Deploy without hostport

defaults/main.yml

@@ -1,5 +1,5 @@
 my_context: kubernetes
-traefik_version: "2.4.1"
+traefik_version: "2.5.6"
 traefik_domain: "local"
 traefik_namespace: "traefik"
 #ingress_whitelist:
@@ -10,10 +10,12 @@ traefik_namespace: "traefik"
 #  - localhost
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
-traefik_entrypoints:
-    - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
-    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
-    - { name: "traefik", port: 8080, proto: "TCP" }
+traefik_entrypoints: []
+#    - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
+#    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
+#    - { name: "traefik", port: 8080, proto: "TCP" }
+#traefik_external_ips: []
+#   - 1.2.3.4
 
 basic_auth: false
 #traefik_dashboard_certificate: wildcard-cluster

meta/main.yml

@@ -6,7 +6,7 @@ galaxy_info:
   galaxy_tags: []
   license: GPL2
   collections:
-    - community.kubernetes
+    - kubernetes.core
   platforms:
   - name: kubernetes
     version:

tasks/main.yml

@@ -9,7 +9,7 @@
         api_version: v1
         kind: Namespace
         metadata:
-          name: traefik
+          name: '{{ traefik_namespace }}'
           labels:
             namespace: '{{ traefik_namespace }}'
 
@@ -17,12 +17,12 @@
     k8s:
       state: present
       context: "{{ my_context }}"
+      namespace: '{{ traefik_namespace }}'
       definition:
         apiVersion: v1
         kind: Secret
         metadata:
           name: basic-auth
-          namespace: '{{ traefik_namespace }}'
         type: Opaque
         data:
           basic_auth: "{{ basic_auth_data | b64encode }}"
@@ -74,12 +74,12 @@
 #      - traefik_actual_version.stdout is version(traefik_version, '>')
 
   - name: Defined traefik repository
-    community.kubernetes.helm_repository:
+    kubernetes.core.helm_repository:
       name: traefik
       repo_url: "https://helm.traefik.io/traefik"
     tags: traefik
   - name: Deploy latest version of Traefik
-    community.kubernetes.helm:
+    kubernetes.core.helm:
       context: "{{ my_context }}"
       name: traefik
       chart_ref: traefik/traefik
@@ -99,12 +99,15 @@
         ingressClass:
           enabled: true
           isDefaultClass: true
-        ports:
-          web:
-            redirectTo: websecure
-            hostPort: 80
-          websecure:
-            hostPort: 443
+#        ports:
+#          web:
+#            redirectTo: websecure
+#            hostPort: 80
+#          websecure:
+#            hostPort: 443
+#            tls:
+#              enabled: true
+#              options: default
         volumes:
           - mountPath: /etc/traefik
             name: traefik-conf
@@ -115,6 +118,11 @@
           - mountPath: /etc/traefik/basic-auth
             name: basic-auth
             type: secret
+        deployment:
+          replicas: 1
+          podAnnotations: 
+            prometheus.io/port: '9000'
+            prometheus.io/scrape: 'true'
 
   - name: Install traefik configuration
     k8s:
@@ -126,6 +134,7 @@
       resource_definition: "{{ lookup('template', item) | from_yaml }}"
     with_items:
 #      - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
+      - traefik-certificate.yml.j2
       - traefik-cm.yml.j2
       - traefik-files.yml.j2
 #      - traefik-sa.yml.j2

templates/traefik-certificate.yml.j2

@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: traefik.{{ traefik_domain }}
+spec:
+  dnsNames:
+  - traefik.{{ traefik_domain }}
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  secretName: traefik.{{ traefik_domain }}

templates/traefik-cm.yml.j2

@@ -15,6 +15,9 @@ data:
       web:
         address: ":8000/tcp"
         http:
+#          middlewares:
+#            - auth@file
+#            - secure_headers@file
           redirections:
             entryPoint:
               to: websecure

templates/traefik-files.yml.j2

@@ -70,3 +70,16 @@ data:
               - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
               - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
               - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+{% if false %}
+      stores:
+        default:
+          defaultCertificate:
+            certFile: path/to/wildcardcert.crt
+            keyFile: path/to/wildcardcert.key
+
+      certificates:
+      - certFile: /path/to/domain.cert
+        keyFile: /path/to/domain.key
+      - certFile: /path/to/other-domain.cert
+        keyFile: /path/to/other-domain.key
+{% endif %}

templates/traefik-ingressroute.yml.j2

@@ -7,7 +7,7 @@ metadata:
 
 spec:
   entryPoints:
-    - https
+    - websecure
   routes:
   # Match is the rule corresponding to an underlying router.
   # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
@@ -45,4 +45,6 @@ spec:
   tls:
 {% if traefik_dashboard_certificate is defined %}
     secretName: {{ traefik_dashboard_certificate }}
+{% else %}
+    secretName: traefik.{{ traefik_domain }}
 {% endif %}

templates/traefik-svc.yml.j2

@@ -9,15 +9,19 @@ metadata:
 spec:
   ports:
   - name: web
-    hostPort: 80
     port: 80
     protocol: TCP
     targetPort: web
   - name: websecure
-    hostPort: 443
     port: 443
     protocol: TCP
     targetPort: websecure
+{% if traefik_external_ips is defined %}
+  externalIPs:
+{% for traefik_external_ip in traefik_external_ips %}
+    - {{ traefik_external_ip }}
+{% endfor %}
+{% endif %}
   selector:
     app.kubernetes.io/instance: traefik
     app.kubernetes.io/name: traefik