diff --git a/defaults/main.yml b/defaults/main.yml index c56661e..4cd513a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.4.1" +traefik_version: "2.5.6" traefik_domain: "local" traefik_namespace: "traefik" #ingress_whitelist: @@ -10,10 +10,12 @@ traefik_namespace: "traefik" # - localhost traefik_cpu_limit: 500m traefik_memory_limit: 300Mi -traefik_entrypoints: - - { name: "http", port: 8000, proto: "TCP", hostport: 80 } - - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } - - { name: "traefik", port: 8080, proto: "TCP" } +traefik_entrypoints: [] +# - { name: "http", port: 8000, proto: "TCP", hostport: 80 } +# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } +# - { name: "traefik", port: 8080, proto: "TCP" } +#traefik_external_ips: [] +# - 1.2.3.4 basic_auth: false #traefik_dashboard_certificate: wildcard-cluster \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml index c8bee80..65154b8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,7 +6,7 @@ galaxy_info: galaxy_tags: [] license: GPL2 collections: - - community.kubernetes + - kubernetes.core platforms: - name: kubernetes version: diff --git a/tasks/main.yml b/tasks/main.yml index 60c4ef3..c997bc5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,7 +9,7 @@ api_version: v1 kind: Namespace metadata: - name: traefik + name: '{{ traefik_namespace }}' labels: namespace: '{{ traefik_namespace }}' @@ -17,12 +17,12 @@ k8s: state: present context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' definition: apiVersion: v1 kind: Secret metadata: name: basic-auth - namespace: '{{ traefik_namespace }}' type: Opaque data: basic_auth: "{{ basic_auth_data | b64encode }}" 
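Review bot: The task that writes the `basic-auth` Secret carries no `no_log: true`, so the encoded credential in `data.basic_auth` is returned in the module result and printed on `-v` runs or by any logging callback. Moving `namespace` up to the module argument is fine; add `no_log: true` alongside `state: present` so the credential never reaches Ansible output. The task's `- name:` line and any `when:` tying it to `basic_auth` are outside the hunk, so I cannot confirm the Secret is skipped when `basic_auth: false`; if it is created unconditionally, it should be guarded.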
@@ -74,12 +74,12 @@ # - traefik_actual_version.stdout is version(traefik_version, '>') - name: Defined traefik repository - community.kubernetes.helm_repository: + kubernetes.core.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" tags: traefik - name: Deploy latest version of Traefik - community.kubernetes.helm: + kubernetes.core.helm: context: "{{ my_context }}" name: traefik chart_ref: traefik/traefik @@ -99,12 +99,15 @@ ingressClass: enabled: true isDefaultClass: true - ports: - web: - redirectTo: websecure - hostPort: 80 - websecure: - hostPort: 443 +# ports: +# web: +# redirectTo: websecure +# hostPort: 80 +# websecure: +# hostPort: 443 +# tls: +# enabled: true +# options: default volumes: - mountPath: /etc/traefik name: traefik-conf @@ -115,6 +118,11 @@ - mountPath: /etc/traefik/basic-auth name: basic-auth type: secret + deployment: + replicas: 1 + podAnnotations: + prometheus.io/port: '9000' + prometheus.io/scrape: 'true' - name: Install traefik configuration k8s: @@ -126,6 +134,7 @@ resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-certificate.yml.j2 - traefik-cm.yml.j2 - traefik-files.yml.j2 # - traefik-sa.yml.j2 diff --git a/templates/traefik-certificate.yml.j2 b/templates/traefik-certificate.yml.j2 new file mode 100644 index 0000000..3042d55 --- /dev/null +++ b/templates/traefik-certificate.yml.j2 @@ -0,0 +1,12 @@ +--- +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: traefik.{{ traefik_domain }} +spec: + dnsNames: + - traefik.{{ traefik_domain }} + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + secretName: traefik.{{ traefik_domain }} diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index a29ddaa..9d831ce 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 
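Review bot: Commenting out `tls.options: default` in the chart values leaves the websecure entrypoint's TLS options unset on the chart side, and Traefik only applies a file-provider option implicitly when it is literally named `default`; confirm the cipher-suite option in traefik-files.yml.j2 carries that exact name, otherwise the entrypoint silently falls back to Traefik's built-in defaults. The dead `ports:`/`tls:` block also records nothing about where the behaviour went, even though the web-to-websecure redirect now lives in the static ConfigMap in this same commit. Replace the block with one comment, `# entrypoints, the web->websecure redirect and TLS options are defined in the static config (traefik-cm.yml.j2 / traefik-files.yml.j2), not in chart values`. The enclosing `values:` mapping begins before the hunk.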
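Review bot: `prometheus.io/port: '9000'` presumes the Prometheus metrics endpoint is served on the entrypoint bound to 9000, which nothing in this hunk establishes; if I recall the upstream chart defaults correctly, 9000 is the `traefik` (dashboard/ping) entrypoint and metrics use a separate `metrics` entrypoint on 9100, and since this role replaces the static config via /etc/traefik the real layout is whatever traefik-cm.yml.j2 defines. Verify the port against the `metrics.prometheus.entryPoint` setting and keep that entrypoint off the Service so the unauthenticated `/metrics` surface stays cluster-internal. A comment on the annotation, `# must match the entrypoint metrics.prometheus.entryPoint targets in traefik-cm.yml.j2`, would keep the two from drifting. The enclosing `values:` mapping begins before the hunk.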
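Review bot: Adding `traefik-certificate.yml.j2` to this unconditional list makes cert-manager a hard prerequisite: if the `Certificate` CRD is absent the `k8s` task fails on the first item and the ConfigMaps after it are never applied, and when `traefik_dashboard_certificate` is set a certificate is still requested for a name the IngressRoute will not use. Move it to its own task guarded by `when: traefik_dashboard_certificate is not defined` (or an explicit `traefik_use_cert_manager` flag) and record the cert-manager dependency in the README/meta. The `with_items:` list begins before the hunk.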
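Review bot: `apiVersion: cert-manager.io/v1alpha2` is a deprecated API version that cert-manager stopped serving in release 1.6 (as far as I recall), so on a current cluster the apply fails with an unknown kind and on an older one it breaks at the next cert-manager upgrade; use `apiVersion: cert-manager.io/v1`, whose `Certificate` spec is the same for the fields used here. The issuer is hard-coded as `name: letsencrypt-prod` / `kind: ClusterIssuer`, a deployment-specific name and a public ACME issuer that cannot validate the role's default `traefik_domain: "local"`; expose it as variables (`traefik_cluster_issuer`, `traefik_issuer_kind`) and note in defaults that ACME issuance needs a publicly resolvable domain. The object has no `namespace:` in metadata, so it lands wherever the applying task's `namespace` argument (outside this diff) puts it; confirm that is the IngressRoute's namespace, since `secretName` is only resolvable there.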
@@ -15,6 +15,9 @@ data: web: address: ":8000/tcp" http: +# middlewares: +# - auth@file +# - secure_headers@file redirections: entryPoint: to: websecure diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 4a0c27e..aacb804 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -70,3 +70,16 @@ data: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +{% if false %} + stores: + default: + defaultCertificate: + certFile: path/to/wildcardcert.crt + keyFile: path/to/wildcardcert.key + + certificates: + - certFile: /path/to/domain.cert + keyFile: /path/to/domain.key + - certFile: /path/to/other-domain.cert + keyFile: /path/to/other-domain.key +{% endif %} diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 587857f..dded99b 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -7,7 +7,7 @@ metadata: spec: entryPoints: - - https + - websecure routes: # Match is the rule corresponding to an underlying router. # Later on, match could be the simple form of a path prefix, e.g. just "/bar", @@ -45,4 +45,6 @@ spec: tls: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} +{% else %} + secretName: traefik.{{ traefik_domain }} {% endif %} diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index dc82b82..1397dd8 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 
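Review bot: The commented `middlewares:` entries (`auth@file`, `secure_headers@file`) sit under the `web` entrypoint, which the context lines show redirects every request to `websecure`, so even when uncommented they would only ever see requests that are immediately redirected and never a served response. Entrypoint-wide auth and security headers belong under `websecure.http.middlewares` (the `websecure` entrypoint is outside this hunk), and they should stay commented until both middlewares exist in the file provider, since a reference to an undefined middleware is likely to disable every router on that entrypoint. As written this change sets no security headers anywhere; a `# TODO: attach auth@file/secure_headers@file to websecure once they are defined in traefik-files.yml.j2` states the intent. The `entryPoints:` mapping this sits in begins before the hunk.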
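Review bot: The `stores:` example is wrapped in `{% if false %}` with placeholder `/path/to/*.key` values, which is dead text that Jinja still parses on every run and reads as a half-enabled feature. If it is documentation, make it a Jinja comment (`{# ... #}`) or move it to the README; if it is meant to be enabled later, note that this template appears to render into a `data:` block (the hunk's trailer), presumably a ConfigMap, so the private keys named by `keyFile` must come from a mounted Secret and never from this object. A one-line `{# to enable stores/defaultCertificate, mount a Secret holding the cert and key and point certFile/keyFile at it; never put key material in this ConfigMap #}` carries both points. The `data:` mapping begins before the hunk.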
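Review bot: The new `{% else %}` branch points `tls.secretName` at `traefik.{{ traefik_domain }}`, a Secret that only exists once cert-manager has issued the Certificate added in this commit; with the role default `traefik_domain: "local"` a public ACME issuer cannot validate that name, the Secret never appears, and Traefik logs the missing secret but keeps serving the dashboard with its built-in self-signed certificate. That silently degrades the dashboard to an untrusted certificate, which is exactly what trains users to click through warnings. Either wait for the Secret before applying the IngressRoute (`k8s_info` on the Secret with `until:`/`retries:`) or fail early with an `assert` when neither `traefik_dashboard_certificate` nor a publicly resolvable `traefik_domain` is set. The `tls:` mapping this belongs to begins before the hunk.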
@@ -9,15 +9,19 @@ metadata: spec: ports: - name: web - hostPort: 80 port: 80 protocol: TCP targetPort: web - name: websecure - hostPort: 443 port: 443 protocol: TCP targetPort: websecure +{% if traefik_external_ips is defined %} + externalIPs: +{% for traefik_external_ip in traefik_external_ips %} + - {{ traefik_external_ip }} +{% endfor %} +{% endif %} selector: app.kubernetes.io/instance: traefik app.kubernetes.io/name: traefik
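Review bot: `externalIPs` is the Service field Kubernetes flagged as a traffic-interception vector (CVE-2020-8554: any principal allowed to create Services can claim an IP and receive traffic addressed to it), so its use here needs a control around it — either the cluster runs the `DenyServiceExternalIPs` admission plugin and this role must not set it, or an admission policy restricts the field to this namespace/Service; add a comment above the block recording which. The template also renders a bare `externalIPs:` (null) when the variable is defined but empty and emits each address as an unquoted plain scalar; tighten to `{% if traefik_external_ips | default([]) %}` and `  - "{{ traefik_external_ip }}"`. Dropping `hostPort` from the port entries is correct — `hostPort` is not a ServicePort field — but with `traefik_entrypoints: []` and the chart `hostPort` values commented out in this same commit, nothing binds 80/443 on the nodes any more unless `traefik_external_ips` is set or the Service `type` (outside the hunk) is LoadBalancer/NodePort; the defaults should say so.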