diff --git a/.drone.yml b/.drone.yml
index c8ff368..f366012 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: kubernetes
-# type: docker
+#type: docker
 name: default
 steps:
diff --git a/defaults/main.yml b/defaults/main.yml
index 173d4a1..4636822 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,29 +1,19 @@
 my_context: kubernetes
-traefik_version: "3.3.6"
-traefik_helm_chart_version: "35.0.1"
-traefikcrds_helm_chart_version: "1.6.0"
-cluster_domain: "local"
+traefik_version: "2.3"
+traefik_domain: "local"
 traefik_namespace: "traefik"
-traefik_service_type: LoadBalancer
-# ingress_whitelist:
-# - 10.96.0.0/12
-# - 10.244.0.0/16
-# - 192.168.0.0/24
-# traefik_node_selector:
-# - localhost
+#ingress_whitelist:
+# - 10.96.0.0/12
+# - 10.244.0.0/16
+# - 192.168.0.0/24
+#traefik_node_selector:
+# - localhost
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
-traefik_entrypoints: []
-# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
-# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
-# - { name: "traefik", port: 8080, proto: "TCP" }
-# traefik_external_ips: []
-# - 1.2.3.4
+traefik_entrypoints:
+ - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
+ - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
+ - { name: "traefik", port: 8080, proto: "TCP" }
 basic_auth: false
-# traefik_dashboard_certificate: wildcard-cluster
-
-crowdsec_namespace: "crowdsec"
-crowdsec_traefik_bouncer_chart_version: "0.1.3"
-
-traefik_sabblier_version: "1.9.0"
+#traefik_dashboard_certificate: wildcard-cluster
\ No newline at end of file
diff --git a/files/grafana-dashboard.yml b/files/grafana-dashboard.yml
deleted file mode 100644
index 22ecb26..0000000
--- a/files/grafana-dashboard.yml
+++ /dev/null
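Review bot: The re-added comment keys `+#ingress_whitelist:`, `+#traefik_node_selector:` and `+#traefik_dashboard_certificate:` drop the space after `#` that the removed lines had and that the indented `# - 10.96.0.0/12` entries directly below them still use, so yamllint's `comments` rule will flag them; `# ingress_whitelist:` keeps the file consistent with itself. The `\ No newline at end of file` marker shows the rewrite also lost the trailing newline on the last line. Separately, the default `traefik_entrypoints` now unconditionally defines the `traefik` entrypoint on 8080 while `basic_auth` stays `false`; whether that port is published outside the pod depends on templates not in this diff, so a short comment on that entry stating whether it is meant to be exposed (and that `basic_auth` should be enabled when it is) would help the next reader.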
@@ -1,1523 +0,0 @@ -# file from https://github.com/traefik/traefik/blob/master/contrib/grafana/traefik-kubernetes.json -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - grafana_dashboard: "1" - name: traefik-grafana-dashboard -data: - traefik-kubernetes.json: |- - { - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "9.3.1" - }, - { - "type": "panel", - "id": "piechart", - "name": "Pie chart", - "version": "" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - } - ] - }, - "description": "Official dashboard for Traefik on Kubernetes", - "editable": false, - "fiscalYearStartMonth": 0, - "gnetId": 17347, - "graphTooltip": 0, - "id": null, - "links": [], - "liveNow": false, - "panels": [ - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 9, - "panels": [], - "title": "General", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 
80 - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 2, - "w": 5, - "x": 0, - "y": 1 - }, - "id": 13, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "count(traefik_config_reloads_total)", - "legendFormat": "__auto", - "range": true, - "refId": "A" - } - ], - "title": "Traefik Instances", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 7, - "x": 5, - "y": 1 - }, - "id": 7, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - "sortBy": "Max", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": 
"${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[1m])) by (entrypoint)", - "legendFormat": "{{entrypoint}}", - "range": true, - "refId": "A" - } - ], - "title": "Requests per Entrypoint", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "https://medium.com/@tristan_96324/prometheus-apdex-alerting-d17a065e39d0", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 1 - }, - "id": 6, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - "sortBy": "Max", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by 
(method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)\n", - "legendFormat": "{{method}}", - "range": true, - "refId": "A" - } - ], - "title": "Apdex score", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Mean Distribution", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - } - }, - "mappings": [], - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 5, - "x": 0, - "y": 3 - }, - "id": 14, - "options": { - "legend": { - "displayMode": "list", - "placement": "right", - "showLegend": true, - "values": [ - "percent" - ] - }, - "pieType": "pie", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "tooltip": { - "mode": "multi", - "sort": "asc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[1m])) by (method, code)", - "legendFormat": "{{method}}[{{code}}]", - "range": true, - "refId": "A" - } - ], - "title": "Http Code ", - "type": "piechart" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - 
"stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 9 - }, - "id": 23, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)\n\n", - "legendFormat": "{{method}}[{{code}}] on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Top slow services", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": 
"green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 9 - }, - "id": 5, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n sum by (service,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "[{{code}}] on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Most requested services", - "type": "timeseries" - }, - { - "collapsed": true, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 17 - }, - "id": 11, - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 18 - }, 
- "id": 3, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Max", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "label_replace(\n 1 - (sum by (service)\n (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n ) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)", - "legendFormat": "{{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Services failing SLO of 1200ms", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 18 - }, - "id": 4, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Max", - "sortDesc": true - }, - 
"tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "label_replace(\n 1 - (sum by (service)\n (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n ) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)", - "legendFormat": "{{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Services failing SLO of 300ms", - "type": "timeseries" - } - ], - "title": "SLO", - "type": "row" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 18 - }, - "id": 16, - "panels": [], - "title": "HTTP Details", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 8, - "x": 0, - "y": 19 - }, - "id": 17, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - 
"sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "{{method}}[{{code}}] on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "2xx over 5 min", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 8, - "x": 8, - "y": 19 - }, - "id": 18, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": 
"code", - "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "{{method}}[{{code}}] on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "5xx over 5 min", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "reqps" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 8, - "x": 16, - "y": 19 - }, - "id": 19, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", 
\"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "{{method}}[{{code}}] on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Other codes over 5 min", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "binBps" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 31 - }, - "id": 20, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n sum by (service,method) \n (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "{{method}} on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Requests Size", - "type": "timeseries" - }, - { - "datasource": { - "type": 
"prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "binBps" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 31 - }, - "id": 24, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Mean", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "topk(15,\n label_replace(\n sum by (service,method) \n (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", - "legendFormat": "{{method}} on {{service}}", - "range": true, - "refId": "A" - } - ], - "title": "Responses Size", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": 
"", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 39 - }, - "id": 21, - "options": { - "legend": { - "calcs": [ - "mean", - "max" - ], - "displayMode": "table", - "placement": "right", - "showLegend": true, - "sortBy": "Max", - "sortDesc": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n", - "legendFormat": "{{entrypoint}}", - "range": true, - "refId": "A" - } - ], - "title": "Connections per Entrypoint", - "type": "timeseries" - } - ], - "refresh": false, - "schemaVersion": 37, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "Prometheus" - }, - "hide": 0, - "includeAll": false, - "multi": false, - "name": "DS_PROMETHEUS", - "label": "datasource", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(traefik_open_connections, entrypoint)", - "hide": 0, - "includeAll": true, - "multi": false, - 
"name": "entrypoint", - "options": [], - "query": { - "query": "label_values(traefik_open_connections, entrypoint)", - "refId": "StandardVariableQuery" - }, - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(traefik_service_requests_total, service)", - "hide": 0, - "includeAll": true, - "multi": false, - "name": "service", - "options": [], - "query": { - "query": "label_values(traefik_service_requests_total, service)", - "refId": "StandardVariableQuery" - }, - "refresh": 2, - "regex": "/([^@]+)@.*/", - "skipUrlSync": false, - "sort": 1, - "type": "query" - } - ] - }, - "time": { - "from": "now-6h", - "to": "now" - }, - "timepicker": {}, - "timezone": "", - "title": "Traefik Official Kubernetes Dashboard", - "uid": "n5bu_kv4k", - "version": 7, - "weekStart": "" - }
diff --git a/meta/main.yml b/meta/main.yml
index 22bf70c..a2e3209 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,9 +5,7 @@ galaxy_info:
 min_ansible_version: 2.6
 galaxy_tags: []
 license: GPL2
- collections:
- - kubernetes.core
 platforms:
- - name: kubernetes
- version:
- - all
+ - name: kubernetes
+ version:
+ - all
diff --git a/tasks/main.yml b/tasks/main.yml
index 28b44c9..b528a69 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
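Review bot: Removing `collections:` / `- kubernetes.core` leaves meta/main.yml with no declared collection dependency, while the tasks changed in this same commit switch to the short `k8s:` and `k8s_info:` module names; those names then resolve only through whatever collections happen to be installed on the controller, and the `min_ansible_version: 2.6` context line predates collection-based resolution, so the combination is hard to reason about. Keeping `collections:` with `- kubernetes.core` (or declaring it in a `requirements.yml`) keeps module resolution explicit and reproducible. The re-indentation of the `platforms:` entries is fine on its own.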
@@ -1,257 +1,120 @@ - name: traefik setup block: -# - name: Deploy Traefik CRDs -# kubernetes.core.k8s: -# state: present -# context: "{{ my_context }}" -# apply: true -# definition: "{{ lookup('url', item , split_lines=False) | from_yaml_all }}" -# with_items: -## - "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml" -# - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" -## - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" -## ansible.builtin.command: > -## kubectl --context "{{ my_context }}" apply --server-side --force-conflicts -k -## https://github.com/traefik/traefik-helm-chart/tree/v{{ traefik_helm_chart_version }}/traefik/crds/ - - name: namespace - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - merge_type: merge - definition: - api_version: v1 - kind: Namespace - metadata: - name: '{{ traefik_namespace }}' - labels: - namespace: '{{ traefik_namespace }}' + - name: namespace + k8s: + state: present + context: "{{ my_context }}" + merge_type: merge + definition: + api_version: v1 + kind: Namespace + metadata: + name: traefik + labels: + namespace: '{{ traefik_namespace }}' - - name: Create a Secret object for basic authentification - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' - definition: - apiVersion: v1 - kind: Secret - metadata: - name: basic-auth - type: Opaque - data: - basic_auth: "{{ basic_auth_data | b64encode }}" - when: - - basic_auth|bool + - name: Create a Secret object for basic authentification + k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + namespace: '{{ traefik_namespace }}' + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - 
basic_auth|bool - - name: Add host label for traefik deployment - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - definition: - apiVersion: v1 - kind: Node - metadata: - name: "{{ item }}" - labels: - entrypoint: traefik - with_items: - - '{{ traefik_node_selector }}' - when: - - traefik_node_selector is defined + - name: Add host label for traefik deployment + k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Node + metadata: + name: "{{ item }}" + labels: + entrypoint: traefik + with_items: + - '{{ traefik_node_selector }}' + when: + - traefik_node_selector is defined - - name: Deploy latest version of CrowdSec Traefik bouncer - kubernetes.core.helm: - context: "{{ my_context }}" - name: crowdsec-traefik-bouncer - release_namespace: "{{ traefik_namespace }}" - create_namespace: true - chart_ref: crowdsec/crowdsec-traefik-bouncer - chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" - values: - image: - tag: "0.5.0" - bouncer: - crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" - crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" - crowdsec_bouncer_gin_mode: "release" - replicaCount: 1 - podSecurityContext: - fsGroup: 2000 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - when: - - traefik_crowdsec_bouncer_apikey is defined + - name: Get Deployment information object + k8s_info: + context: "{{ my_context }}" + api_version: v1 + kind: DaemonSet + name: traefik + namespace: '{{ traefik_namespace }}' + field_selectors: + - spec.template.spec.containers.image + register: traefik_actual_resources -# - name: Get Deployment information object -# kubernetes.core.k8s_info: -# context: "{{ my_context }}" -# api_version: v1 -# kind: DaemonSet -# name: traefik -# namespace: '{{ traefik_namespace }}' -# field_selectors: -# - spec.template.spec.containers.image -# register: 
traefik_actual_resources -# -# - name: Retreive actual traefik version -# ansible.builtin.shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq -# register: traefik_actual_version -# -# - name: Remove old traefik version {{ traefik_actual_version.stdout }} -# kubernetes.core.k8s: -# state: "absent" -# context: "{{ my_context }}" -# resource_definition: "{{ lookup('template', item) | from_yaml }}" -# with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse -# when: -# - not traefik_actual_version.stdout == "[]" -# - not traefik_version == traefik_actual_version.stdout -# - traefik_actual_version.stdout is version(traefik_version, '>') + - name: Retreive actual traefik version + shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq + register: traefik_actual_version -# https://github.com/traefik/traefik-helm-chart - - name: Defined traefik repository - kubernetes.core.helm_repository: - name: traefik - repo_url: "https://helm.traefik.io/traefik" - - name: Deploy Traefik CRDs - kubernetes.core.helm: - context: "{{ my_context }}" - name: traefik-crds - chart_ref: traefik/traefik-crds - chart_version: "{{ traefikcrds_helm_chart_version }}" - release_namespace: "{{ traefik_namespace }}" - create_namespace: true -# - name: show templating results -# ansible.builtin.debug: -# msg: "{{ lookup('ansible.builtin.template', 'traefik-helm-value.yaml.j2') }}" - - name: Deploy latest version of Traefik - kubernetes.core.helm: - context: "{{ my_context }}" - name: traefik - chart_ref: traefik/traefik - chart_version: "{{ traefik_helm_chart_version }}" - release_namespace: "{{ traefik_namespace }}" - create_namespace: true - skip_crds: true - values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | 
from_yaml }}" + - name: Remove old traefik version {{ traefik_actual_version.stdout }} + k8s: + state: "absent" + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +# - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse + when: + - not traefik_actual_version.stdout == "[]" + - not traefik_version == traefik_actual_version.stdout + - traefik_actual_version.stdout is version(traefik_version, '>') - - name: Install traefik configuration - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml_all }}" - with_items: - - default-network-dns-policy.yaml.j2 -# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-certificate.yml.j2 - - traefik-cm.yml.j2 - - traefik-files.yml.j2 -# - traefik-sa.yml.j2 - - traefik-ingressroute.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-defaultbackend.yml.j2 + - name: Install traefik version {{ traefik_version }} + k8s: + state: "present" + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' + merge_type: merge + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-psp.yml.j2 + - traefik-cm.yml.j2 + - traefik-sa.yml.j2 + - traefik-dp.yml.j2 +# - traefik-svc.yml.j2 +# - traefik-dashboard-svc.yml.j2 + - traefik-middleware-httpsredirect.yml.j2 + - traefik-middleware-basicauth.yml.j2 + - traefik-middleware-headers.yml.j2 + - traefik-tls-options.yml.j2 + - traefik-ingressroute.yml.j2 + - traefik-dashboard-insecure.yml.j2 +# - traefik-ping.yml.j2 - - name: Install traefik plugin's 
- kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml_all }}" - with_items: - - traefik-ondemand-plugin.yml.j2 - when: - - traefik_ondemand is defined - - name: ReInstall traefik-hub certificate if already know - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge -# apply: true - resource_definition: "{{ lookup('template', item) | from_yaml_all }}" - with_items: - - traefik-hub-certificate.yml.j2 - when: - - traefik_hub_tlscrt is defined - - traefik_hub_tlskey is defined - - name: Defined traefik-hub repository - kubernetes.core.helm_repository: - name: traefik-hub - repo_url: "https://helm.traefik.io/hub" - when: - - traefik_hub_token is defined - - name: Deploy latest version of Traefik-hub - kubernetes.core.helm: - context: "{{ my_context }}" - name: hub-agent - chart_ref: traefik-hub/hub-agent - release_namespace: "{{ traefik_namespace }}" - values: - token: "{{ traefik_hub_token }}" - when: - - traefik_hub_token is defined - -# echo 'apiVersion: v1 -# kind: Service -# metadata: -# annotations: -# # external-dns.alpha.kubernetes.io/endpoints-type: HostIP -# external-dns.alpha.kubernetes.io/hostname: traefik.ibm.reslinger.net -# external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP -# # external-dns.alpha.kubernetes.io/target: "1.2.3.4" -# name: traefik-dns -# namespace: traefik -# spec: -# clusterIP: None -# ports: -# - name: web -# port: 80 -# protocol: TCP -# targetPort: web -# - name: websecure -# port: 443 -# protocol: TCP -# targetPort: websecure -# selector: -# app.kubernetes.io/instance: traefik-traefik -# app.kubernetes.io/name: traefik' | kubectl --context kubeibm -n traefik apply -f - - -# - name: Deploy latest version of Switchboard -# kubernetes.core.helm: -# context: "{{ my_context }}" -# name: switchboard 
-# chart_ref: oci://ghcr.io/borchero/charts/switchboard -# release_namespace: "{{ traefik_namespace }}" -# # values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" -# values: -# integrations: -# # certManager: -# # enabled: true -# # issuer: "letsencrypt-prod" -# externalDNS: -# enabled: true -# targetIPs: [10.144.217.172] - - - name: Install traefik grafana dashboard - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: 'traefik' - apply: yes - resource_definition: "{{ lookup('file', item) | from_yaml_all }}" - with_items: - - grafana-dashboard.yml + - name: Define state of ipwhitelist middleware to present + set_fact: + traefik_ipwhitelist_state: present + when: + - traefik_version | regex_search('(^2.)') + - ingress_whitelist is defined + - name: Define state of ipwhitelist middleware to absent + set_fact: + traefik_ipwhitelist_state: absent + when: + - not ingress_whitelist is defined or traefik_ipwhitelist_state is not defined + - name: IP white list need to be {{ traefik_ipwhitelist_state }} + k8s: + state: "{{ traefik_ipwhitelist_state }}" + context: "{{ my_context }}" + merge_type: merge + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - traefik-middleware-ipwhitelist.yml.j2 tags: traefik diff --git a/templates/2.0/traefik-clusterrole.yml.j2 b/templates/2.0/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..537813c --- /dev/null +++ b/templates/2.0/traefik-clusterrole.yml.j2 
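Review bot: The `Retreive actual traefik version` task feeds the Jinja-rendered `traefik_actual_resources.resources` — the DaemonSet object read back from the API server — into `shell`, so a `"`, `$(…)` or backtick inside that object (an image reference or annotation changed by anyone with write access to the DaemonSet) would be executed on the control node. The version can be extracted without a shell at all, e.g. a `set_fact` built from `traefik_actual_resources.resources | to_json | regex_search('traefik:([0-9]+\\.[0-9]+)', '\\1')`, with the later `when:` clauses comparing that fact instead of `.stdout` and the empty-result case handled in place of the `== "[]"` check. Separately, the Namespace task hardcodes `name: traefik` while every other task targets `{{ traefik_namespace }}`, so a non-default value creates the Secret and middlewares in a namespace this role never created. The install list also applies `traefik-dashboard-insecure.yml.j2` unconditionally even though `basic_auth` defaults to `false`; gating it (e.g. `when: traefik_dashboard_insecure | default(false) | bool`) would avoid exposing the dashboard without authentication by default — its contents are not in this diff, so that is inferred from the template name.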
@@ -0,0 +1,62 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutetcps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - tlsoptions
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/templates/2.0/traefik-clusterrolebinding.yml.j2 b/templates/2.0/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..9f58700
--- /dev/null
+++ b/templates/2.0/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: traefik
diff --git a/templates/2.0/traefik-crd-ingressroute.yml.j2 b/templates/2.0/traefik-crd-ingressroute.yml.j2
new file mode 100644
index 0000000..41f70f9
--- /dev/null
+++ b/templates/2.0/traefik-crd-ingressroute.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
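Review bot: The first rule grants `get`/`list`/`watch` on `secrets` in every namespace; that is the usual requirement for an ingress controller that reads TLS certificates, but it also means a compromise of the Traefik pod or of the `traefik-ingress-controller` token exposes every Secret in the cluster. If Traefik is only meant to watch selected namespaces, binding this ClusterRole through a `RoleBinding` in each watched namespace instead of a `ClusterRoleBinding` narrows the blast radius; otherwise a comment on the rule documenting the trade-off would help, e.g. `# cluster-wide secrets read is needed for TLS secrets referenced by Ingress/IngressRoute; bind per-namespace if Traefik is restricted to specific namespaces`. The template also uses `rbac.authorization.k8s.io/v1beta1`, which is the deprecated API version; `rbac.authorization.k8s.io/v1` is the supported one.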
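Review bot: The subject's `namespace: traefik` is hardcoded here while `defaults/main.yml` exposes `traefik_namespace` and the 2.1/2.2 bindings use `{{ traefik_namespace }}`; with a non-default value this binding points at a ServiceAccount that does not exist in that namespace, so Traefik would start without its API permissions. Suggest `namespace: {{ traefik_namespace }}` for consistency with the later versions. The three 2.0 CRD templates hardcode `namespace: traefik` too, though a CustomResourceDefinition is cluster-scoped and that field carries no meaning there, so dropping it is the cleaner fix. `traefik-sa.yml.j2` is not in this diff, so whether the ServiceAccount name also matches is unverified.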
diff --git a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 new file mode 100644 index 0000000..107c4e5 --- /dev/null +++ b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + namespace: traefik + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced diff --git a/templates/2.0/traefik-crd-middleware.yml.j2 b/templates/2.0/traefik-crd-middleware.yml.j2 new file mode 100644 index 0000000..b517ac8 --- /dev/null +++ b/templates/2.0/traefik-crd-middleware.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + namespace: traefik + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.0/traefik-crd-tlsoption.yml.j2 b/templates/2.0/traefik-crd-tlsoption.yml.j2 new file mode 100644 index 0000000..1495e0d --- /dev/null +++ b/templates/2.0/traefik-crd-tlsoption.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.1/Ressources-exemple.yml b/templates/2.1/Ressources-exemple.yml new file mode 100644 index 0000000..bf512dd --- /dev/null +++ b/templates/2.1/Ressources-exemple.yml 
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.1/traefik-clusterrole.yml.j2 b/templates/2.1/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..fe4f9c9 --- /dev/null +++ b/templates/2.1/traefik-clusterrole.yml.j2 @@ -0,0 +1,42 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + - ingressroutes + - traefikservices + - ingressroutetcps + - tlsoptions + verbs: + - get + - list + - watch 
diff --git a/templates/2.1/traefik-clusterrolebinding.yml.j2 b/templates/2.1/traefik-clusterrolebinding.yml.j2 new file mode 100644 index 0000000..2a4398a --- /dev/null +++ b/templates/2.1/traefik-clusterrolebinding.yml.j2 @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller +subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: {{ traefik_namespace }} diff --git a/templates/2.1/traefik-crd-ingressroute.yml.j2 b/templates/2.1/traefik-crd-ingressroute.yml.j2 new file mode 100644 index 0000000..f31a6bd --- /dev/null +++ b/templates/2.1/traefik-crd-ingressroute.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutes.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRoute + plural: ingressroutes + singular: ingressroute + scope: Namespaced diff --git a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 new file mode 100644 index 0000000..a766ed8 --- /dev/null +++ b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced diff --git a/templates/2.1/traefik-crd-middleware.yml.j2 b/templates/2.1/traefik-crd-middleware.yml.j2 new file mode 100644 index 0000000..1c0168e --- /dev/null +++ b/templates/2.1/traefik-crd-middleware.yml.j2 
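Review bot: The IngressRoute CRD is registered without any `validation.openAPIV3Schema`, so the API server accepts arbitrary content in an IngressRoute and malformed or unexpected fields are only noticed by Traefik at runtime, if at all; if the upstream definitions for the pinned 2.x release ship a schema, those should be preferred over this minimal copy. `metadata.namespace: {{ traefik_namespace }}` on a CustomResourceDefinition has no effect, because the CRD object itself is cluster-scoped (`scope: Namespaced` only governs the IngressRoute objects), and it reads as if the definition were namespaced. `apiextensions.k8s.io/v1beta1` with a single `version:` key is also the deprecated form; `apiextensions.k8s.io/v1` requires a `versions:` list with a schema, which would address both points at once.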
@@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.1/traefik-crd-tlsoption.yml.j2 b/templates/2.1/traefik-crd-tlsoption.yml.j2 new file mode 100644 index 0000000..a1200f0 --- /dev/null +++ b/templates/2.1/traefik-crd-tlsoption.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.1/traefik-crd-traefikservice.yml.j2 b/templates/2.1/traefik-crd-traefikservice.yml.j2 new file mode 100644 index 0000000..46ce7ca --- /dev/null +++ b/templates/2.1/traefik-crd-traefikservice.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced diff --git a/templates/2.2/Ressources-exemple.yml b/templates/2.2/Ressources-exemple.yml new file mode 100644 index 0000000..bf512dd --- /dev/null +++ b/templates/2.2/Ressources-exemple.yml 
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrole.yml.j2 b/templates/2.2/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..bef2410 --- /dev/null +++ b/templates/2.2/traefik-clusterrole.yml.j2 
@@ -0,0 +1,48 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['traefik-ingress-controller']
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/templates/2.2/traefik-clusterrolebinding.yml.j2 b/templates/2.2/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..2a4398a
--- /dev/null
+++ b/templates/2.2/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.2/traefik-crd-ingressroutes.yml.j2 b/templates/2.2/traefik-crd-ingressroutes.yml.j2
new file mode 100644
index 0000000..f31a6bd
--- /dev/null
+++ b/templates/2.2/traefik-crd-ingressroutes.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
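Review bot: The new PodSecurityPolicy rule restricts `use` to the policy named `traefik-ingress-controller` via `resourceNames`, but `traefik-psp.yml.j2` (which the tasks file applies alongside this role) is not in the diff, so the name coupling cannot be verified here; a comment such as `# resourceNames must match metadata.name in traefik-psp.yml.j2` would make the dependency explicit and avoid a silent admission failure when one side is renamed. The cluster-wide `secrets` read from the 2.0/2.1 roles is carried over unchanged, with the same blast-radius trade-off. Minor: the file ends without a trailing newline, and `rbac.authorization.k8s.io/v1beta1` is the deprecated API version where `v1` is the supported one.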
diff --git a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 new file mode 100644 index 0000000..a766ed8 --- /dev/null +++ b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced diff --git a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 new file mode 100644 index 0000000..535726c --- /dev/null +++ b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced diff --git a/templates/2.2/traefik-crd-middlewares.yml.j2 b/templates/2.2/traefik-crd-middlewares.yml.j2 new file mode 100644 index 0000000..1c0168e --- /dev/null +++ b/templates/2.2/traefik-crd-middlewares.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsoptions.yml.j2 b/templates/2.2/traefik-crd-tlsoptions.yml.j2 new file mode 100644 index 0000000..a1200f0 --- /dev/null +++ b/templates/2.2/traefik-crd-tlsoptions.yml.j2 
@@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsstores.yml.j2 b/templates/2.2/traefik-crd-tlsstores.yml.j2 new file mode 100644 index 0000000..eae918f --- /dev/null +++ b/templates/2.2/traefik-crd-tlsstores.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced diff --git a/templates/2.2/traefik-crd-traefikservices.yml.j2 b/templates/2.2/traefik-crd-traefikservices.yml.j2 new file mode 100644 index 0000000..46ce7ca --- /dev/null +++ b/templates/2.2/traefik-crd-traefikservices.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced diff --git a/templates/2.3/Ressources-exemple.yml b/templates/2.3/Ressources-exemple.yml new file mode 100644 index 0000000..bf512dd --- /dev/null +++ b/templates/2.3/Ressources-exemple.yml 
@@ -0,0 +1,157 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr2 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: s1 + weight: 1 + port: 80 + # Optional, as it is the default value + kind: Service + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: wrr1 + namespace: {{ traefik_namespace }} + +spec: + weighted: + services: + - name: wrr2 + kind: TraefikService + weight: 1 + - name: s3 + weight: 1 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror1 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: s1 + port: 80 + mirrors: + - name: s3 + percent: 20 + port: 80 + - name: mirror2 + kind: TraefikService + percent: 20 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TraefikService +metadata: + name: mirror2 + namespace: {{ traefik_namespace }} + +spec: + mirroring: + name: wrr2 + kind: TraefikService + mirrors: + - name: s2 + # Optional, as it is the default value + kind: Service + percent: 20 + port: 80 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroute +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + priority: 12 + # defining several services is possible and allowed, but for now the servers of + # all the services (for a given route) get merged altogether under the same + # load-balancing strategy. + services: + - name: s1 + port: 80 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + # strategy defines the load balancing strategy between the servers. It defaults + # to Round Robin, and for now only Round Robin is supported anyway. 
+ strategy: RoundRobin + - name: s2 + port: 433 + healthCheck: + path: /health + host: baz.com + intervalSeconds: 7 + timeoutSeconds: 60 + - match: PathPrefix(`/misc`) + services: + - name: s3 + port: 80 + middlewares: + - name: stripprefix + - name: addprefix + - match: PathPrefix(`/misc`) + services: + - name: s3 + # Optional, as it is the default value + kind: Service + port: 8443 + # scheme allow to override the scheme for the service. (ex: https or h2c) + scheme: https + - match: PathPrefix(`/lb`) + services: + - name: wrr1 + kind: TraefikService + - match: PathPrefix(`/mirrored`) + services: + - name: mirror1 + kind: TraefikService + # use an empty tls object for TLS with Let's Encrypt + tls: + secretName: supersecret + options: + name: myTLSOption + namespace: default + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcp.crd + namespace: default + +spec: + entryPoints: + - footcp + routes: + - match: HostSNI(`bar.com`) + services: + - name: whoamitcp + port: 8080 + tls: + secretName: foosecret + passthrough: false + options: + name: myTLSOption + namespace: default \ No newline at end of file diff --git a/templates/2.3/traefik-clusterrole.yml.j2 b/templates/2.3/traefik-clusterrole.yml.j2 new file mode 100644 index 0000000..46bbd16 --- /dev/null +++ b/templates/2.3/traefik-clusterrole.yml.j2 
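Review bot: `Ressources-exemple.yml` references `{{ traefik_namespace }}` but has no `.j2` suffix, and its last two resources hard-code `namespace: default` or no namespace at all, so it is unclear whether the role is meant to render it; if it is only an upstream example, keeping it outside `templates/` prevents a glob-based `template:` task from deploying `foo.com`, `supersecret` and `foosecret` into a cluster. `port: 433` on service `s2` looks like a typo for `443`. The file starts on the previous line.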
@@ -0,0 +1,50 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['traefik-ingress-controller']
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/templates/2.3/traefik-clusterrolebinding.yml.j2 b/templates/2.3/traefik-clusterrolebinding.yml.j2
new file mode 100644
index 0000000..2a4398a
--- /dev/null
+++ b/templates/2.3/traefik-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.3/traefik-crd-ingressroutes.yml.j2 b/templates/2.3/traefik-crd-ingressroutes.yml.j2
new file mode 100644
index 0000000..0bcfd35
--- /dev/null
+++ b/templates/2.3/traefik-crd-ingressroutes.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
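Review bot: The `secrets` rule in the ClusterRole grants `get`/`list`/`watch` on every Secret in the cluster, so the `traefik-ingress-controller` ServiceAccount token (mounted in the pod that terminates all inbound traffic) reads credentials far beyond the TLS secrets its routes reference; unless routes legitimately pull TLS secrets from arbitrary namespaces, narrow this to namespaced `Role`/`RoleBinding` pairs for the namespaces that hold certificates and keep only services/endpoints/ingresses cluster-wide. The ClusterRoleBinding in the next hunk uses `apiVersion: rbac.authorization.k8s.io/v1beta1`, which Kubernetes stopped serving in 1.22 while the ClusterRole already uses `v1`; make it `apiVersion: rbac.authorization.k8s.io/v1`. The `podsecuritypolicies` `use` rule names a PSP `traefik-ingress-controller` that I do not see created anywhere in this diff, and PSP itself was removed in 1.25, so that rule is dead on current clusters.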
diff --git a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 new file mode 100644 index 0000000..36b202a --- /dev/null +++ b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressroutetcps.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteTCP + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced diff --git a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 new file mode 100644 index 0000000..d7c2624 --- /dev/null +++ b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced diff --git a/templates/2.3/traefik-crd-middlewares.yml.j2 b/templates/2.3/traefik-crd-middlewares.yml.j2 new file mode 100644 index 0000000..d1ae35f --- /dev/null +++ b/templates/2.3/traefik-crd-middlewares.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: middlewares.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: Middleware + plural: middlewares + singular: middleware + scope: Namespaced diff --git a/templates/2.3/traefik-crd-tlsoptions.yml.j2 b/templates/2.3/traefik-crd-tlsoptions.yml.j2 new file mode 100644 index 0000000..1495e0d --- /dev/null +++ b/templates/2.3/traefik-crd-tlsoptions.yml.j2 
@@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + scope: Namespaced diff --git a/templates/2.3/traefik-crd-tlsstores.yml.j2 b/templates/2.3/traefik-crd-tlsstores.yml.j2 new file mode 100644 index 0000000..f9a4005 --- /dev/null +++ b/templates/2.3/traefik-crd-tlsstores.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced diff --git a/templates/2.3/traefik-crd-traefikservices.yml.j2 b/templates/2.3/traefik-crd-traefikservices.yml.j2 new file mode 100644 index 0000000..3262c43 --- /dev/null +++ b/templates/2.3/traefik-crd-traefikservices.yml.j2 @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: traefikservices.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced \ No newline at end of file diff --git a/templates/default-network-dns-policy.yaml.j2 b/templates/default-network-dns-policy.yaml.j2 deleted file mode 100644 index 185500e..0000000 --- a/templates/default-network-dns-policy.yaml.j2 +++ /dev/null 
@@ -1,46 +0,0 @@ -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: intra-namespace -spec: - podSelector: {} - ingress: - - from: - - namespaceSelector: - matchLabels: - name: {{ traefik_namespace }} - -#--- -#apiVersion: networking.k8s.io/v1 -#kind: NetworkPolicy -#metadata: -# name: allow-dns-access -#spec: -# podSelector: -# matchLabels: {} -# policyTypes: -# - Egress -# egress: -# - to: -# - namespaceSelector: -# matchLabels: -# kubernetes.io/metadata.name: kube-system -# podSelector: -# matchLabels: -# k8s-app: kube-dns -# ports: -# - protocol: UDP -# port: 53 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-all-traefik-v121-ingress -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: traefik - ingress: - - {} - policyTypes: - - Ingress diff --git a/templates/traefik-certificate.yml.j2 b/templates/traefik-certificate.yml.j2 deleted file mode 100644 index 799ef52..0000000 --- a/templates/traefik-certificate.yml.j2 +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: traefik.{{ cluster_domain }} -spec: - dnsNames: - - traefik.{{ cluster_domain }} - issuerRef: - name: letsencrypt-prod - kind: ClusterIssuer - secretName: traefik.{{ cluster_domain }} diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index c4b25ad..37a2ff7 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -1,9 +1,4 @@ apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: traefik - name: traefik-conf data: traefik.yaml: | global: 
@@ -12,114 +7,51 @@ data: serversTransport: insecureSkipVerify: true entryPoints: - web: - address: ":8000/tcp" - http: - # middlewares: - # - auth@file - # - secure_headers@file - # - crowdsec-bouncer@file - # - {{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd - redirections: - entryPoint: - to: websecure - scheme: https - permanent: true - websecure: - address: ":8443" - http: - tls: - options: default - # middlewares: - # - auth@file - # - secure_headers@file - # - crowdsec-bouncer@file - http3: - advertisedPort: 443 - traefik: - address: ":8080/tcp" - metrics: - address: ":9100/tcp" -{% if traefik_hub_token is defined %} - traefikhub-api: - address: ":9900" - traefikhub-tunl: - address: ":9901/tcp" -{% endif%} {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: -{% if traefik_entrypoint.proto is defined %} - address: ":{{ traefik_entrypoint.port }}/{{ traefik_entrypoint.proto | lower }}" -{% else %} - address: ":{{ traefik_entrypoint.port }}" -{% endif %} -{% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %} - http: -{% if traefik_entrypoint.middlewares is defined %} - middlewares: -{% for middleware in traefik_entrypoint.middlewares %} - - {{ middleware }} -{% endfor %} -{% endif %} + address: :{{ traefik_entrypoint.port }} {% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %} + http: tls: {} {% endif %} -{% endif %} {% endfor %} providers: kubernetesCRD: # ingressClass: "traefik" throttleDuration: 2s -{% if traefik_ondemand is defined %} - allowEmptyServices: true -{% endif%} kubernetesIngress: ingressClass: "traefik" -{% if traefik_hub_token is defined %} - allowExternalNameServices: true -{% endif%} -{% if traefik_ondemand is defined %} - allowEmptyServices: true -{% endif%} - kubernetesGateway: {} file: directory: /etc/traefik/file/ watch: true metrics: prometheus: - entryPoint: metrics - addRoutersLabels: true + buckets: + - 0.1 + - 0.3 + - 1.2 + - 5 + 
entryPoint: traefik ping: entryPoint: traefik api: + insecure: true dashboard: true -{% if traefik_hub_token is defined %} - hub: {} -{% endif %} + debug: true log: - level: ERROR - # format: json - accessLog: {} - #accessLog: - # filePath: "/var/log/traefik/access.log" - # bufferingSize: 50 - ## format: json - ## fields: - ## names: - ## BackendAddr: keep - ## BackendName: keep - ## BackendURL: keep - ## FrontendName: keep -{% if traefik_hub_token is defined or traefik_ondemand is defined %} - experimental: - # kubernetesGateway: true -{% if traefik_hub_token is defined %} - hub: true -{% endif %} -{% if traefik_ondemand is defined %} - plugins: - sablier: - moduleName: github.com/sablierapp/sablier - version: v{{ traefik_sabblier_version }} -{% endif %} -{% endif %} + level: WARN + format: json + accessLog: + format: json + fields: + names: + BackendAddr: keep + BackendName: keep + BackendURL: keep + FrontendName: keep +kind: ConfigMap +metadata: + labels: + app: traefik + name: traefik + namespace: {{ traefik_namespace }} diff --git a/templates/traefik-dashboard-insecure.yml.j2 b/templates/traefik-dashboard-insecure.yml.j2 new file mode 100644 index 0000000..4ed4b56 --- /dev/null +++ b/templates/traefik-dashboard-insecure.yml.j2 
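Review bot: `insecure: true` under `api:` serves the API and dashboard unauthenticated on the `traefik` entrypoint, and `debug: true` adds the profiling endpoints on top, so anything that can reach the pod on that port gets the complete routing configuration (middlewares, backend addresses) without passing the IngressRoute middlewares this commit adds for the dashboard; `api@internal` is already published through those IngressRoutes, so drop `insecure: true` and leave `debug` off except while troubleshooting. `address: :{{ traefik_entrypoint.port }}` loses the `/{{ proto }}` suffix the removed lines emitted, so an entrypoint declared with `proto: UDP` (which the DaemonSet template does honour for its `containerPort`) is bound as TCP here; keep the protocol and the quoting the old line had, `address: ":{{ traefik_entrypoint.port }}/{{ traefik_entrypoint.proto | default('TCP') | lower }}"`, since a plain scalar starting with `:` is parser-dependent. This hunk begins on the previous line, and the `traefik.yaml: |` block scalar it edits starts before the hunk.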
@@ -0,0 +1,40 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard-insecure + namespace: {{ traefik_namespace }} + labels: + app: traefik + +spec: + entryPoints: + - http + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`traefik.{{ traefik_domain }}`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist +{% endif %} + - name: https-only + services: + - name: api@internal + kind: TraefikService +# - name: traefik-dashboard +# port: 8080 +# # (default 1) A weight used by the weighted round-robin strategy (WRR). +# weight: 1 +# # (default true) PassHostHeader controls whether to leave the request's Host +# # Header as it was before it reached the proxy, or whether to let the proxy set it +# # to the destination (backend) host. +# passHostHeader: true +# responseForwarding: +# # (default 100ms) Interval between flushes of the buffered response body to the client. +# flushInterval: 100ms diff --git a/templates/traefik-dashboard-svc.yml.j2 b/templates/traefik-dashboard-svc.yml.j2 new file mode 100644 index 0000000..f6973c0 --- /dev/null +++ b/templates/traefik-dashboard-svc.yml.j2 
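Review bot: The plain-HTTP route's service is `api@internal`, so the `https-only` redirect middleware (plus `traefik-ipwhitelist` only when `ingress_whitelist` is set) is the single control between an unauthenticated cleartext request and the dashboard/API, and unlike `traefik-ingressroute.yml.j2` this route has no `basic-auth` conditional at all; if the redirect is ever removed from the middleware list the dashboard is served over HTTP without credentials. Since the route exists only to redirect, point it at the built-in no-op service instead, `- name: noop@internal` (still `kind: TraefikService`), which keeps the redirect and removes the fall-through. The commented `traefik-dashboard` service block and the copied upstream comments on `match`/`kind` add noise for a route whose whole job is one redirect; a one-line comment saying so would serve better.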
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: traefik
+ name: traefik-dashboard
+ namespace: {{ traefik_namespace }}
+
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+# - name: traefik
+# port: 8080
+# protocol: TCP
+ - protocol: TCP
+ port: 443
+ name: https
+ targetPort: 443
+ type: ClusterIP
+ selector:
+ app: traefik
diff --git a/templates/traefik-defaultbackend.yml.j2 b/templates/traefik-defaultbackend.yml.j2
deleted file mode 100644
index 40ad31d..0000000
--- a/templates/traefik-defaultbackend.yml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: cheese
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
- traefik.ingress.kubernetes.io/router.priority: "1"
- traefik.ingress.kubernetes.io/router.middlewares: security_headers@file,compress@file
-
-spec:
- defaultBackend:
- service:
- name: stilton
- port:
- number: 80
diff --git a/templates/traefik-dp.yml.j2 b/templates/traefik-dp.yml.j2
new file mode 100644
index 0000000..b7f3a54
--- /dev/null
+++ b/templates/traefik-dp.yml.j2
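Review bot: `targetPort: 80`/`443` send traffic to the pod IP on ports 80 and 443, but the DaemonSet template exposes each entrypoint on `containerPort: {{ traefik_entrypoint.port }}` and uses `hostPort` only for the node-side mapping; a Service targets the container port, not the host port, so unless an entrypoint's `port` itself is 80/443 both Service ports point at nothing. Use the named container ports the DaemonSet declares, `targetPort: http` and `targetPort: https`, so the Service follows whatever `traefik_entrypoints` is set to. Keeping the `traefik` 8080 port commented out is the right call given `api.insecure: true` in the ConfigMap; exposing it here would hand the unauthenticated API a stable cluster DNS name.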
@@ -0,0 +1,93 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + namespace: {{ traefik_namespace }} + name: traefik + labels: + app: traefik + +spec: +# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} + strategy: + type: Recreate + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller +# securityContext: +# sysctls: +# - name: kernel.net.ipv4.ip_unprivileged_port_start +# value: "80" + containers: + - name: traefik + image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }} + args: + - --configfile=/config/traefik.yaml +# imagePullPolicy: IfNotPresent + ports: +{% for traefik_entrypoint in traefik_entrypoints %} + - name: {{ traefik_entrypoint.name }} + containerPort: {{ traefik_entrypoint.port }} + protocol: {{ traefik_entrypoint.proto }} +{% if traefik_entrypoint.hostport is defined %} + hostPort: {{ traefik_entrypoint.hostport }} +{% endif %} +{% endfor %} + readinessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: traefik + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + resources: + limits: + cpu: {{ traefik_cpu_limit }} + memory: {{ traefik_memory_limit }} + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /config + name: config +{% if traefik_node_selector is defined %} + nodeSelector: + reslinger.net/entrypoint: traefik +{% endif %} + dnsPolicy: ClusterFirst + hostNetwork: false + restartPolicy: Always + terminationGracePeriodSeconds: 1 + tolerations: + - effect: NoSchedule + 
operator: Exists + volumes: + - configMap: + defaultMode: 420 + name: traefik + name: config diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 deleted file mode 100644 index c046713..0000000 --- a/templates/traefik-files.yml.j2 +++ /dev/null 
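Review bot: `spec.strategy` is a Deployment field; a DaemonSet takes `spec.updateStrategy` (`RollingUpdate`/`OnDelete`), so `strategy: type: Recreate` is rejected by strict or server-side validation and silently dropped on older servers, leaving the default rolling update. The container `securityContext` sets `allowPrivilegeEscalation: true` and adds `NET_BIND_SERVICE` even though the container binds `{{ traefik_entrypoint.port }}` and the 80/443 mapping happens through `hostPort` on the node side, so if the configured entrypoint ports are unprivileged neither is needed, and `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }` (all present in the deleted Helm values) are missing, so the pod spec this replaces was stricter. The image tag comes from `lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_'))`, i.e. a `traefik_version_2_3`-style variable I do not see defined in this diff, so the template presumably fails to render unless it is set elsewhere; pinning a digest instead of a tag would also make the deployed build reproducible. The DaemonSet spec begins on the previous line.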
@@ -1,155 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: traefik-files -data: - traefik-middlewares.yaml: | - http: - middlewares: - min_security: - chain: - middlewares: - - security_headers -{% if ingress_whitelist is defined %} - - traefik-ipwhitelist -{% endif %} - - rate-limit - - compress -{% if false %} -{% if basic_auth|bool %} - - basic-auth -{% endif %} - - authelia -{% endif %} - compress: - compress: - excludedContentTypes: ["text/event-stream"] - rate-limit: - rateLimit: - average: 100 - burst: 50 - security_headers: - headers: - accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] - # accessControlAllowOrigin: "origin-list-or-null" - accessControlMaxAge: 100 - addVaryHeader: true - browserXssFilter: true - contentTypeNosniff: true - forceSTSHeader: true - frameDeny: true - stsIncludeSubdomains: true - stsPreload: true - customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy: "same-origin" - # permissionsPolicy: "vibrate 'self'" - permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';" - stsSeconds: 315360000 - # contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" - # customResponseHeaders: - # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," - # server: "" - hostsProxyHeaders: - - "X-Forwarded-Host" -{% if ingress_whitelist is defined %} - traefik-ipwhitelist: - ipWhiteList: - sourceRange: -{% for acl_whitelist in ingress_whitelist %} - - {{ acl_whitelist }} -{% endfor %} -{% endif %} -{% if traefik_ondemand is defined %} - ondemand: - plugin: - sablier: - #group: default - dynamic: - displayName: Application is starting - refreshFrequency: 5s - showDetails: "true" - theme: hacker-terminal - sablierUrl: http://sablier:10000 - sessionDuration: 1m -{% endif %} -{% if basic_auth|bool %} - basic-auth: - basicAuth: - removeHeader: true - usersFile: "/etc/traefik/basic-auth/basic_auth" - # users: - # - {{ basic_auth_data }} -{% endif %} - authelia: - forwardAuth: - address: 
"http://authelia:9091/api/verify?rd=https://login.example.com/" - trustForwardHeader: true - authResponseHeaders: - - "Remote-User" - - "Remote-Groups" - - "Remote-Name" - - "Remote-Email" - authelia-basic: - forwardAuth: - address: "http://authelia:9091/api/verify?auth=basic" - trustForwardHeader: true - authResponseHeaders: - - "Remote-User" - - "Remote-Groups" - - "Remote-Name" - - "Remote-Email" - crowdsec-bouncer: - forwardAuth: - address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth" - trustForwardHeader: true - - traefik-servers-transport.yaml: | - http: - serversTransports: - skip-verify-https-backend: - insecureSkipVerify: true - - traefik-tls-defaults-options.yaml: | - tls: - options: - default: - sniStrict: true - minVersion: VersionTLS12 - curvePreferences: - - CurveP521 - - CurveP384 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - alpnProtocols: - - h2 - - http/1.1 -{% if false %} - stores: - default: - defaultCertificate: - certFile: path/to/wildcardcert.crt - keyFile: path/to/wildcardcert.key - - certificates: - - certFile: /path/to/domain.cert - keyFile: /path/to/domain.key - - certFile: /path/to/other-domain.cert - keyFile: /path/to/other-domain.key -{% endif %} - -# dashboard.yaml: | -# http: -# routers: -# traefik: -# rule: "Host(`traefik.{{ domain | lower }}`)" -# entryPoints: -# - "websecure" -# middlewares: -# - "min_security@file" -#{% if basic_auth|bool %} -# - "basic-auth@file" -#{% endif %} -# service: "api@internal" diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 deleted file mode 100644 index 718ad26..0000000 --- a/templates/traefik-helm-value.yaml.j2 +++ /dev/null 
@@ -1,184 +0,0 @@ -# https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml -{% if traefik_version is defined %} -image: - tag: "{{ traefik_version }}" -{% endif %} -#fullnameOverride: "{{ my_context }}" -additionalArguments: - - --configFile=/etc/traefik/traefik.yaml -#podSecurityPolicy: -# enabled: true -service: - type: {{ traefik_service_type }} -{% if traefik_external_ips is defined %} - externalIPs: -{% for external_ip in traefik_external_ips %} - - {{ external_ip }} -{% endfor %} -{% endif %} -{% if traefik_service_type == "LoadBalancer" %} - annotations: - external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }} -{% endif %} -ingressRoute: - dashboard: - enabled: false -podDisruptionBudget: - enabled: true - minAvailable: 1 -ingressClass: - enabled: true - isDefaultClass: true -{% if false %} -autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 60 - - type: Resource - resource: - name: memory - targetAverageUtilization: 60 -{% endif %} -{% if traefik_service_type == "NodePort" or (traefik_hostport is defined and traefik_hostport == true) or traefik_hub_token is defined %} -ports: -{% if traefik_service_type == "NodePort" or (traefik_hostport is defined and traefik_hostport == true) %} - web: -# redirectTo: websecure -{% if traefik_hostport is defined and traefik_hostport == true %} - hostPort: 80 -{% endif %} -{% if traefik_service_type == "NodePort" %} - nodePort: 80 -{% endif %} - websecure: -{% if traefik_hostport is defined and traefik_hostport == true %} - hostPort: 443 -{% endif %} -{% if traefik_service_type == "NodePort" %} - nodePort: 443 -{% endif %} - http3: - enabled: true - advertisedPort: 443 -# tls: -# enabled: true -# options: default -{% endif %} -{% if traefik_hub_token is defined %} - traefikhub-tunl: - port: 9901 - expose: true - exposedPort: 9901 - protocol: "TCP" -{% endif %} -{% endif %} -volumes: - - 
mountPath: /etc/traefik - name: traefik-conf - type: configMap - - mountPath: /etc/traefik/file - name: traefik-files - type: configMap - - mountPath: /etc/traefik/basic-auth - name: basic-auth - type: secret -deployment: -{% if traefik_hostport is defined and traefik_hostport == true %} - kind: DaemonSet -{% else %} - replicas: 1 -{% endif %} - revisionHistoryLimit: 3 -# podAnnotations: -# prometheus.io/port: '9100' -# prometheus.io/scrape: 'true' -# prometheus.io/path: "/metrics" -{% if traefik_hostport is defined and traefik_hostport == true %} -updateStrategy: - type: OnDelete -{% endif %} -metrics: - prometheus: - service: - enabled: true - serviceMonitor: - metricRelabelings: [] -# # - sourceLabels: [__name__] -# # separator: ; -# # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ -# # replacement: $1 -# # action: drop - relabelings: [] -# # - sourceLabels: [__meta_kubernetes_pod_node_name] -# # separator: ; -# # regex: ^(.*)$ -# # targetLabel: nodename -# # replacement: $1 -# # action: replace -# jobLabel: traefik -# interval: 30s -# honorLabels: true -# # (Optional) -# # scrapeTimeout: 5s -# # honorTimestamps: true -# # enableHttp2: true -# # followRedirects: true -# # additionalLabels: -# # foo: bar -# # namespace: "another-namespace" -# # namespaceSelector: {} -# prometheusRule: -# enabled: true -# additionalLabels: {} -# namespace: "{{ traefik_namespace }}" -# rules: -# - alert: TraefikDown -# expr: up{job="traefik"} == 0 -# for: 5m -# labels: -# context: traefik -# severity: warning -# annotations: -# summary: "Traefik Down" -# description: "{% raw %}{{ $labels.pod }} on {{ $labels.nodename }} is down{% endraw %}" -experimental: -{% if traefik_ondemand is defined %} - plugins: - sablier: - moduleName: "github.com/sablierapp/sablier" - version: "v1.8.1" -{% endif %} -{% if traefik_hub_token is defined %} - hub: - enabled: true -{% endif %} -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: [ALL] - readOnlyRootFilesystem: 
true - seccompProfile: - type: RuntimeDefault -{% if false %} -{% raw %} -extraObjects: - - apiVersion: v1 - kind: ConfigMap - metadata: - name: "extra" - data: - something: "extra" - - | - apiVersion: v1 - kind: ConfigMap - metadata: - name: "templated" - data: - something: {{ printf "templated" }} -{% endraw %} -{% endif %} diff --git a/templates/traefik-hub-certificate.yml.j2 b/templates/traefik-hub-certificate.yml.j2 deleted file mode 100644 index 72997c3..0000000 --- a/templates/traefik-hub-certificate.yml.j2 +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: List -items: -- apiVersion: v1 - kind: Secret - metadata: - annotations: - app.kubernetes.io/managed-by: traefik-hub - name: hub-certificate - namespace: {{ traefik_namespace }} - type: kubernetes.io/tls - data: - tls.crt: {{ traefik_hub_tlscrt | b64encode }} - tls.key: {{ traefik_hub_tlskey | b64encode }} diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 7e27fde..5c8ca55 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 
@@ -1,29 +1,19 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik + namespace: {{ traefik_namespace }} labels: app: traefik - annotations: - kubernetes.io/ingress.class: traefik -{% if false %} - external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }} - external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP - # external-dns.alpha.kubernetes.io/endpoints-type: HostIP - # external-dns.alpha.kubernetes.io/target: "1.2.3.4" - - # external-dns.alpha.kubernetes.io/ttl: "120" - # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" -{% endif %} spec: entryPoints: - - websecure + - https routes: # Match is the rule corresponding to an underlying router. # Later on, match could be the simple form of a path prefix, e.g. just "/bar", # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ cluster_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) + - match: Host(`traefik.{{ traefik_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", # "Parameter", etc, to support simpler forms of rule matching, but for now we # only support "Rule". 
@@ -31,31 +21,43 @@ spec: {% if basic_auth is defined or ingress_whitelist is defined %} middlewares: {% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist@file + - name: traefik-ipwhitelist {% endif %} {% if basic_auth is defined %} - - name: basic-auth@file + - name: basic-auth {% endif %} {% endif %} services: - name: api@internal kind: TraefikService - - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/ping`) +# - name: traefik-dashboard +# port: 8080 +# # (default 1) A weight used by the weighted round-robin strategy (WRR). +# weight: 1 +# # (default true) PassHostHeader controls whether to leave the request's Host +# # Header as it was before it reached the proxy, or whether to let the proxy set it +# # to the destination (backend) host. +# passHostHeader: true +# responseForwarding: +# # (default 100ms) Interval between flushes of the buffered response body to the client. +# flushInterval: 100ms + - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) kind: Rule services: - name: ping@internal kind: TraefikService -# - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/metrics`) -# kind: Rule -# services: -# - name: prometheus@internal -# kind: TraefikService + - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`) + kind: Rule + services: + - name: prometheus@internal + kind: TraefikService tls: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} -{% else %} - secretName: traefik.{{ cluster_domain }} {% endif %} + options: + name: default + namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-middleware-basicauth.yml.j2 b/templates/traefik-middleware-basicauth.yml.j2 new file mode 100644 index 0000000..797fe1f --- /dev/null +++ b/templates/traefik-middleware-basicauth.yml.j2 
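Review bot: Uncommenting the `/metrics` route exposes `prometheus@internal` on the public hostname behind only the optional whitelist/basic-auth, and the metrics list every router, service and backend with traffic counts; either keep it out, make the `traefik-ipwhitelist` middleware unconditional for this route, or scrape the metrics entrypoint from inside the cluster instead. The new `- name: basic-auth` resolves to the CRD Middleware added in this commit, whose `secret: basic-auth` is not created by anything I can see in the diff; Traefik refuses to build a middleware whose secret is missing and then drops every router that references it, so the dashboard goes dark rather than falling open, which is at least fail-closed but deserves a comment. The surrounding guard is `{% if basic_auth is defined %}`, which is true even when the variable is set to `false`; `{% if basic_auth | bool %}` matches the intent. The `tls.options` block references a TLSOption named `default` in `{{ traefik_namespace }}` that this diff does not create; without it the router logs an error and is likely not served. The `routes:` list starts in the previous hunk.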
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-auth
+ namespace: {{ traefik_namespace }}
+spec:
+ basicAuth:
+ secret: basic-auth
\ No newline at end of file
diff --git a/templates/traefik-middleware-headers.yml.j2 b/templates/traefik-middleware-headers.yml.j2
new file mode 100644
index 0000000..50172d4
--- /dev/null
+++ b/templates/traefik-middleware-headers.yml.j2
@@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: {{ traefik_namespace }}
+spec:
+ headers:
+ browserXssFilter: "true"
+ contentTypeNosniff: "true"
+ forceSTSHeader: "true"
+ frameDeny: "true"
+ stsIncludeSubdomains: "true"
+ stsPreload: "true"
+ stsSeconds: "15768000"
+ sslRedirect: "true"
+ contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
+ customFrameOptionsValue: "SAMEORIGIN"
+ referrerPolicy: "same-origin"
+ featurePolicy: "vibrate 'self'"
+
+ # CORS
+ accessControlAllowMethods:
+ - "GET"
+ - "OPTIONS"
+ - "PUT"
+ accessControlAllowOrigin: "origin-list-or-null"
+ #accessControlAllowOriginList:
+ # - "https://foo.bar.org"
+ # - "https://example.org"
+ accessControlMaxAge: 100
+ addVaryHeader: "true"
\ No newline at end of file
diff --git a/templates/traefik-middleware-httpsredirect.yml.j2 b/templates/traefik-middleware-httpsredirect.yml.j2
new file mode 100644
index 0000000..d5f4cb3
--- /dev/null
+++ b/templates/traefik-middleware-httpsredirect.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: https-only
+ namespace: {{ traefik_namespace }}
+spec:
+ redirectScheme:
+ scheme: https
\ No newline at end of file
diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2
new file mode 100644
index 0000000..0722f45
--- /dev/null
+++ b/templates/traefik-middleware-ipwhitelist.yml.j2
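Review bot: In `traefik-middleware-headers.yml.j2` the boolean and integer fields are written as quoted strings (`browserXssFilter: "true"`, `stsSeconds: "15768000"`, `addVaryHeader: "true"`); the Middleware spec types these as booleans and an integer, and because the v1beta1 CRDs in this commit carry no schema the API server accepts the object but Traefik's typed client may fail to decode it, leaving the middleware and every router that references it undefined — write `browserXssFilter: true` and `stsSeconds: 15768000`. `contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"` permits inline scripts, which removes most of the XSS protection a CSP provides; if applications behind this proxy need inline code, scope it with `script-src`/`style-src` per application rather than a proxy-wide default. `accessControlAllowOrigin: "origin-list-or-null"` is the placeholder from the upstream docs and presumably ends up verbatim in the `Access-Control-Allow-Origin` header; use `accessControlAllowOriginList` (already sketched in the comment below it) with real origins. `sslRedirect` and `featurePolicy` are deprecated in Traefik 2.x in favour of the `https-only` redirectScheme middleware added in the next hunk and `permissionsPolicy`.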
@@ -0,0 +1,13 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-ipwhitelist
+ namespace: {{ traefik_namespace }}
+spec:
+ ipWhiteList:
+ sourceRange:
+{% if ingress_whitelist is defined %}
+{% for acl_whitelist in ingress_whitelist %}
+ - {{ acl_whitelist }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2
deleted file mode 100644
index 76fdb93..0000000
--- a/templates/traefik-ondemand-plugin.yml.j2
+++ /dev/null
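Review bot: When `ingress_whitelist` is undefined (or an empty list) the template still renders a Middleware whose `sourceRange:` is empty, i.e. YAML null, and Traefik refuses to build an `ipWhiteList` with no source range, so the object is created but unusable; the dashboard route only references it when the variable is defined, so nothing fails today, but any other route that picks up `traefik-ipwhitelist` by name will. Either wrap the whole manifest in the `{% if ingress_whitelist is defined %}` guard and skip the template from the task when it is undefined, or render a fail-closed default such as `- 127.0.0.1/32` when the list is empty. The loop variable `acl_whitelist` holds a single CIDR, so a name like `cidr` would read more naturally.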
@@ -1,134 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sablier - labels: - app.kubernetes.io/name: sablier -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: sablier - template: - metadata: - labels: - app.kubernetes.io/name: sablier - spec: - serviceAccountName: sablier - serviceAccount: sablier - containers: - - name: sablier - image: sablierapp/sablier:{{ traefik_sabblier_version }} - args: - - "start" - - "--provider.name=kubernetes" - - "--server.port=10000" - - "--storage.file=/dev/shm/state.json" - ports: - - containerPort: 10000 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: [ALL] - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - securityContext: - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 -# --configFile=path/to/myconfigfile.yml ---- -apiVersion: v1 -kind: Service -metadata: - name: sablier -spec: - selector: - app.kubernetes.io/name: sablier - ports: - - protocol: TCP - port: 10000 - targetPort: 10000 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sablier ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: sablier -# namespace: {{ traefik_namespace }} -rules: - - apiGroups: - - apps - - "" - resources: - - deployments - - statefulsets - verbs: - - get # Retrieve info about specific dep - - list # Events - - watch # Events - - apiGroups: - - apps - - "" - resources: - - deployments/scale - - statefulsets/scale - verbs: - - patch # Scale up and down - - get # Retrieve info about specific dep - - update # Scale up and down - - list # Events - - watch # Events ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: sablier -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: sablier -subjects: - - kind: ServiceAccount - name: sablier - namespace: {{ traefik_namespace }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - 
name: allow-traefik-to-sablier -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: sablier - ingress: - - ports: - - port: 10000 - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: traefik - policyTypes: - - Ingress -#--- -#apiVersion: traefik.io/v1alpha1 -#kind: Middleware -#metadata: -# name: ondemand -#spec: -# plugin: -# names: toto # Comma separated names of containers/services/deployments etc. -# group: default # Group name to use to filter by label, ignored if names is set -# dynamic: -# displayName: My Title # (Optional) Defaults to the middleware name -# refreshFrequency: 5s # (Optional) The loading page refresh frequency -# showDetails: "true" # (Optional) Set to true or false to show details specifcally for this middleware, unset to use Sablier server defaults -# theme: hacker-terminal # (Optional) The theme to use -# sablierUrl: http://sablier.{{ traefik_namespace }}:10000 # The sablier URL service, must be reachable from the Traefik instance -# sessionDuration: 1m # The session duration after which containers/services/deployments instances are shutdown - diff --git a/templates/traefik-ping.yml.j2 b/templates/traefik-ping.yml.j2 new file mode 100644 index 0000000..86666f8 --- /dev/null +++ b/templates/traefik-ping.yml.j2 
@@ -0,0 +1,41 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-ping
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - https
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 14
+ services:
+ - name: ping@internal
+ kind: TraefikService
+# - name: traefik-dashboard
+# port: 8080
+# # (default 1) A weight used by the weighted round-robin strategy (WRR).
+# weight: 1
+# # (default true) PassHostHeader controls whether to leave the request's Host
+# # Header as it was before it reached the proxy, or whether to let the proxy set it
+# # to the destination (backend) host.
+# passHostHeader: true
+# responseForwarding:
+# # (default 100ms) Interval between flushes of the buffered response body to the client.
+# flushInterval: 100ms
+ tls:
+ secretName: wildcard-cluster
+ options:
+ name: default
+ namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/traefik-psp.yml.j2 b/templates/traefik-psp.yml.j2
new file mode 100644
index 0000000..ac10d3d
--- /dev/null
+++ b/templates/traefik-psp.yml.j2
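Review bot: `secretName: wildcard-cluster` is hard-coded, whereas the dashboard IngressRoute changed in this same commit takes its certificate from `traefik_dashboard_certificate`; use the same variable here so the two routes cannot drift: `{% if traefik_dashboard_certificate is defined %}` / `    secretName: {{ traefik_dashboard_certificate }}` / `{% endif %}`. This route also repeats the `Host(...) && PathPrefix(`/ping`)` rule that the dashboard IngressRoute already defines on the same host, so two routers appear to compete for the same requests with `priority: 14` as the only tiebreaker; keeping a single definition avoids that. The copied CRD commentary (`# Match is the rule…`, `# kind could eventually…`) describes Traefik's API rather than this route and can be dropped in favour of one line saying what the route exposes.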
@@ -0,0 +1,49 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+ name: traefik-ingress-controller
+spec:
+ requiredDropCapabilities:
+ - ALL
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+ privileged: false
+ allowPrivilegeEscalation: false
+ # Allow core volume types.
+ volumes:
+ - configMap
+ - downwardAPI
+ - secret
+ - emptyDir
+ - projected
+ # - persistentVolumeClaim
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: 'MustRunAsNonRoot'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ hostPorts:
+ readOnlyRootFilesystem: true
+ seLinux:
+ rule: 'RunAsAny'
+ hostPorts:
+ - max: 65535
+ min: 1
+ #allowedUnsafeSysctls:
+ # - kernel.net.ipv4.ip_unprivileged_port_start
\ No newline at end of file
diff --git a/templates/traefik-sa.yml.j2 b/templates/traefik-sa.yml.j2
index 8a31290..07c38a6 100644
--- a/templates/traefik-sa.yml.j2
+++ b/templates/traefik-sa.yml.j2
@@ -1,4 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+ namespace: {{ traefik_namespace }}
 name: traefik-ingress-controller
diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2
index b206f0e..7c369da 100644
--- a/templates/traefik-svc.yml.j2
+++ b/templates/traefik-svc.yml.j2
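Review bot: `hostPorts:` appears twice in the PSP spec, once empty just before `readOnlyRootFilesystem` and once with the range after `seLinux`; duplicate keys are invalid YAML, and loaders either reject the document or silently keep the last mapping, so delete the empty `hostPorts:` line. The surviving range `min: 1` / `max: 65535` lets the pod bind any host port; if the controller only needs the ports its entrypoints publish (80 and 443 by the look of the rest of the role), narrow it to `- min: 80` / `  max: 80` and `- min: 443` / `  max: 443` so a compromised pod cannot claim other host ports. `allowedCapabilities: NET_BIND_SERVICE` together with `MustRunAsNonRoot` is the minimal combination for binding those ports unprivileged; a comment saying so would spare the next reviewer the same reasoning.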
@@ -2,31 +2,20 @@
 apiVersion: v1
 kind: Service
 metadata:
 labels:
- app.kubernetes.io/instance: traefik
- app.kubernetes.io/name: traefik
+ app: traefik
 name: traefik
+ namespace: {{ traefik_namespace }}
 spec:
 ports:
- - name: web
+ - name: http
 port: 80
 protocol: TCP
- targetPort: web
- - name: websecure
+ targetPort: 80
+ - protocol: TCP
 port: 443
- protocol: TCP
- targetPort: websecure
- - name: websecure-http3
- port: 443
- protocol: UDP
- targetPort: websecure
-{% if traefik_external_ips is defined %}
- externalIPs:
-{% for traefik_external_ip in traefik_external_ips %}
- - {{ traefik_external_ip }}
-{% endfor %}
-{% endif %}
+ name: https
+ targetPort: 443
+ type: LoadBalancer
 selector:
- app.kubernetes.io/instance: traefik
- app.kubernetes.io/name: traefik
- sessionAffinity: None
+ app: traefik
diff --git a/templates/traefik-tls-options.yml.j2 b/templates/traefik-tls-options.yml.j2
new file mode 100644
index 0000000..6f64045
--- /dev/null
+++ b/templates/traefik-tls-options.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+ name: default
+ namespace: {{ traefik_namespace }}
+
+spec:
+ sniStrict: true
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ curvePreferences:
+ - CurveP521
+ - CurveP384
\ No newline at end of file
diff --git a/todo.sh b/todo.sh
deleted file mode 100644
index 3cab209..0000000
--- a/todo.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-cat << 'EOF' | kubectl --context my_context apply -f -
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: traefik
-spec:
- controller: traefik.io/ingress-controller
-EOF
-
diff --git a/vars/main.yml b/vars/main.yml
index ed97d53..836d770 100644
--- a/vars/main.yml
+++ b/vars/main.yml
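Review bot: The `https` port entry orders its keys `protocol`, `port`, `name`, `targetPort` while the `http` entry right above it uses `name`, `port`, `protocol`, `targetPort`; reorder the second entry to match so the two read as a pair. `targetPort: 80` and `targetPort: 443` assume the Traefik container listens on exactly those numbers; the removed lines used the named container ports `web`/`websecure` for this, and if the entrypoints are bound to other container ports a named `targetPort` keeps the Service correct when the deployment changes. `type: LoadBalancer` is now fixed in the template, so clusters without a load-balancer integration cannot opt into `NodePort` or `ClusterIP`; a variable defaulting to `LoadBalancer` would preserve the current behaviour while allowing that.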
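Review bot: `cipherSuites` in the `default` TLSOption lists only `TLS_ECDHE_RSA_*` suites, so a server certificate with an ECDSA key (common with ACME issuers) has no usable TLS 1.2 suite and handshakes fail; add the `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305` counterparts unless RSA certificates are guaranteed everywhere this option is applied. `curvePreferences` omits `X25519` and `CurveP256`, the curves most clients offer first; with only P-521 and P-384 some clients may fail to negotiate, and P-521 brings no practical benefit over P-384. `sniStrict: true` and `minVersion: VersionTLS12` are good defaults; a short comment that the suite list only governs TLS 1.2 (TLS 1.3 suites are fixed by the runtime) would stop someone later "adding" 1.3 suites that are silently ignored.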
@@ -1 +1,42 @@
----
+traefik_version_2_0: 2.0.7
+traefik_2_0_list:
+ - 2.0/traefik-clusterrole.yml.j2
+ - 2.0/traefik-clusterrolebinding.yml.j2
+ - 2.0/traefik-crd-ingressroute.yml.j2
+ - 2.0/traefik-crd-ingressroutetcp.yml.j2
+ - 2.0/traefik-crd-middleware.yml.j2
+ - 2.0/traefik-crd-tlsoption.yml.j2
+
+traefik_version_2_1: 2.1.9
+traefik_2_1_list:
+ - 2.1/traefik-clusterrole.yml.j2
+ - 2.1/traefik-clusterrolebinding.yml.j2
+ - 2.1/traefik-crd-ingressroute.yml.j2
+ - 2.1/traefik-crd-ingressroutetcp.yml.j2
+ - 2.1/traefik-crd-middleware.yml.j2
+ - 2.1/traefik-crd-tlsoption.yml.j2
+ - 2.1/traefik-crd-traefikservice.yml.j2
+
+traefik_version_2_2: 2.2.11
+traefik_2_2_list:
+ - 2.2/traefik-crd-ingressroutes.yml.j2
+ - 2.2/traefik-crd-ingressroutetcps.yml.j2
+ - 2.2/traefik-crd-ingressrouteudps.yml.j2
+ - 2.2/traefik-crd-middlewares.yml.j2
+ - 2.2/traefik-crd-tlsoptions.yml.j2
+ - 2.2/traefik-crd-tlsstores.yml.j2
+ - 2.2/traefik-crd-traefikservices.yml.j2
+ - 2.2/traefik-clusterrole.yml.j2
+ - 2.2/traefik-clusterrolebinding.yml.j2
+
+traefik_version_2_3: 2.3.2
+traefik_2_3_list:
+ - 2.3/traefik-crd-ingressroutes.yml.j2
+ - 2.3/traefik-crd-ingressroutetcps.yml.j2
+ - 2.3/traefik-crd-ingressrouteudps.yml.j2
+ - 2.3/traefik-crd-middlewares.yml.j2
+ - 2.3/traefik-crd-tlsoptions.yml.j2
+ - 2.3/traefik-crd-tlsstores.yml.j2
+ - 2.3/traefik-crd-traefikservices.yml.j2
+ - 2.3/traefik-clusterrole.yml.j2
+ - 2.3/traefik-clusterrolebinding.yml.j2
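Review bot: The `---` document start is removed from `vars/main.yml` rather than kept above the new keys; Ansible convention is to begin every vars file with `---`, so re-add it as the first line above `traefik_version_2_0`. The version values (`2.0.7`, `2.1.9`, `2.2.11`, `2.3.2`) happen to parse as strings because they contain two dots, but a future two-component value such as `2.10` would be read as the float `2.1`; quoting them (`"2.0.7"`) is cheap insurance and matches how version strings are usually written in this kind of role. A one-line comment stating that each `traefik_X_Y_list` is the set of templates applied for that minor release would help readers, since the naming is the only hint of how these lists are consumed.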