11 changed files with 51 additions and 130 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,8 +11,8 @@ traefik_namespace: "traefik"
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
 traefik_entrypoints:
-    - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
-    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
+    - { name: "http", port: 80, proto: "TCP" }
+    - { name: "https", port: 443, proto: "TCP", tls: true }
    - { name: "traefik", port: 8080, proto: "TCP" }

 basic_auth: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -49,7 +49,7 @@
    k8s_info:
      context: "{{ my_context }}"
      api_version: v1
-      kind: DaemonSet
+      kind: Deployment
      name: traefik
      namespace: '{{ traefik_namespace }}'
      field_selectors:
@ -82,19 +82,18 @@
      resource_definition: "{{ lookup('template', item) | from_yaml }}"
    with_items:
      - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
-      - traefik-psp.yml.j2
      - traefik-cm.yml.j2
      - traefik-sa.yml.j2
      - traefik-dp.yml.j2
-#      - traefik-svc.yml.j2
-#      - traefik-dashboard-svc.yml.j2
+      - traefik-svc.yml.j2
+      - traefik-dashboard-svc.yml.j2
      - traefik-middleware-httpsredirect.yml.j2
      - traefik-middleware-basicauth.yml.j2
      - traefik-middleware-headers.yml.j2
      - traefik-tls-options.yml.j2
-      - traefik-ingressroute.yml.j2
+      - traefik-dashboard.yml.j2
      - traefik-dashboard-insecure.yml.j2
-#      - traefik-ping.yml.j2
+      - traefik-ping.yml.j2


  - name: Define state of ipwhitelist middleware to present
--- a/templates/2.2/traefik-clusterrole.yml.j2
+++ b/templates/2.2/traefik-clusterrole.yml.j2
@ -4,10 +4,6 @@ metadata:
  name: traefik-ingress-controller

 rules:
-  - apiGroups:     ['policy']
-    resources:     ['podsecuritypolicies']
-    verbs:         ['use']
-    resourceNames: ['traefik-ingress-controller']
  - apiGroups:
      - ""
    resources:
--- a/templates/2.3/traefik-clusterrole.yml.j2
+++ b/templates/2.3/traefik-clusterrole.yml.j2
@ -1,5 +1,5 @@
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: traefik-ingress-controller

--- a/templates/traefik-dashboard-insecure.yml.j2
+++ b/templates/traefik-dashboard-insecure.yml.j2
@ -19,22 +19,21 @@ spec:
    # only support "Rule".
    kind: Rule
    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
    middlewares:
 {% if ingress_whitelist is defined %}
      - name: traefik-ipwhitelist
 {% endif %}
      - name: https-only
    services:
-    - name: api@internal
-      kind: TraefikService
-#    - name: traefik-dashboard
-#      port: 8080
-#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-#      weight: 1
-#      # (default true) PassHostHeader controls whether to leave the request's Host
-#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-#      # to the destination (backend) host.
-#      passHostHeader: true
-#      responseForwarding:
-#        # (default 100ms) Interval between flushes of the buffered response body to the client.
-#        flushInterval: 100ms
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
--- a/templates/traefik-dashboard-svc.yml.j2
+++ b/templates/traefik-dashboard-svc.yml.j2
@ -12,9 +12,9 @@ spec:
    port: 80
    protocol: TCP
    targetPort: 80
-#  - name: traefik
-#    port: 8080
-#    protocol: TCP
+  - name: traefik
+    port: 8080
+    protocol: TCP
  - protocol: TCP
    port: 443
    name: https
--- a/templates/traefik-ingressroute.yml.j2
+++ b/templates/traefik-ingressroute.yml.j2
@ -1,7 +1,7 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: traefik
+  name: traefik-dashboard
  namespace: {{ traefik_namespace }}
  labels:
    app: traefik
@ -13,11 +13,13 @@ spec:
  # Match is the rule corresponding to an underlying router.
  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+  - match: Host(`traefik.{{ traefik_domain }}`)
    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
    # "Parameter", etc, to support simpler forms of rule matching, but for now we
    # only support "Rule".
    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
 {% if basic_auth is defined or ingress_whitelist is defined %}
    middlewares:
 {% if ingress_whitelist is defined %}
@ -28,32 +30,17 @@ spec:
 {% endif %}
 {% endif %}
    services:
-    - name: api@internal
-      kind: TraefikService
-#    - name: traefik-dashboard
-#      port: 8080
-#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-#      weight: 1
-#      # (default true) PassHostHeader controls whether to leave the request's Host
-#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-#      # to the destination (backend) host.
-#      passHostHeader: true
-#      responseForwarding:
-#        # (default 100ms) Interval between flushes of the buffered response body to the client.
-#        flushInterval: 100ms
-  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
-    kind: Rule
-    services:
-    - name: ping@internal
-      kind: TraefikService
-  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`)
-    kind: Rule
-    services:
-    - name: prometheus@internal
-      kind: TraefikService
-
-
-
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
  tls:
 {% if traefik_dashboard_certificate is defined %}
    secretName: {{ traefik_dashboard_certificate }}
--- a/templates/traefik-dp.yml.j2
+++ b/templates/traefik-dp.yml.j2
@ -19,10 +19,6 @@ spec:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
-#      securityContext:
-#        sysctls:
-#        - name: kernel.net.ipv4.ip_unprivileged_port_start
-#          value: "80"
      containers:
        - name: traefik
          image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
@ -34,9 +30,7 @@ spec:
            - name: {{ traefik_entrypoint.name }}
              containerPort: {{ traefik_entrypoint.port }}
              protocol: {{ traefik_entrypoint.proto }}
-{% if traefik_entrypoint.hostport is defined %}
-              hostPort: {{ traefik_entrypoint.hostport }}
-{% endif %}
+              hostPort: {{ traefik_entrypoint.port }}
 {% endfor %}
          readinessProbe:
            httpGet:
@ -62,9 +56,6 @@ spec:
                - ALL
              add:
                - NET_BIND_SERVICE
-            runAsUser: 1000
-            runAsGroup: 1000
-            allowPrivilegeEscalation: true
          resources:
            limits:
              cpu: {{ traefik_cpu_limit }}
--- a/templates/traefik-ping.yml.j2
+++ b/templates/traefik-ping.yml.j2
@ -21,19 +21,17 @@ spec:
    # (optional) Priority disambiguates rules of the same length, for route matching.
    priority: 14
    services:
-    - name: ping@internal
-      kind: TraefikService
-#    - name: traefik-dashboard
-#      port: 8080
-#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-#      weight: 1
-#      # (default true) PassHostHeader controls whether to leave the request's Host
-#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-#      # to the destination (backend) host.
-#      passHostHeader: true
-#      responseForwarding:
-#        # (default 100ms) Interval between flushes of the buffered response body to the client.
-#        flushInterval: 100ms
+    - name: traefik-dashboard
+      port: 8080
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
  tls:
    secretName: wildcard-cluster
    options:
--- a/templates/traefik-psp.yml.j2
+++ b/templates/traefik-psp.yml.j2
@ -1,49 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
-  name: traefik-ingress-controller
-spec:
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  privileged: false
-  allowPrivilegeEscalation: false
-  # Allow core volume types.
-  volumes:
-    - configMap
-    - downwardAPI
-    - secret
-    - emptyDir
-    - projected
-  #  - persistentVolumeClaim
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: 'MustRunAsNonRoot'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-    hostPorts:
-  readOnlyRootFilesystem: true
-  seLinux:
-    rule: 'RunAsAny'
-  hostPorts:
-    - max: 65535
-      min: 1
-  #allowedUnsafeSysctls:
-  #  - kernel.net.ipv4.ip_unprivileged_port_start
--- a/vars/main.yml
+++ b/vars/main.yml
@ -29,7 +29,7 @@ traefik_2_2_list:
  - 2.2/traefik-clusterrole.yml.j2
  - 2.2/traefik-clusterrolebinding.yml.j2

-traefik_version_2_3: 2.3.2
+traefik_version_2_3: 2.3.1
 traefik_2_3_list:
  - 2.3/traefik-crd-ingressroutes.yml.j2
  - 2.3/traefik-crd-ingressroutetcps.yml.j2