ingressroutes.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
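Review bot: `networking.k8s.io` was added to the `ingresses`/`ingressclasses` read rule but not to the `ingresses/status` update rule below it, which still lists only `extensions`; if Traefik writes load-balancer status back through the `networking.k8s.io` API for Ingresses created there, those updates would be denied (the upstream Traefik chart lists both groups in that rule, as far as I recall). Add `- networking.k8s.io` under that rule's `apiGroups`, so the two Ingress rules stay symmetric.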
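Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` is kept here while the 2.3 ClusterRole in this same commit moved to `rbac.authorization.k8s.io/v1`; on a cluster that no longer serves the beta API (1.22+) the role applies and the binding fails, leaving Traefik running without its permissions. Use `apiVersion: rbac.authorization.k8s.io/v1` here as well. The file is byte-identical to the 2.1 and 2.2 bindings (blob `2a4398a`), so a single shared template would keep the three copies from drifting apart.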
diff --git a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2
new file mode 100644
index 0000000..36b202a
--- /dev/null
+++ b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2
new file mode 100644
index 0000000..d7c2624
--- /dev/null
+++ b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressrouteudps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteUDP
+ plural: ingressrouteudps
+ singular: ingressrouteudp
+ scope: Namespaced
diff --git a/templates/2.3/traefik-crd-middlewares.yml.j2 b/templates/2.3/traefik-crd-middlewares.yml.j2
new file mode 100644
index 0000000..d1ae35f
--- /dev/null
+++ b/templates/2.3/traefik-crd-middlewares.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
diff --git a/templates/2.3/traefik-crd-tlsoptions.yml.j2 b/templates/2.3/traefik-crd-tlsoptions.yml.j2
new file mode 100644
index 0000000..1495e0d
--- /dev/null
+++ b/templates/2.3/traefik-crd-tlsoptions.yml.j2
@@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.3/traefik-crd-tlsstores.yml.j2 b/templates/2.3/traefik-crd-tlsstores.yml.j2 new file mode 100644 index 0000000..f9a4005 --- /dev/null +++ b/templates/2.3/traefik-crd-tlsstores.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced diff --git a/templates/2.3/traefik-crd-traefikservices.yml.j2 b/templates/2.3/traefik-crd-traefikservices.yml.j2 new file mode 100644 index 0000000..3262c43 --- /dev/null +++ b/templates/2.3/traefik-crd-traefikservices.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced \ No newline at end of file diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index a29ddaa..37a2ff7 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -1,9 +1,4 @@ apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: traefik - name: traefik-conf data: traefik.yaml: | global: 
@@ -12,20 +7,6 @@ data: serversTransport: insecureSkipVerify: true entryPoints: - web: - address: ":8000/tcp" - http: - redirections: - entryPoint: - to: websecure - scheme: https - websecure: - address: ":8443/tcp" - http: - tls: - options: default - traefik: - address: ":9000/tcp" {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: address: :{{ traefik_entrypoint.port }} @@ -45,11 +26,18 @@ data: watch: true metrics: prometheus: + buckets: + - 0.1 + - 0.3 + - 1.2 + - 5 entryPoint: traefik ping: entryPoint: traefik api: + insecure: true dashboard: true + debug: true log: level: WARN format: json @@ -61,3 +49,9 @@ data: BackendName: keep BackendURL: keep FrontendName: keep +kind: ConfigMap +metadata: + labels: + app: traefik + name: traefik + namespace: {{ traefik_namespace }} diff --git a/templates/traefik-dashboard-insecure.yml.j2 b/templates/traefik-dashboard-insecure.yml.j2 new file mode 100644 index 0000000..4ed4b56 --- /dev/null +++ b/templates/traefik-dashboard-insecure.yml.j2 
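Review bot: The removed static `web`/`websecure`/`traefik` entry points carried the entry-point-level `http.redirections` (http to https) and `http.tls.options: default`; the replacement `{% for traefik_entrypoint in traefik_entrypoints %}` loop body runs past the end of the hunk, so I cannot see whether it re-emits either. If it does not, plain-HTTP routers that forget the `https-only` middleware serve unredirected, and routers without an explicit `tls.options` fall back to Traefik's built-in TLS defaults rather than the hardened TLSOption added in this commit. A comment above the loop listing the keys it expects from each entry (`name`, `port`, `proto`, `hostport`, plus any tls/redirect flags) would document the contract the variable has to satisfy.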
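Review bot: `insecure: true` and `debug: true` under `api:` enable the unauthenticated API/dashboard on the `traefik` entry point and the debug endpoints respectively; the dashboard is already reached through the IngressRoutes to `api@internal` with middlewares, so neither flag is needed for that path and both widen what every node running the DaemonSet exposes. Drop the two lines, keeping `dashboard: true`, or gate them behind a role variable that defaults to false. The Prometheus `buckets` values (`0.1`, `0.3`, `1.2`, `5`) parse as numbers, which is what the metrics config expects, so no change is needed there.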
@@ -0,0 +1,40 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard-insecure + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - http + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} + - name: https-only + services: + - name: api@internal + kind: TraefikService +# - name: traefik-dashboard +# port: 8080 +# # (default 1) A weight used by the weighted round-robin strategy (WRR). +# weight: 1 +# # (default true) PassHostHeader controls whether to leave the request's Host +# # Header as it was before it reached the proxy, or whether to let the proxy set it +# # to the destination (backend) host. +# passHostHeader: true +# responseForwarding: +# # (default 100ms) Interval between flushes of the buffered response body to the client. +# flushInterval: 100ms diff --git a/templates/traefik-dashboard-svc.yml.j2 b/templates/traefik-dashboard-svc.yml.j2 new file mode 100644 index 0000000..f6973c0 --- /dev/null +++ b/templates/traefik-dashboard-svc.yml.j2 
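Review bot: The `https-only` middleware (a `redirectScheme` to https per the sibling hunk) runs on every request to this `http` entry-point route, so the `api@internal` service listed after it is never reached; if the route exists only to redirect, point it at Traefik's `noop@internal` service instead, so a later edit of the middleware list cannot start serving the dashboard over plain HTTP. `traefik-ipwhitelist` is attached only when `ingress_whitelist` is defined, and no authentication middleware is attached even though this commit adds a `basic-auth` Middleware, so access control for the dashboard has to be verified on the https route. The twelve commented-out lines from `traefik-dashboard` through `flushInterval: 100ms` are pasted verbatim into this file, `templates/traefik-ingressroute.yml.j2` and `templates/traefik-ping.yml.j2`; dead configuration should be deleted rather than triplicated.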
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik-dashboard + namespace: {{ traefik_namespace }} + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 +# - name: traefik +# port: 8080 +# protocol: TCP + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: ClusterIP + selector: + app: traefik diff --git a/templates/traefik-dp.yml.j2 b/templates/traefik-dp.yml.j2 new file mode 100644 index 0000000..b7f3a54 --- /dev/null +++ b/templates/traefik-dp.yml.j2 
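Review bot: This `traefik-dashboard` Service selects `app: traefik` on ports 80/443 — the same pods and ports as the `traefik` Service in the `templates/traefik-svc.yml.j2` hunk — so it is a duplicate ClusterIP rather than a dashboard-specific service; the commented `traefik`/8080 port is the only thing that would have distinguished it. Both Services use numeric `targetPort: 80`/`443`, which break silently if `traefik_entrypoints` keeps the unprivileged container ports (8000/8443) the removed static config used; since the container ports are named from `traefik_entrypoint.name`, `targetPort: http` / `targetPort: https` is more robust. If the Service has no consumer, drop it.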
@@ -0,0 +1,93 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + namespace: {{ traefik_namespace }} + name: traefik + labels: + app: traefik + +spec: +# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} + strategy: + type: Recreate + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller +# securityContext: +# sysctls: +# - name: kernel.net.ipv4.ip_unprivileged_port_start +# value: "80" + containers: + - name: traefik + image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }} + args: + - --configfile=/config/traefik.yaml +# imagePullPolicy: IfNotPresent + ports: +{% for traefik_entrypoint in traefik_entrypoints %} + - name: {{ traefik_entrypoint.name }} + containerPort: {{ traefik_entrypoint.port }} + protocol: {{ traefik_entrypoint.proto }} +{% if traefik_entrypoint.hostport is defined %} + hostPort: {{ traefik_entrypoint.hostport }} +{% endif %} +{% endfor %} + readinessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + resources: + limits: + cpu: {{ traefik_cpu_limit }} + memory: {{ traefik_memory_limit }} + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /config + name: config +{% if traefik_node_selector is defined %} + nodeSelector: + reslinger.net/entrypoint: traefik +{% endif %} + dnsPolicy: ClusterFirst + hostNetwork: false + restartPolicy: Always + terminationGracePeriodSeconds: 1 + tolerations: + - effect: NoSchedule + 
operator: Exists + volumes: + - configMap: + defaultMode: 420 + name: traefik + name: config diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 deleted file mode 100644 index 4a0c27e..0000000 --- a/templates/traefik-files.yml.j2 +++ /dev/null 
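Review bot: `strategy: type: Recreate` directly under `spec:` is a Deployment field; a DaemonSet uses `spec.updateStrategy` (`RollingUpdate`/`OnDelete`), so depending on the API server version this block is rejected or silently dropped, and together with the commented-out `replicas` line it looks like a Deployment converted in place. The container `securityContext` sets `allowPrivilegeEscalation: true` and omits `readOnlyRootFilesystem`, while the PodSecurityPolicy added in `templates/traefik-psp.yml.j2` requires `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, so wherever that PSP admits the pod the DaemonSet is rejected. Running as uid 1000 with `NET_BIND_SERVICE` only takes effect if the binary carries the file capability; if the entry points stay on unprivileged container ports (the removed static config used 8000/8443/9000 behind `hostPort`), both the capability and the escalation are unnecessary. The commented sysctl `kernel.net.ipv4.ip_unprivileged_port_start` also looks misnamed — the sysctl is `net.ipv4.ip_unprivileged_port_start`.
```yaml
spec:
  updateStrategy:
    type: RollingUpdate
  # … unchanged: selector, template metadata, serviceAccountName, image/args/ports, probes …
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE  # drop if entry points use unprivileged ports
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # matches the PSP; add an emptyDir if the image needs a writable path
  # … unchanged: resources, volumeMounts, nodeSelector, tolerations, volumes …
```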
@@ -1,72 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: traefik-files -data: - traefik-middlewares.yaml: | - http: - middlewares: - compress: - compress: - excludedContentTypes: ["text/event-stream"] - rate-limit: - rateLimit: - average: 100 - burst: 50 - security_headers: - headers: - accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] - accessControlAllowOrigin: "origin-list-or-null" - accessControlMaxAge: 100 - addVaryHeader: true - browserXssFilter: true - contentTypeNosniff: true - forceSTSHeader: true - frameDeny: true - stsIncludeSubdomains: true - stsPreload: true - customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy: "same-origin" - featurePolicy: "vibrate 'self'" - stsSeconds: 315360000 - sslRedirect: true - contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" - # customResponseHeaders: - # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," - # server: "" -{% if ingress_whitelist is defined %} - traefik-ipwhitelist: - ipWhiteList: - sourceRange: -{% for acl_whitelist in ingress_whitelist %} - - {{ acl_whitelist }} -{% endfor %} -{% endif %} -{% if basic_auth|bool %} - basic-auth: - basicAuth: - removeHeader: true - usersFile: "/etc/traefik/basic-auth/basic_auth" - # users: - # - {{ basic_auth_data }} -{% endif %} - authelia: - forwardAuth: - address: "http://authelia:9091/api/verify?rd=https://login.example.com/" - trustForwardHeader: true - authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"] - - traefik-tls-defaults-options.yaml: | - tls: - options: - default: - sniStrict: true - minVersion: VersionTLS12 - curvePreferences: - - CurveP521 - - CurveP384 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 587857f..5c8ca55 100644 --- a/templates/traefik-ingressroute.yml.j2 
+++ b/templates/traefik-ingressroute.yml.j2 @@ -2,6 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik + namespace: {{ traefik_namespace }} labels: app: traefik @@ -29,6 +30,17 @@ spec: services: - name: api@internal kind: TraefikService +# - name: traefik-dashboard +# port: 8080 +# # (default 1) A weight used by the weighted round-robin strategy (WRR). +# weight: 1 +# # (default true) PassHostHeader controls whether to leave the request's Host +# # Header as it was before it reached the proxy, or whether to let the proxy set it +# # to the destination (backend) host. +# passHostHeader: true +# responseForwarding: +# # (default 100ms) Interval between flushes of the buffered response body to the client. +# flushInterval: 100ms - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) kind: Rule services: @@ -46,3 +58,6 @@ spec: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} {% endif %} + options: + name: default + namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-middleware-basicauth.yml.j2 b/templates/traefik-middleware-basicauth.yml.j2 new file mode 100644 index 0000000..797fe1f --- /dev/null +++ b/templates/traefik-middleware-basicauth.yml.j2 @@ -0,0 +1,8 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: basic-auth + namespace: {{ traefik_namespace }} +spec: + basicAuth: + secret: basic-auth \ No newline at end of file diff --git a/templates/traefik-middleware-headers.yml.j2 b/templates/traefik-middleware-headers.yml.j2 new file mode 100644 index 0000000..50172d4 --- /dev/null +++ b/templates/traefik-middleware-headers.yml.j2 
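Review bot: `basicAuth.secret: basic-auth` references a Secret named `basic-auth` in `{{ traefik_namespace }}` that no template in this commit creates, and the deleted `traefik-files.yml.j2` provisioned credentials through `usersFile` instead, so either a Secret template or a documented manual step is missing; the middleware is also defined but attached to none of the dashboard routes in this commit. A header comment such as `# expects an existing Secret 'basic-auth' (htpasswd users) in traefik_namespace; not created by this role` would make the dependency explicit.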
@@ -0,0 +1,31 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: security-headers + namespace: {{ traefik_namespace }} +spec: + headers: + browserXssFilter: "true" + contentTypeNosniff: "true" + forceSTSHeader: "true" + frameDeny: "true" + stsIncludeSubdomains: "true" + stsPreload: "true" + stsSeconds: "15768000" + sslRedirect: "true" + contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" + customFrameOptionsValue: "SAMEORIGIN" + referrerPolicy: "same-origin" + featurePolicy: "vibrate 'self'" + + # CORS + accessControlAllowMethods: + - "GET" + - "OPTIONS" + - "PUT" + accessControlAllowOrigin: "origin-list-or-null" + #accessControlAllowOriginList: + # - "https://foo.bar.org" + # - "https://example.org" + accessControlMaxAge: 100 + addVaryHeader: "true" \ No newline at end of file diff --git a/templates/traefik-middleware-httpsredirect.yml.j2 b/templates/traefik-middleware-httpsredirect.yml.j2 new file mode 100644 index 0000000..d5f4cb3 --- /dev/null +++ b/templates/traefik-middleware-httpsredirect.yml.j2 @@ -0,0 +1,8 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: https-only + namespace: {{ traefik_namespace }} +spec: + redirectScheme: + scheme: https \ No newline at end of file diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2 index 2e987a9..0722f45 100644 --- a/templates/traefik-middleware-ipwhitelist.yml.j2 +++ b/templates/traefik-middleware-ipwhitelist.yml.j2 @@ -2,6 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: traefik-ipwhitelist + namespace: {{ traefik_namespace }} spec: ipWhiteList: sourceRange: diff --git a/templates/traefik-ping.yml.j2 b/templates/traefik-ping.yml.j2 new file mode 100644 index 0000000..86666f8 --- /dev/null +++ b/templates/traefik-ping.yml.j2 
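Review bot: Every boolean and numeric header option is written as a quoted string (`browserXssFilter: "true"`, `stsSeconds: "15768000"`, `addVaryHeader: "true"`), whereas the deleted `traefik-files.yml.j2` set the same options unquoted; Traefik decodes the `headers` spec into typed fields, so these are likely to fail decoding and leave the whole `security-headers` middleware missing at runtime, with nothing caught at admission because the v1beta1 CRDs have no schema — unquote them (`browserXssFilter: true`, `stsSeconds: 15768000`). `stsPreload: true` with `stsSeconds` of 15768000 (about 182 days) is below the one-year `max-age` the HSTS preload list requires; the previous file used 315360000. `accessControlAllowOrigin: "origin-list-or-null"` is the deprecated single-value form that the commented `accessControlAllowOriginList` lines already hint at replacing, and the `'unsafe-inline'` in `contentSecurityPolicy` is carried over without a comment explaining why inline scripts/styles must be permitted.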
@@ -0,0 +1,41 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ping + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - https + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 14 + services: + - name: ping@internal + kind: TraefikService +# - name: traefik-dashboard +# port: 8080 +# # (default 1) A weight used by the weighted round-robin strategy (WRR). +# weight: 1 +# # (default true) PassHostHeader controls whether to leave the request's Host +# # Header as it was before it reached the proxy, or whether to let the proxy set it +# # to the destination (backend) host. +# passHostHeader: true +# responseForwarding: +# # (default 100ms) Interval between flushes of the buffered response body to the client. +# flushInterval: 100ms + tls: + secretName: wildcard-cluster + options: + name: default + namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-psp.yml.j2 b/templates/traefik-psp.yml.j2 new file mode 100644 index 0000000..ac10d3d --- /dev/null +++ b/templates/traefik-psp.yml.j2 
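Review bot: `secretName: wildcard-cluster` is a hard-coded Secret name, whereas the sibling `templates/traefik-ingressroute.yml.j2` hunk takes the certificate from `traefik_dashboard_certificate` when defined; use the same variable and `{% if %}` guard here so the two routes on the same host cannot drift onto different certificates. The route publishes `/ping` on the public `https` entry point with no middleware; the DaemonSet probes already hit the container port directly, so if the external route is intended (for example for an upstream load-balancer health check) say so in a comment and attach `traefik-ipwhitelist` when `ingress_whitelist` is defined, as the dashboard route does. `priority: 14` is an unexplained constant; a comment such as `# must outrank the dashboard Host() route on the same host` would help, assuming that is the reason.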
@@ -0,0 +1,49 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: traefik-ingress-controller +spec: + requiredDropCapabilities: + - ALL + allowedCapabilities: + - NET_BIND_SERVICE + privileged: false + allowPrivilegeEscalation: false + # Allow core volume types. + volumes: + - configMap + - downwardAPI + - secret + - emptyDir + - projected + # - persistentVolumeClaim + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + hostPorts: + readOnlyRootFilesystem: true + seLinux: + rule: 'RunAsAny' + hostPorts: + - max: 65535 + min: 1 + #allowedUnsafeSysctls: + # - kernel.net.ipv4.ip_unprivileged_port_start \ No newline at end of file diff --git a/templates/traefik-sa.yml.j2 b/templates/traefik-sa.yml.j2 index 8a31290..07c38a6 100644 --- a/templates/traefik-sa.yml.j2 +++ b/templates/traefik-sa.yml.j2 @@ -1,4 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: + namespace: {{ traefik_namespace }} name: traefik-ingress-controller diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index dc82b82..7c369da 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 
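Review bot: `hostPorts:` appears twice under `spec` — first as a bare key (null) right after `fsGroup`, then with the `min: 1`/`max: 65535` range; duplicate keys are invalid YAML and last-wins on most parsers, so delete the bare one. The surviving range permits any host port, while the DaemonSet only needs the `hostport` values from `traefik_entrypoints` (80 and 443 in the old Service), so narrow the ranges to those ports. `policy/v1beta1` PodSecurityPolicy and the `seccomp.security.alpha.kubernetes.io` annotations are gone in Kubernetes 1.25; a comment stating the supported cluster range, or the Pod Security admission label intended to replace this, would document the migration path.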
@@ -2,23 +2,20 @@ apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/instance: traefik - app.kubernetes.io/name: traefik + app: traefik name: traefik + namespace: {{ traefik_namespace }} spec: ports: - - name: web - hostPort: 80 + - name: http port: 80 protocol: TCP - targetPort: web - - name: websecure - hostPort: 443 + targetPort: 80 + - protocol: TCP port: 443 - protocol: TCP - targetPort: websecure + name: https + targetPort: 443 + type: LoadBalancer selector: - app.kubernetes.io/instance: traefik - app.kubernetes.io/name: traefik - sessionAffinity: None + app: traefik diff --git a/templates/traefik-tls-options.yml.j2 b/templates/traefik-tls-options.yml.j2 new file mode 100644 index 0000000..6f64045 --- /dev/null +++ b/templates/traefik-tls-options.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: {{ traefik_namespace }} + +spec: + sniStrict: true + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + curvePreferences: + - CurveP521 + - CurveP384 \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index 3720128..cb917ee 100644 --- a/vars/main.yml +++ b/vars/main.yml 
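Review bot: `cipherSuites` lists only `TLS_ECDHE_RSA_*` suites, so if the certificate in `wildcard-cluster` or `traefik_dashboard_certificate` is ECDSA no suite matches and every TLS 1.2 handshake fails; add the ECDSA counterparts (`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`) or drop the explicit list. As far as I know Traefik's Go TLS stack ignores `cipherSuites` for TLS 1.3, so the list only constrains TLS 1.2 clients — worth a comment so nobody assumes it governs all connections. `curvePreferences` omits `X25519` and `CurveP256`, the curves most clients prefer; listing only P-521/P-384 costs handshake performance without a security gain at this level.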
@@ -1,5 +1,35 @@ +traefik_version_2_0: 2.0.7 +traefik_2_0_list: + - 2.0/traefik-clusterrole.yml.j2 + - 2.0/traefik-clusterrolebinding.yml.j2 + - 2.0/traefik-crd-ingressroute.yml.j2 + - 2.0/traefik-crd-ingressroutetcp.yml.j2 + - 2.0/traefik-crd-middleware.yml.j2 + - 2.0/traefik-crd-tlsoption.yml.j2 -traefik_version_2_3: 2.3.7 +traefik_version_2_1: 2.1.9 +traefik_2_1_list: + - 2.1/traefik-clusterrole.yml.j2 + - 2.1/traefik-clusterrolebinding.yml.j2 + - 2.1/traefik-crd-ingressroute.yml.j2 + - 2.1/traefik-crd-ingressroutetcp.yml.j2 + - 2.1/traefik-crd-middleware.yml.j2 + - 2.1/traefik-crd-tlsoption.yml.j2 + - 2.1/traefik-crd-traefikservice.yml.j2 + +traefik_version_2_2: 2.2.11 +traefik_2_2_list: + - 2.2/traefik-crd-ingressroutes.yml.j2 + - 2.2/traefik-crd-ingressroutetcps.yml.j2 + - 2.2/traefik-crd-ingressrouteudps.yml.j2 + - 2.2/traefik-crd-middlewares.yml.j2 + - 2.2/traefik-crd-tlsoptions.yml.j2 + - 2.2/traefik-crd-tlsstores.yml.j2 + - 2.2/traefik-crd-traefikservices.yml.j2 + - 2.2/traefik-clusterrole.yml.j2 + - 2.2/traefik-clusterrolebinding.yml.j2 + +traefik_version_2_3: 2.3.4 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2