From d44bea3d667caa945aafd844f4898b630ee1916e Mon Sep 17 00:00:00 2001 From: Adrien Date: Thu, 26 Nov 2020 22:09:21 +0100 Subject: [PATCH 01/88] Update traefik version --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 836d770..cb917ee 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.2 +traefik_version_2_3: 2.3.4 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2 From 0e6f763db5cbf9c13326ddbe5102911c45148f6d Mon Sep 17 00:00:00 2001 From: Adrien Date: Sat, 19 Dec 2020 13:20:57 +0100 Subject: [PATCH 02/88] Use helm and local provider --- meta/main.yml | 2 + tasks/main.yml | 135 ++++++++++++++----------- templates/traefik-cm.yml.j2 | 21 ++-- templates/traefik-file-provider.yml.j2 | 73 +++++++++++++ templates/traefik-ingressroute.yml.j2 | 14 --- templates/traefik-svc.yml.j2 | 20 ++-- vars/main.yml | 2 +- 7 files changed, 177 insertions(+), 90 deletions(-) create mode 100644 templates/traefik-file-provider.yml.j2 diff --git a/meta/main.yml b/meta/main.yml index a2e3209..c8bee80 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,6 +5,8 @@ galaxy_info: min_ansible_version: 2.6 galaxy_tags: [] license: GPL2 + collections: + - community.kubernetes platforms: - name: kubernetes version: diff --git a/tasks/main.yml b/tasks/main.yml index b528a69..a4c6b05 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -45,35 +45,72 @@ when: - traefik_node_selector is defined - - name: Get Deployment information object - k8s_info: - context: "{{ my_context }}" - api_version: v1 - kind: DaemonSet +# - name: Get Deployment information object +# k8s_info: +# context: "{{ my_context }}" +# api_version: v1 +# kind: DaemonSet +# name: traefik +# namespace: '{{ traefik_namespace }}' +# field_selectors: +# - spec.template.spec.containers.image +# register: traefik_actual_resources +# +# - name: Retreive actual traefik version +# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq +# register: traefik_actual_version +# +# - name: Remove old traefik version {{ traefik_actual_version.stdout }} +# k8s: +# state: "absent" +# context: "{{ my_context }}" +# resource_definition: "{{ lookup('template', item) | from_yaml }}" +# with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse +# when: +# - not traefik_actual_version.stdout == "[]" +# - not traefik_version == traefik_actual_version.stdout +# - traefik_actual_version.stdout is version(traefik_version, '>') + + - name: deploy traefik + community.kubernetes.helm_repository: name: traefik - namespace: '{{ traefik_namespace }}' - field_selectors: - - spec.template.spec.containers.image - register: traefik_actual_resources + repo_url: "https://helm.traefik.io/traefik" + tags: traefik + - name: Deploy latest version of Traefik + community.kubernetes.helm: + name: traefik + chart_ref: traefik/traefik + release_namespace: traefik + values: + additionalArguments: + - --configFile=/etc/traefik/traefik.yaml + podSecurityPolicy: + enabled: true + service: + enabled: false + ingressRoute: + dashboard: + enabled: false + ports: + web: + redirectTo: websecure + hostPort: 80 + websecure: + hostPort: 443 + volumes: + - 
mountPath: /etc/traefik + name: traefik-conf + type: configMap + - mountPath: /etc/traefik/file + name: traefik-file-provider + type: configMap + - mountPath: /etc/traefik/basic-auth + name: basic-auth + type: secret - - name: Retreive actual traefik version - shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq - register: traefik_actual_version - - - name: Remove old traefik version {{ traefik_actual_version.stdout }} - k8s: - state: "absent" - context: "{{ my_context }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -# - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse - when: - - not traefik_actual_version.stdout == "[]" - - not traefik_version == traefik_actual_version.stdout - - traefik_actual_version.stdout is version(traefik_version, '>') - - - name: Install traefik version {{ traefik_version }} + - name: Install traefik configuration k8s: state: "present" context: "{{ my_context }}" 
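Review bot: Neither of the two Helm tasks added here passes the kube context or the namespace variable that the surrounding `k8s` tasks use, so the release is installed into whatever cluster the active kubeconfig context points at, and always into the literal namespace `traefik`, while the ConfigMaps go to `{{ my_context }}` / `{{ traefik_namespace }}`. I would set `release_namespace: "{{ traefik_namespace }}"` and pass `{{ my_context }}` through the module's kube-context option. The chart is also unpinned (`chart_ref: traefik/traefik` with no `chart_version`, in a task named "Deploy latest version of Traefik"), so every run may pull a different chart from the remote repository; pinning `chart_version` keeps the deployment reproducible and reviewable. The large commented-out block above these tasks is dead code and is better deleted than kept. The task list this hunk belongs to starts and ends outside the hunk.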
@@ -81,40 +118,18 @@ merge_type: merge resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: - - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-psp.yml.j2 +# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" +# - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-sa.yml.j2 - - traefik-dp.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-dashboard-svc.yml.j2 - - traefik-middleware-httpsredirect.yml.j2 - - traefik-middleware-basicauth.yml.j2 - - traefik-middleware-headers.yml.j2 - - traefik-tls-options.yml.j2 + - traefik-file-provider.yml.j2 +# - traefik-sa.yml.j2 +# - traefik-dp.yml.j2 +# - traefik-middleware-httpsredirect.yml.j2 +# - traefik-middleware-basicauth.yml.j2 +# - traefik-middleware-headers.yml.j2 +# - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 - - traefik-dashboard-insecure.yml.j2 -# - traefik-ping.yml.j2 - - - - name: Define state of ipwhitelist middleware to present - set_fact: - traefik_ipwhitelist_state: present - when: - - traefik_version | regex_search('(^2.)') - - ingress_whitelist is defined - - name: Define state of ipwhitelist middleware to absent - set_fact: - traefik_ipwhitelist_state: absent - when: - - not ingress_whitelist is defined or traefik_ipwhitelist_state is not defined - - name: IP white list need to be {{ traefik_ipwhitelist_state }} - k8s: - state: "{{ traefik_ipwhitelist_state }}" - context: "{{ my_context }}" - merge_type: merge - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - traefik-middleware-ipwhitelist.yml.j2 +# - traefik-dashboard-insecure.yml.j2 + - traefik-svc.yml.j2 tags: traefik diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 37a2ff7..876b6b4 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 
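Review bot: The templates dropped from `with_items` are only commented out, and the one task that removed old objects was commented out earlier in this commit, so on a cluster installed by the previous version of this role the old objects (notably those from `traefik-dp.yml.j2` and `traefik-dashboard-insecure.yml.j2`) presumably stay deployed next to the Helm release. That would leave the insecure dashboard route and the old pods running after the upgrade. A one-off removal pass over the retired templates, as sketched below, closes that gap, and the commented-out list entries can then be deleted instead of kept. The task itself begins before the hunk.

```yaml
# … unchanged: "Install traefik configuration" task …
- name: Remove objects left by the pre-Helm install
  k8s:
    state: "absent"
    context: "{{ my_context }}"
    namespace: '{{ traefik_namespace }}'
    resource_definition: "{{ lookup('template', item) | from_yaml }}"
  with_items:
    - traefik-dashboard-insecure.yml.j2
    - traefik-dp.yml.j2
  tags: traefik
```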
@@ -7,6 +7,20 @@ data: serversTransport: insecureSkipVerify: true entryPoints: + web: + address: ":8000/tcp" + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: ":8443/tcp" + http: + tls: + options: default + traefik: + address: ":9000/tcp" {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: address: :{{ traefik_entrypoint.port }} @@ -26,18 +40,11 @@ data: watch: true metrics: prometheus: - buckets: - - 0.1 - - 0.3 - - 1.2 - - 5 entryPoint: traefik ping: entryPoint: traefik api: - insecure: true dashboard: true - debug: true log: level: WARN format: json diff --git a/templates/traefik-file-provider.yml.j2 b/templates/traefik-file-provider.yml.j2 new file mode 100644 index 0000000..c91b56b --- /dev/null +++ b/templates/traefik-file-provider.yml.j2 
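Review bot: The fixed `web`, `websecure` and `traefik` entry points are emitted directly before the `traefik_entrypoints` loop, so an item in that variable with one of those names renders a duplicate YAML key, and most parsers silently keep the last one, which would drop the HTTPS redirection or the `tls.options: default` binding added here. A guard on the loop avoids that, e.g. `{% for traefik_entrypoint in traefik_entrypoints if traefik_entrypoint.name not in ['web', 'websecure', 'traefik'] %}`, or at least a comment naming the three reserved names. Separately, the unchanged context line `insecureSkipVerify: true` still turns off certificate verification towards backends; if that is deliberate it deserves a comment explaining why.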
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: traefik-file-provider + namespace: traefik +data: + traefik-middlewares.yaml: | + http: + middlewares: + compress: + compress: + excludedContentTypes: ["text/event-stream"] + rate-limit: + rateLimit: + average: 100 + burst: 50 + security_headers: + headers: + accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] + accessControlAllowOrigin: "origin-list-or-null" + accessControlMaxAge: 100 + addVaryHeader: true + browserXssFilter: true + contentTypeNosniff: true + forceSTSHeader: true + frameDeny: true + stsIncludeSubdomains: true + stsPreload: true + customFrameOptionsValue: "SAMEORIGIN" + referrerPolicy: "same-origin" + featurePolicy: "vibrate 'self'" + stsSeconds: 315360000 + sslRedirect: true + contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" + # customResponseHeaders: + # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," + # server: "" +{% if ingress_whitelist is defined %} + traefik-ipwhitelist: + ipWhiteList: + sourceRange: +{% for acl_whitelist in ingress_whitelist %} + - {{ acl_whitelist }} +{% endfor %} +{% endif %} +{% if basic_auth|bool %} + basic-auth: + basicAuth: + removeHeader: true + usersFile: "/etc/traefik/basic-auth/basic_auth" + # users: + # - {{ basic_auth_data }} +{% endif %} + authelia: + forwardAuth: + address: "http://authelia:9091/api/verify?rd=https://login.example.com/" + trustForwardHeader: true + authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"] + + traefik-tls-defaults-options.yaml: | + tls: + options: + default: + sniStrict: true + minVersion: VersionTLS12 + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 5c8ca55..b7f199a 100644 
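Review bot: The commented-out `# - {{ basic_auth_data }}` line under `basic-auth` is still expanded by Jinja, and because it sits inside the `|` block scalar the expanded value becomes part of the ConfigMap data. The basic-auth entries (presumably user and password hash) are then readable by anyone who can read ConfigMaps in the namespace, even though the real credentials are mounted from the `basic-auth` secret; drop the line or turn it into a Jinja comment, `{# users: basic_auth_data #}`. In the `authelia` middleware the key `authReponseHeaders` is misspelled (Traefik's option is `authResponseHeaders`), so the `Remote-*` headers are presumably not passed on to backends. `namespace: traefik` is hard-coded here while the other templates use `{{ traefik_namespace }}`, and `'unsafe-inline'` in `contentSecurityPolicy` removes most of the script-injection protection that header is meant to give.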
--- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -30,17 +30,6 @@ spec: services: - name: api@internal kind: TraefikService -# - name: traefik-dashboard -# port: 8080 -# # (default 1) A weight used by the weighted round-robin strategy (WRR). -# weight: 1 -# # (default true) PassHostHeader controls whether to leave the request's Host -# # Header as it was before it reached the proxy, or whether to let the proxy set it -# # to the destination (backend) host. -# passHostHeader: true -# responseForwarding: -# # (default 100ms) Interval between flushes of the buffered response body to the client. -# flushInterval: 100ms - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) kind: Rule services: @@ -58,6 +47,3 @@ spec: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} {% endif %} - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index 7c369da..71d2044 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 @@ -2,20 +2,24 @@ apiVersion: v1 kind: Service metadata: labels: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik name: traefik namespace: {{ traefik_namespace }} spec: ports: - - name: http + - name: web + hostPort: 80 port: 80 protocol: TCP - targetPort: 80 - - protocol: TCP + targetPort: web + - name: websecure + hostPort: 443 port: 443 - name: https - targetPort: 443 - type: LoadBalancer + protocol: TCP + targetPort: websecure selector: - app: traefik + app.kubernetes.io/instance: traefik + app.kubernetes.io/name: traefik + sessionAffinity: None diff --git a/vars/main.yml b/vars/main.yml index cb917ee..2ba0d63 100644 --- a/vars/main.yml +++ b/vars/main.yml 
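Review bot: In `templates/traefik-svc.yml.j2`, `hostPort` is not a field of a Service port (it belongs to a container's `ports` entry), so the added `hostPort: 80` and `hostPort: 443` lines under `spec.ports` are either rejected or silently dropped, depending on validation. The host ports are already requested through the Helm values `ports.web.hostPort` and `ports.websecure.hostPort` in `tasks/main.yml`, so both lines can simply be removed. With `type: LoadBalancer` gone the Service falls back to the default ClusterIP type; I assume that is intended now that exposure is via host ports, and a one-line comment such as `# ClusterIP only: external traffic enters through the pod hostPorts` would make it explicit. Binding 80/443 on every node also makes node-level firewalling the only network control in front of Traefik.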
@@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.4 +traefik_version_2_3: 2.3.6 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2 From bdbf908070057e37eba1682b9c5cf2f976124b48 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 11 Jan 2021 22:48:28 +0100 Subject: [PATCH 03/88] Update traefik to version 2.3.7 --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 2ba0d63..ffe6edb 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -29,7 +29,7 @@ traefik_2_2_list: - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 -traefik_version_2_3: 2.3.6 +traefik_version_2_3: 2.3.7 traefik_2_3_list: - 2.3/traefik-crd-ingressroutes.yml.j2 - 2.3/traefik-crd-ingressroutetcps.yml.j2 From 88bdd203777c5d319dbb5d39fc0e5f49bc7ef21a Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Tue, 19 Jan 2021 00:00:47 +0100 Subject: [PATCH 04/88] Use helm to deploy traefik --- tasks/main.yml | 21 ++- templates/2.0/traefik-clusterrole.yml.j2 | 62 ------- .../2.0/traefik-clusterrolebinding.yml.j2 | 13 -- templates/2.0/traefik-crd-ingressroute.yml.j2 | 16 -- .../2.0/traefik-crd-ingressroutetcp.yml.j2 | 16 -- templates/2.0/traefik-crd-middleware.yml.j2 | 16 -- templates/2.0/traefik-crd-tlsoption.yml.j2 | 13 -- templates/2.1/Ressources-exemple.yml | 157 ------------------ templates/2.1/traefik-clusterrole.yml.j2 | 42 ----- .../2.1/traefik-clusterrolebinding.yml.j2 | 13 -- templates/2.1/traefik-crd-ingressroute.yml.j2 | 16 -- .../2.1/traefik-crd-ingressroutetcp.yml.j2 | 16 -- templates/2.1/traefik-crd-middleware.yml.j2 | 16 -- templates/2.1/traefik-crd-tlsoption.yml.j2 | 16 -- .../2.1/traefik-crd-traefikservice.yml.j2 | 16 -- templates/2.2/Ressources-exemple.yml | 157 ------------------ templates/2.2/traefik-clusterrole.yml.j2 | 48 ------ .../2.2/traefik-clusterrolebinding.yml.j2 | 13 -- .../2.2/traefik-crd-ingressroutes.yml.j2 | 16 -- .../2.2/traefik-crd-ingressroutetcps.yml.j2 | 16 -- .../2.2/traefik-crd-ingressrouteudps.yml.j2 | 16 -- templates/2.2/traefik-crd-middlewares.yml.j2 | 16 -- templates/2.2/traefik-crd-tlsoptions.yml.j2 | 16 -- templates/2.2/traefik-crd-tlsstores.yml.j2 | 16 -- .../2.2/traefik-crd-traefikservices.yml.j2 | 16 -- templates/2.3/Ressources-exemple.yml | 157 ------------------ templates/2.3/traefik-clusterrole.yml.j2 | 50 ------ .../2.3/traefik-clusterrolebinding.yml.j2 | 13 -- .../2.3/traefik-crd-ingressroutes.yml.j2 | 13 -- .../2.3/traefik-crd-ingressroutetcps.yml.j2 | 13 -- .../2.3/traefik-crd-ingressrouteudps.yml.j2 | 13 -- templates/2.3/traefik-crd-middlewares.yml.j2 | 13 -- templates/2.3/traefik-crd-tlsoptions.yml.j2 | 13 -- templates/2.3/traefik-crd-tlsstores.yml.j2 | 13 -- .../2.3/traefik-crd-traefikservices.yml.j2 | 13 -- templates/traefik-cm.yml.j2 | 11 +- 
templates/traefik-dashboard-insecure.yml.j2 | 40 ----- templates/traefik-dashboard-svc.yml.j2 | 24 --- templates/traefik-dp.yml.j2 | 93 ----------- ...e-provider.yml.j2 => traefik-files.yml.j2} | 3 +- templates/traefik-ingressroute.yml.j2 | 1 - templates/traefik-middleware-basicauth.yml.j2 | 8 - templates/traefik-middleware-headers.yml.j2 | 31 ---- .../traefik-middleware-httpsredirect.yml.j2 | 8 - .../traefik-middleware-ipwhitelist.yml.j2 | 1 - templates/traefik-ping.yml.j2 | 41 ----- templates/traefik-psp.yml.j2 | 49 ------ templates/traefik-sa.yml.j2 | 1 - templates/traefik-svc.yml.j2 | 1 - templates/traefik-tls-options.yml.j2 | 16 -- vars/main.yml | 30 ---- 51 files changed, 16 insertions(+), 1432 deletions(-) delete mode 100644 templates/2.0/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.0/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.0/traefik-crd-ingressroute.yml.j2 delete mode 100644 templates/2.0/traefik-crd-ingressroutetcp.yml.j2 delete mode 100644 templates/2.0/traefik-crd-middleware.yml.j2 delete mode 100644 templates/2.0/traefik-crd-tlsoption.yml.j2 delete mode 100644 templates/2.1/Ressources-exemple.yml delete mode 100644 templates/2.1/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.1/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.1/traefik-crd-ingressroute.yml.j2 delete mode 100644 templates/2.1/traefik-crd-ingressroutetcp.yml.j2 delete mode 100644 templates/2.1/traefik-crd-middleware.yml.j2 delete mode 100644 templates/2.1/traefik-crd-tlsoption.yml.j2 delete mode 100644 templates/2.1/traefik-crd-traefikservice.yml.j2 delete mode 100644 templates/2.2/Ressources-exemple.yml delete mode 100644 templates/2.2/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.2/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.2/traefik-crd-ingressroutes.yml.j2 delete mode 100644 templates/2.2/traefik-crd-ingressroutetcps.yml.j2 delete mode 100644 
templates/2.2/traefik-crd-ingressrouteudps.yml.j2 delete mode 100644 templates/2.2/traefik-crd-middlewares.yml.j2 delete mode 100644 templates/2.2/traefik-crd-tlsoptions.yml.j2 delete mode 100644 templates/2.2/traefik-crd-tlsstores.yml.j2 delete mode 100644 templates/2.2/traefik-crd-traefikservices.yml.j2 delete mode 100644 templates/2.3/Ressources-exemple.yml delete mode 100644 templates/2.3/traefik-clusterrole.yml.j2 delete mode 100644 templates/2.3/traefik-clusterrolebinding.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressroutes.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressroutetcps.yml.j2 delete mode 100644 templates/2.3/traefik-crd-ingressrouteudps.yml.j2 delete mode 100644 templates/2.3/traefik-crd-middlewares.yml.j2 delete mode 100644 templates/2.3/traefik-crd-tlsoptions.yml.j2 delete mode 100644 templates/2.3/traefik-crd-tlsstores.yml.j2 delete mode 100644 templates/2.3/traefik-crd-traefikservices.yml.j2 delete mode 100644 templates/traefik-dashboard-insecure.yml.j2 delete mode 100644 templates/traefik-dashboard-svc.yml.j2 delete mode 100644 templates/traefik-dp.yml.j2 rename templates/{traefik-file-provider.yml.j2 => traefik-files.yml.j2} (97%) delete mode 100644 templates/traefik-middleware-basicauth.yml.j2 delete mode 100644 templates/traefik-middleware-headers.yml.j2 delete mode 100644 templates/traefik-middleware-httpsredirect.yml.j2 delete mode 100644 templates/traefik-ping.yml.j2 delete mode 100644 templates/traefik-psp.yml.j2 delete mode 100644 templates/traefik-tls-options.yml.j2 diff --git a/tasks/main.yml b/tasks/main.yml index a4c6b05..9844fba 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -73,7 +73,7 @@ # - not traefik_version == traefik_actual_version.stdout # - traefik_actual_version.stdout is version(traefik_version, '>') - - name: deploy traefik + - name: Defined traefik repository community.kubernetes.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" 
@@ -84,6 +84,8 @@ chart_ref: traefik/traefik release_namespace: traefik values: + image: + tag: "{{ traefik_version_2_3 }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml podSecurityPolicy: @@ -93,6 +95,9 @@ ingressRoute: dashboard: enabled: false + ingressClass: + enabled: true + isDefaultClass: true ports: web: redirectTo: websecure @@ -104,7 +109,7 @@ name: traefik-conf type: configMap - mountPath: /etc/traefik/file - name: traefik-file-provider + name: traefik-files type: configMap - mountPath: /etc/traefik/basic-auth name: basic-auth @@ -115,21 +120,15 @@ state: "present" context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' - merge_type: merge +# merge_type: merge + apply: yes resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" -# - traefik-psp.yml.j2 - traefik-cm.yml.j2 - - traefik-file-provider.yml.j2 + - traefik-files.yml.j2 # - traefik-sa.yml.j2 -# - traefik-dp.yml.j2 -# - traefik-middleware-httpsredirect.yml.j2 -# - traefik-middleware-basicauth.yml.j2 -# - traefik-middleware-headers.yml.j2 -# - traefik-tls-options.yml.j2 - traefik-ingressroute.yml.j2 -# - traefik-dashboard-insecure.yml.j2 - traefik-svc.yml.j2 tags: traefik diff --git a/templates/2.0/traefik-clusterrole.yml.j2 b/templates/2.0/traefik-clusterrole.yml.j2 deleted file mode 100644 index 537813c..0000000 --- a/templates/2.0/traefik-clusterrole.yml.j2 +++ /dev/null 
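Review bot: `image.tag` is now pinned from `traefik_version_2_3`, but the chart is still installed without `chart_version`, so a newer chart (with its own CRDs, RBAC and default arguments) can be combined with an older image on any run; pin the two together. The diffstat of this commit also removes 30 lines from `vars/main.yml` in a hunk that is not visible here, so please confirm `traefik_version_2_3` is still defined afterwards, otherwise this expression fails at run time. The `values:` mapping begins and ends outside the hunk.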
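Review bot: `ingressClass.isDefaultClass: true` makes Traefik the cluster's default class, so (assuming the chart creates a default IngressClass from it) any `Ingress` created without an explicit class is published on host ports 80/443. If that cluster-wide effect is intended, state it next to the value, e.g. `# Traefik becomes the default IngressClass: unclassed Ingress objects are exposed`; otherwise set `isDefaultClass: false` and let workloads opt in.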
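Review bot: In the last `tasks/main.yml` hunk, `apply: yes` relies on YAML 1.1 truthy parsing; write `apply: true` like the other booleans in the Helm values above. The commented-out `# merge_type: merge` and the commented template names left in `with_items` are dead configuration and should be deleted rather than kept, since a later reader cannot tell whether they are meant to come back.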
@@ -1,62 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutes - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutetcps - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - tlsoptions - verbs: - - get - - list - - watch diff --git a/templates/2.0/traefik-clusterrolebinding.yml.j2 b/templates/2.0/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 9f58700..0000000 --- a/templates/2.0/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: traefik diff --git a/templates/2.0/traefik-crd-ingressroute.yml.j2 b/templates/2.0/traefik-crd-ingressroute.yml.j2 deleted file mode 100644 index 41f70f9..0000000 --- a/templates/2.0/traefik-crd-ingressroute.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced 
diff --git a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 deleted file mode 100644 index 107c4e5..0000000 --- a/templates/2.0/traefik-crd-ingressroutetcp.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.0/traefik-crd-middleware.yml.j2 b/templates/2.0/traefik-crd-middleware.yml.j2 deleted file mode 100644 index b517ac8..0000000 --- a/templates/2.0/traefik-crd-middleware.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - namespace: traefik - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.0/traefik-crd-tlsoption.yml.j2 b/templates/2.0/traefik-crd-tlsoption.yml.j2 deleted file mode 100644 index 1495e0d..0000000 --- a/templates/2.0/traefik-crd-tlsoption.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.1/Ressources-exemple.yml b/templates/2.1/Ressources-exemple.yml deleted file mode 100644 index bf512dd..0000000 --- a/templates/2.1/Ressources-exemple.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr2 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: s1 - weight: 1 - port: 80 - # Optional, as it is the default value - kind: Service - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr1 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: wrr2 - kind: TraefikService - weight: 1 - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror1 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: s1 - port: 80 - mirrors: - - name: s3 - percent: 20 - port: 80 - - name: mirror2 - kind: TraefikService - percent: 20 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror2 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: wrr2 - kind: TraefikService - mirrors: - - name: s2 - # Optional, as it is the default value - kind: Service - percent: 20 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroute -spec: - entryPoints: - - web - - websecure - routes: - - match: Host(`foo.com`) && PathPrefix(`/bar`) - kind: Rule - priority: 12 - # defining several services is possible and allowed, but for now the servers of - # all the services (for a given route) get merged altogether under the same - # load-balancing strategy. - services: - - name: s1 - port: 80 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - # strategy defines the load balancing strategy between the servers. It defaults - # to Round Robin, and for now only Round Robin is supported anyway. 
- strategy: RoundRobin - - name: s2 - port: 433 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - - match: PathPrefix(`/misc`) - services: - - name: s3 - port: 80 - middlewares: - - name: stripprefix - - name: addprefix - - match: PathPrefix(`/misc`) - services: - - name: s3 - # Optional, as it is the default value - kind: Service - port: 8443 - # scheme allow to override the scheme for the service. (ex: https or h2c) - scheme: https - - match: PathPrefix(`/lb`) - services: - - name: wrr1 - kind: TraefikService - - match: PathPrefix(`/mirrored`) - services: - - name: mirror1 - kind: TraefikService - # use an empty tls object for TLS with Let's Encrypt - tls: - secretName: supersecret - options: - name: myTLSOption - namespace: default - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: ingressroutetcp.crd - namespace: default - -spec: - entryPoints: - - footcp - routes: - - match: HostSNI(`bar.com`) - services: - - name: whoamitcp - port: 8080 - tls: - secretName: foosecret - passthrough: false - options: - name: myTLSOption - namespace: default \ No newline at end of file diff --git a/templates/2.1/traefik-clusterrole.yml.j2 b/templates/2.1/traefik-clusterrole.yml.j2 deleted file mode 100644 index fe4f9c9..0000000 --- a/templates/2.1/traefik-clusterrole.yml.j2 +++ /dev/null @@ -1,42 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - - ingressroutes - - traefikservices - - ingressroutetcps - - tlsoptions - verbs: - - get - - list - - watch 
diff --git a/templates/2.1/traefik-clusterrolebinding.yml.j2 b/templates/2.1/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 2a4398a..0000000 --- a/templates/2.1/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: {{ traefik_namespace }} diff --git a/templates/2.1/traefik-crd-ingressroute.yml.j2 b/templates/2.1/traefik-crd-ingressroute.yml.j2 deleted file mode 100644 index f31a6bd..0000000 --- a/templates/2.1/traefik-crd-ingressroute.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced diff --git a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 b/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 deleted file mode 100644 index a766ed8..0000000 --- a/templates/2.1/traefik-crd-ingressroutetcp.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.1/traefik-crd-middleware.yml.j2 b/templates/2.1/traefik-crd-middleware.yml.j2 deleted file mode 100644 index 1c0168e..0000000 --- a/templates/2.1/traefik-crd-middleware.yml.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.1/traefik-crd-tlsoption.yml.j2 b/templates/2.1/traefik-crd-tlsoption.yml.j2 deleted file mode 100644 index a1200f0..0000000 --- a/templates/2.1/traefik-crd-tlsoption.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.1/traefik-crd-traefikservice.yml.j2 b/templates/2.1/traefik-crd-traefikservice.yml.j2 deleted file mode 100644 index 46ce7ca..0000000 --- a/templates/2.1/traefik-crd-traefikservice.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: traefikservices.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TraefikService - plural: traefikservices - singular: traefikservice - scope: Namespaced diff --git a/templates/2.2/Ressources-exemple.yml b/templates/2.2/Ressources-exemple.yml deleted file mode 100644 index bf512dd..0000000 --- a/templates/2.2/Ressources-exemple.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr2 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: s1 - weight: 1 - port: 80 - # Optional, as it is the default value - kind: Service - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr1 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: wrr2 - kind: TraefikService - weight: 1 - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror1 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: s1 - port: 80 - mirrors: - - name: s3 - percent: 20 - port: 80 - - name: mirror2 - kind: TraefikService - percent: 20 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror2 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: wrr2 - kind: TraefikService - mirrors: - - name: s2 - # Optional, as it is the default value - kind: Service - percent: 20 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroute -spec: - entryPoints: - - web - - websecure - routes: - - match: Host(`foo.com`) && PathPrefix(`/bar`) - kind: Rule - priority: 12 - # defining several services is possible and allowed, but for now the servers of - # all the services (for a given route) get merged altogether under the same - # load-balancing strategy. - services: - - name: s1 - port: 80 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - # strategy defines the load balancing strategy between the servers. It defaults - # to Round Robin, and for now only Round Robin is supported anyway. 
- strategy: RoundRobin - - name: s2 - port: 433 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - - match: PathPrefix(`/misc`) - services: - - name: s3 - port: 80 - middlewares: - - name: stripprefix - - name: addprefix - - match: PathPrefix(`/misc`) - services: - - name: s3 - # Optional, as it is the default value - kind: Service - port: 8443 - # scheme allow to override the scheme for the service. (ex: https or h2c) - scheme: https - - match: PathPrefix(`/lb`) - services: - - name: wrr1 - kind: TraefikService - - match: PathPrefix(`/mirrored`) - services: - - name: mirror1 - kind: TraefikService - # use an empty tls object for TLS with Let's Encrypt - tls: - secretName: supersecret - options: - name: myTLSOption - namespace: default - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: ingressroutetcp.crd - namespace: default - -spec: - entryPoints: - - footcp - routes: - - match: HostSNI(`bar.com`) - services: - - name: whoamitcp - port: 8080 - tls: - secretName: foosecret - passthrough: false - options: - name: myTLSOption - namespace: default \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrole.yml.j2 b/templates/2.2/traefik-clusterrole.yml.j2 deleted file mode 100644 index bef2410..0000000 --- a/templates/2.2/traefik-clusterrole.yml.j2 +++ /dev/null 
@@ -1,48 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['traefik-ingress-controller'] - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - - ingressroutes - - traefikservices - - ingressroutetcps - - ingressrouteudps - - tlsoptions - - tlsstores - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/templates/2.2/traefik-clusterrolebinding.yml.j2 b/templates/2.2/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 2a4398a..0000000 --- a/templates/2.2/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: {{ traefik_namespace }} diff --git a/templates/2.2/traefik-crd-ingressroutes.yml.j2 b/templates/2.2/traefik-crd-ingressroutes.yml.j2 deleted file mode 100644 index f31a6bd..0000000 --- a/templates/2.2/traefik-crd-ingressroutes.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced 
diff --git a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 deleted file mode 100644 index a766ed8..0000000 --- a/templates/2.2/traefik-crd-ingressroutetcps.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 deleted file mode 100644 index 535726c..0000000 --- a/templates/2.2/traefik-crd-ingressrouteudps.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressrouteudps.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteUDP - plural: ingressrouteudps - singular: ingressrouteudp - scope: Namespaced diff --git a/templates/2.2/traefik-crd-middlewares.yml.j2 b/templates/2.2/traefik-crd-middlewares.yml.j2 deleted file mode 100644 index 1c0168e..0000000 --- a/templates/2.2/traefik-crd-middlewares.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsoptions.yml.j2 b/templates/2.2/traefik-crd-tlsoptions.yml.j2 deleted file mode 100644 index a1200f0..0000000 
--- a/templates/2.2/traefik-crd-tlsoptions.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.2/traefik-crd-tlsstores.yml.j2 b/templates/2.2/traefik-crd-tlsstores.yml.j2 deleted file mode 100644 index eae918f..0000000 --- a/templates/2.2/traefik-crd-tlsstores.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsstores.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSStore - plural: tlsstores - singular: tlsstore - scope: Namespaced diff --git a/templates/2.2/traefik-crd-traefikservices.yml.j2 b/templates/2.2/traefik-crd-traefikservices.yml.j2 deleted file mode 100644 index 46ce7ca..0000000 --- a/templates/2.2/traefik-crd-traefikservices.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: traefikservices.traefik.containo.us - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TraefikService - plural: traefikservices - singular: traefikservice - scope: Namespaced diff --git a/templates/2.3/Ressources-exemple.yml b/templates/2.3/Ressources-exemple.yml deleted file mode 100644 index bf512dd..0000000 --- a/templates/2.3/Ressources-exemple.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr2 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: s1 - weight: 1 - port: 80 - # Optional, as it is the default value - kind: Service - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: wrr1 - namespace: {{ traefik_namespace }} - -spec: - weighted: - services: - - name: wrr2 - kind: TraefikService - weight: 1 - - name: s3 - weight: 1 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror1 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: s1 - port: 80 - mirrors: - - name: s3 - percent: 20 - port: 80 - - name: mirror2 - kind: TraefikService - percent: 20 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TraefikService -metadata: - name: mirror2 - namespace: {{ traefik_namespace }} - -spec: - mirroring: - name: wrr2 - kind: TraefikService - mirrors: - - name: s2 - # Optional, as it is the default value - kind: Service - percent: 20 - port: 80 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroute -spec: - entryPoints: - - web - - websecure - routes: - - match: Host(`foo.com`) && PathPrefix(`/bar`) - kind: Rule - priority: 12 - # defining several services is possible and allowed, but for now the servers of - # all the services (for a given route) get merged altogether under the same - # load-balancing strategy. - services: - - name: s1 - port: 80 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - # strategy defines the load balancing strategy between the servers. It defaults - # to Round Robin, and for now only Round Robin is supported anyway. 
- strategy: RoundRobin - - name: s2 - port: 433 - healthCheck: - path: /health - host: baz.com - intervalSeconds: 7 - timeoutSeconds: 60 - - match: PathPrefix(`/misc`) - services: - - name: s3 - port: 80 - middlewares: - - name: stripprefix - - name: addprefix - - match: PathPrefix(`/misc`) - services: - - name: s3 - # Optional, as it is the default value - kind: Service - port: 8443 - # scheme allow to override the scheme for the service. (ex: https or h2c) - scheme: https - - match: PathPrefix(`/lb`) - services: - - name: wrr1 - kind: TraefikService - - match: PathPrefix(`/mirrored`) - services: - - name: mirror1 - kind: TraefikService - # use an empty tls object for TLS with Let's Encrypt - tls: - secretName: supersecret - options: - name: myTLSOption - namespace: default - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: ingressroutetcp.crd - namespace: default - -spec: - entryPoints: - - footcp - routes: - - match: HostSNI(`bar.com`) - services: - - name: whoamitcp - port: 8080 - tls: - secretName: foosecret - passthrough: false - options: - name: myTLSOption - namespace: default \ No newline at end of file diff --git a/templates/2.3/traefik-clusterrole.yml.j2 b/templates/2.3/traefik-clusterrole.yml.j2 deleted file mode 100644 index 46bbd16..0000000 --- a/templates/2.3/traefik-clusterrole.yml.j2 +++ /dev/null 
@@ -1,50 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['traefik-ingress-controller'] - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - - ingressroutes - - traefikservices - - ingressroutetcps - - ingressrouteudps - - tlsoptions - - tlsstores - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/templates/2.3/traefik-clusterrolebinding.yml.j2 b/templates/2.3/traefik-clusterrolebinding.yml.j2 deleted file mode 100644 index 2a4398a..0000000 --- a/templates/2.3/traefik-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: {{ traefik_namespace }} diff --git a/templates/2.3/traefik-crd-ingressroutes.yml.j2 b/templates/2.3/traefik-crd-ingressroutes.yml.j2 deleted file mode 100644 index 0bcfd35..0000000 --- a/templates/2.3/traefik-crd-ingressroutes.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced 
diff --git a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 b/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 deleted file mode 100644 index 36b202a..0000000 --- a/templates/2.3/traefik-crd-ingressroutetcps.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced diff --git a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 b/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 deleted file mode 100644 index d7c2624..0000000 --- a/templates/2.3/traefik-crd-ingressrouteudps.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressrouteudps.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteUDP - plural: ingressrouteudps - singular: ingressrouteudp - scope: Namespaced diff --git a/templates/2.3/traefik-crd-middlewares.yml.j2 b/templates/2.3/traefik-crd-middlewares.yml.j2 deleted file mode 100644 index d1ae35f..0000000 --- a/templates/2.3/traefik-crd-middlewares.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced diff --git a/templates/2.3/traefik-crd-tlsoptions.yml.j2 b/templates/2.3/traefik-crd-tlsoptions.yml.j2 deleted file mode 100644 index 1495e0d..0000000 --- a/templates/2.3/traefik-crd-tlsoptions.yml.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced diff --git a/templates/2.3/traefik-crd-tlsstores.yml.j2 b/templates/2.3/traefik-crd-tlsstores.yml.j2 deleted file mode 100644 index f9a4005..0000000 --- a/templates/2.3/traefik-crd-tlsstores.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsstores.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSStore - plural: tlsstores - singular: tlsstore - scope: Namespaced diff --git a/templates/2.3/traefik-crd-traefikservices.yml.j2 b/templates/2.3/traefik-crd-traefikservices.yml.j2 deleted file mode 100644 index 3262c43..0000000 --- a/templates/2.3/traefik-crd-traefikservices.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: traefikservices.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TraefikService - plural: traefikservices - singular: traefikservice - scope: Namespaced \ No newline at end of file diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 876b6b4..a29ddaa 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -1,4 +1,9 @@ apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: traefik + name: traefik-conf data: traefik.yaml: | global: @@ -56,9 +61,3 @@ data: BackendName: keep BackendURL: keep FrontendName: keep -kind: ConfigMap -metadata: - labels: - app: traefik - name: traefik - namespace: {{ traefik_namespace }} diff --git a/templates/traefik-dashboard-insecure.yml.j2 b/templates/traefik-dashboard-insecure.yml.j2 deleted file mode 100644 index 4ed4b56..0000000 
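Review bot: With `namespace: {{ traefik_namespace }}` dropped from the ConfigMap metadata in templates/traefik-cm.yml.j2, the manifest no longer states where it belongs, so the object lands in whatever namespace the applying task or the kube context defaults to. The same removal is made further down in traefik-files.yml.j2, traefik-ingressroute.yml.j2, traefik-middleware-ipwhitelist.yml.j2, traefik-sa.yml.j2 and traefik-svc.yml.j2. For the ServiceAccount and the IP allow-list middleware, a wrong namespace can mean the RBAC subject or the access restriction is never matched, and nothing fails loudly. The task that renders these templates is not part of these hunks, so please confirm it passes `namespace: "{{ traefik_namespace }}"` explicitly, and that every volume that mounted the old `traefik` ConfigMap now references `traefik-conf`.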
--- a/templates/traefik-dashboard-insecure.yml.j2 +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard-insecure - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - entryPoints: - - http - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - middlewares: -{% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist -{% endif %} - - name: https-only - services: - - name: api@internal - kind: TraefikService -# - name: traefik-dashboard -# port: 8080 -# # (default 1) A weight used by the weighted round-robin strategy (WRR). -# weight: 1 -# # (default true) PassHostHeader controls whether to leave the request's Host -# # Header as it was before it reached the proxy, or whether to let the proxy set it -# # to the destination (backend) host. -# passHostHeader: true -# responseForwarding: -# # (default 100ms) Interval between flushes of the buffered response body to the client. -# flushInterval: 100ms diff --git a/templates/traefik-dashboard-svc.yml.j2 b/templates/traefik-dashboard-svc.yml.j2 deleted file mode 100644 index f6973c0..0000000 --- a/templates/traefik-dashboard-svc.yml.j2 +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: traefik - name: traefik-dashboard - namespace: {{ traefik_namespace }} - -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 -# - name: traefik -# port: 8080 -# protocol: TCP - - protocol: TCP - port: 443 - name: https - targetPort: 443 - type: ClusterIP - selector: - app: traefik diff --git a/templates/traefik-dp.yml.j2 b/templates/traefik-dp.yml.j2 deleted file mode 100644 index b7f3a54..0000000 --- a/templates/traefik-dp.yml.j2 +++ /dev/null 
@@ -1,93 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - namespace: {{ traefik_namespace }} - name: traefik - labels: - app: traefik - -spec: -# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} - strategy: - type: Recreate - selector: - matchLabels: - app: traefik - template: - metadata: - labels: - app: traefik - spec: - serviceAccountName: traefik-ingress-controller -# securityContext: -# sysctls: -# - name: kernel.net.ipv4.ip_unprivileged_port_start -# value: "80" - containers: - - name: traefik - image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }} - args: - - --configfile=/config/traefik.yaml -# imagePullPolicy: IfNotPresent - ports: -{% for traefik_entrypoint in traefik_entrypoints %} - - name: {{ traefik_entrypoint.name }} - containerPort: {{ traefik_entrypoint.port }} - protocol: {{ traefik_entrypoint.proto }} -{% if traefik_entrypoint.hostport is defined %} - hostPort: {{ traefik_entrypoint.hostport }} -{% endif %} -{% endfor %} - readinessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 1 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - livenessProbe: - httpGet: - path: /ping - port: traefik - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: true - resources: - limits: - cpu: {{ traefik_cpu_limit }} - memory: {{ traefik_memory_limit }} - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /config - name: config -{% if traefik_node_selector is defined %} - nodeSelector: - reslinger.net/entrypoint: traefik -{% endif %} - dnsPolicy: ClusterFirst - hostNetwork: false - restartPolicy: Always - terminationGracePeriodSeconds: 1 - tolerations: - - effect: NoSchedule - 
operator: Exists - volumes: - - configMap: - defaultMode: 420 - name: traefik - name: config diff --git a/templates/traefik-file-provider.yml.j2 b/templates/traefik-files.yml.j2 similarity index 97% rename from templates/traefik-file-provider.yml.j2 rename to templates/traefik-files.yml.j2 index c91b56b..4a0c27e 100644 --- a/templates/traefik-file-provider.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -2,8 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: traefik-file-provider - namespace: traefik + name: traefik-files data: traefik-middlewares.yaml: | http: diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index b7f199a..587857f 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik - namespace: {{ traefik_namespace }} labels: app: traefik diff --git a/templates/traefik-middleware-basicauth.yml.j2 b/templates/traefik-middleware-basicauth.yml.j2 deleted file mode 100644 index 797fe1f..0000000 --- a/templates/traefik-middleware-basicauth.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: basic-auth - namespace: {{ traefik_namespace }} -spec: - basicAuth: - secret: basic-auth \ No newline at end of file diff --git a/templates/traefik-middleware-headers.yml.j2 b/templates/traefik-middleware-headers.yml.j2 deleted file mode 100644 index 50172d4..0000000 --- a/templates/traefik-middleware-headers.yml.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: security-headers - namespace: {{ traefik_namespace }} -spec: - headers: - browserXssFilter: "true" - contentTypeNosniff: "true" - forceSTSHeader: "true" - frameDeny: "true" - stsIncludeSubdomains: "true" - stsPreload: "true" - stsSeconds: "15768000" - sslRedirect: "true" - contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" - customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy: "same-origin" - featurePolicy: "vibrate 'self'" - - # CORS - accessControlAllowMethods: - - "GET" - - "OPTIONS" - - "PUT" - accessControlAllowOrigin: "origin-list-or-null" - #accessControlAllowOriginList: - # - "https://foo.bar.org" - # - "https://example.org" - accessControlMaxAge: 100 - addVaryHeader: "true" \ No newline at end of file diff --git a/templates/traefik-middleware-httpsredirect.yml.j2 b/templates/traefik-middleware-httpsredirect.yml.j2 deleted file mode 100644 index d5f4cb3..0000000 --- a/templates/traefik-middleware-httpsredirect.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: https-only - namespace: {{ traefik_namespace }} -spec: - redirectScheme: - scheme: https \ No newline at end of file diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2 index 0722f45..2e987a9 100644 --- a/templates/traefik-middleware-ipwhitelist.yml.j2 +++ b/templates/traefik-middleware-ipwhitelist.yml.j2 @@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: traefik-ipwhitelist - namespace: {{ traefik_namespace }} spec: ipWhiteList: sourceRange: diff --git a/templates/traefik-ping.yml.j2 b/templates/traefik-ping.yml.j2 deleted file mode 100644 index 86666f8..0000000 --- a/templates/traefik-ping.yml.j2 +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ping - namespace: {{ traefik_namespace }} - labels: - app: traefik - -spec: - entryPoints: - - https - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 14 - services: - - name: ping@internal - kind: TraefikService -# - name: traefik-dashboard -# port: 8080 -# # (default 1) A weight used by the weighted round-robin strategy (WRR). -# weight: 1 -# # (default true) PassHostHeader controls whether to leave the request's Host -# # Header as it was before it reached the proxy, or whether to let the proxy set it -# # to the destination (backend) host. -# passHostHeader: true -# responseForwarding: -# # (default 100ms) Interval between flushes of the buffered response body to the client. -# flushInterval: 100ms - tls: - secretName: wildcard-cluster - options: - name: default - namespace: {{ traefik_namespace }} \ No newline at end of file diff --git a/templates/traefik-psp.yml.j2 b/templates/traefik-psp.yml.j2 deleted file mode 100644 index ac10d3d..0000000 --- a/templates/traefik-psp.yml.j2 +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default - name: traefik-ingress-controller -spec: - requiredDropCapabilities: - - ALL - allowedCapabilities: - - NET_BIND_SERVICE - privileged: false - allowPrivilegeEscalation: false - # Allow core volume types. - volumes: - - configMap - - downwardAPI - - secret - - emptyDir - - projected - # - persistentVolumeClaim - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: 'MustRunAsNonRoot' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - hostPorts: - readOnlyRootFilesystem: true - seLinux: - rule: 'RunAsAny' - hostPorts: - - max: 65535 - min: 1 - #allowedUnsafeSysctls: - # - kernel.net.ipv4.ip_unprivileged_port_start \ No newline at end of file diff --git a/templates/traefik-sa.yml.j2 b/templates/traefik-sa.yml.j2 index 07c38a6..8a31290 100644 --- a/templates/traefik-sa.yml.j2 +++ b/templates/traefik-sa.yml.j2 @@ -1,5 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - namespace: {{ traefik_namespace }} name: traefik-ingress-controller diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index 71d2044..dc82b82 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 @@ -5,7 +5,6 @@ metadata: app.kubernetes.io/instance: traefik app.kubernetes.io/name: traefik name: traefik - namespace: {{ traefik_namespace }} spec: ports: diff --git a/templates/traefik-tls-options.yml.j2 b/templates/traefik-tls-options.yml.j2 deleted file mode 100644 index 6f64045..0000000 --- a/templates/traefik-tls-options.yml.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: default - namespace: {{ traefik_namespace }} - -spec: - sniStrict: true - minVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - curvePreferences: - - CurveP521 - - CurveP384 \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index ffe6edb..3720128 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,33 +1,3 @@ -traefik_version_2_0: 2.0.7 -traefik_2_0_list: - - 2.0/traefik-clusterrole.yml.j2 - - 2.0/traefik-clusterrolebinding.yml.j2 - - 2.0/traefik-crd-ingressroute.yml.j2 - - 2.0/traefik-crd-ingressroutetcp.yml.j2 - - 2.0/traefik-crd-middleware.yml.j2 - - 2.0/traefik-crd-tlsoption.yml.j2 - -traefik_version_2_1: 2.1.9 -traefik_2_1_list: - - 2.1/traefik-clusterrole.yml.j2 - - 2.1/traefik-clusterrolebinding.yml.j2 - - 2.1/traefik-crd-ingressroute.yml.j2 - - 2.1/traefik-crd-ingressroutetcp.yml.j2 - - 2.1/traefik-crd-middleware.yml.j2 - - 2.1/traefik-crd-tlsoption.yml.j2 - - 2.1/traefik-crd-traefikservice.yml.j2 - -traefik_version_2_2: 2.2.11 -traefik_2_2_list: - - 2.2/traefik-crd-ingressroutes.yml.j2 - - 2.2/traefik-crd-ingressroutetcps.yml.j2 - - 2.2/traefik-crd-ingressrouteudps.yml.j2 - - 2.2/traefik-crd-middlewares.yml.j2 - - 2.2/traefik-crd-tlsoptions.yml.j2 - - 2.2/traefik-crd-tlsstores.yml.j2 - - 2.2/traefik-crd-traefikservices.yml.j2 - - 2.2/traefik-clusterrole.yml.j2 - - 2.2/traefik-clusterrolebinding.yml.j2 traefik_version_2_3: 2.3.7 traefik_2_3_list: From 25e17131ec6fcc604a97c3b27d1e86aadfc213c1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 23 Jan 2021 01:49:17 +0100 Subject: [PATCH 05/88] fix context --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 9844fba..886a94c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -80,9 +80,10 @@ tags: traefik - name: Deploy latest version of Traefik community.kubernetes.helm: + context: {{ my_context }} name: traefik chart_ref: traefik/traefik - release_namespace: traefik + release_namespace: {{ traefik_namespace }} values: image: tag: "{{ traefik_version_2_3 }}" From f67680e0a05d1769c54d80fdc5deb213c7256d94 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 23 Jan 2021 17:35:21 +0100 Subject: [PATCH 06/88] Fix lint --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 886a94c..ab52887 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -80,7 +80,7 @@ tags: traefik - name: Deploy latest version of Traefik community.kubernetes.helm: - context: {{ my_context }} + context: "{{ my_context }}" name: traefik chart_ref: traefik/traefik release_namespace: {{ traefik_namespace }} From 23413944f56f00335406446da990122f29712f5d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 23 Jan 2021 17:36:30 +0100 Subject: [PATCH 07/88] Fix another lint --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index ab52887..53a38c9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -83,7 +83,7 @@ context: "{{ my_context }}" name: traefik chart_ref: traefik/traefik - release_namespace: {{ traefik_namespace }} + release_namespace: "{{ traefik_namespace }}" values: image: tag: "{{ traefik_version_2_3 }}" From 0f90bb8c99edc4cadfa7cce1024d4b42a6233b76 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 30 Jan 2021 11:05:59 +0100 Subject: [PATCH 08/88] Simplify traefik version management --- defaults/main.yml | 2 +- tasks/main.yml | 2 +- vars/main.yml | 13 +------------ 3 files changed, 3 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4636822..18f8534 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.3" +traefik_version: "2.4.0" traefik_domain: "local" traefik_namespace: "traefik" #ingress_whitelist: diff --git a/tasks/main.yml b/tasks/main.yml index 53a38c9..60c4ef3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -86,7 +86,7 @@ release_namespace: "{{ traefik_namespace }}" values: image: - tag: "{{ traefik_version_2_3 }}" + tag: "{{ traefik_version }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml podSecurityPolicy: diff --git a/vars/main.yml b/vars/main.yml index 3720128..ed97d53 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,12 +1 @@ - -traefik_version_2_3: 2.3.7 -traefik_2_3_list: - - 2.3/traefik-crd-ingressroutes.yml.j2 - - 2.3/traefik-crd-ingressroutetcps.yml.j2 - - 2.3/traefik-crd-ingressrouteudps.yml.j2 - - 2.3/traefik-crd-middlewares.yml.j2 - - 2.3/traefik-crd-tlsoptions.yml.j2 - - 2.3/traefik-crd-tlsstores.yml.j2 - - 2.3/traefik-crd-traefikservices.yml.j2 - - 2.3/traefik-clusterrole.yml.j2 - - 2.3/traefik-clusterrolebinding.yml.j2 +--- From 6e8729077404219ad6142b0d511a632465cbb7db Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 1 Feb 2021 23:32:03 +0100 Subject: [PATCH 09/88] Update traefik version to 2.4.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18f8534..c56661e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.4.0" +traefik_version: "2.4.1" traefik_domain: "local" traefik_namespace: "traefik" #ingress_whitelist: From 50d1adfe4e749554b8c362cdd062b106cde3addb Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 25 Dec 2021 01:53:07 +0100 Subject: [PATCH 10/88] Update meta --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index c8bee80..65154b8 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -6,7 +6,7 @@ galaxy_info: galaxy_tags: [] license: GPL2 collections: - - community.kubernetes + - kubernetes.core platforms: - name: kubernetes version: From 771371672f1f9f512d592a74336a680739aa1e89 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 25 Dec 2021 01:54:48 +0100 Subject: [PATCH 11/88] Update files provider --- templates/traefik-files.yml.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 4a0c27e..aacb804 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -70,3 +70,16 @@ data: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +{% if false %} + stores: + default: + defaultCertificate: + certFile: path/to/wildcardcert.crt + keyFile: path/to/wildcardcert.key + + certificates: + - certFile: /path/to/domain.cert + keyFile: /path/to/domain.key + - certFile: /path/to/other-domain.cert + keyFile: /path/to/other-domain.key +{% endif %} From 917c6bdc268cedfaf56aa15b018fd3683ec9a92e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 25 Dec 2021 01:55:08 +0100 Subject: [PATCH 12/88] Update port name --- templates/traefik-ingressroute.yml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 587857f..dded99b 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -7,7 +7,7 @@ metadata: spec: entryPoints: - - https + - websecure routes: # Match is the rule corresponding to an underlying router. # Later on, match could be the simple form of a path prefix, e.g. just "/bar", @@ -45,4 +45,6 @@ spec: tls: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} +{% else %} + secretName: traefik.{{ traefik_domain }} {% endif %} 
From 288a4454da5dfab90864436bdf7de05442348b7a Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 25 Dec 2021 01:55:56 +0100 Subject: [PATCH 13/88] Add defaults middleware in comments for future use --- templates/traefik-cm.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index a29ddaa..9d831ce 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -15,6 +15,9 @@ data: web: address: ":8000/tcp" http: +# middlewares: +# - auth@file +# - secure_headers@file redirections: entryPoint: to: websecure From 073568296901914e621344fb046d2e8e897e7bc1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 25 Dec 2021 01:56:25 +0100 Subject: [PATCH 14/88] Deploy without hostport --- defaults/main.yml | 12 +++++++----- tasks/main.yml | 29 ++++++++++++++++++---------- templates/traefik-certificate.yml.j2 | 12 ++++++++++++ templates/traefik-svc.yml.j2 | 8 ++++++-- 4 files changed, 44 insertions(+), 17 deletions(-) create mode 100644 templates/traefik-certificate.yml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index c56661e..4cd513a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.4.1" +traefik_version: "2.5.6" traefik_domain: "local" traefik_namespace: "traefik" #ingress_whitelist: 
@@ -10,10 +10,12 @@ traefik_namespace: "traefik" # - localhost traefik_cpu_limit: 500m traefik_memory_limit: 300Mi -traefik_entrypoints: - - { name: "http", port: 8000, proto: "TCP", hostport: 80 } - - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } - - { name: "traefik", port: 8080, proto: "TCP" } +traefik_entrypoints: [] +# - { name: "http", port: 8000, proto: "TCP", hostport: 80 } +# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } +# - { name: "traefik", port: 8080, proto: "TCP" } +#traefik_external_ips: [] +# - 1.2.3.4 basic_auth: false #traefik_dashboard_certificate: wildcard-cluster \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 60c4ef3..c997bc5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,7 +9,7 @@ api_version: v1 kind: Namespace metadata: - name: traefik + name: '{{ traefik_namespace }}' labels: namespace: '{{ traefik_namespace }}' @@ -17,12 +17,12 @@ k8s: state: present context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' definition: apiVersion: v1 kind: Secret metadata: name: basic-auth - namespace: '{{ traefik_namespace }}' type: Opaque data: basic_auth: "{{ basic_auth_data | b64encode }}" @@ -74,12 +74,12 @@ # - traefik_actual_version.stdout is version(traefik_version, '>') - name: Defined traefik repository - community.kubernetes.helm_repository: + kubernetes.core.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" tags: traefik - name: Deploy latest version of Traefik - community.kubernetes.helm: + kubernetes.core.helm: context: "{{ my_context }}" name: traefik chart_ref: traefik/traefik @@ -99,12 +99,15 @@ ingressClass: enabled: true isDefaultClass: true - ports: - web: - redirectTo: websecure - hostPort: 80 - websecure: - hostPort: 443 +# ports: +# web: +# redirectTo: websecure +# hostPort: 80 +# websecure: +# hostPort: 443 +# tls: +# enabled: true +# options: default volumes: - mountPath: /etc/traefik name: traefik-conf 
@@ -115,6 +118,11 @@ - mountPath: /etc/traefik/basic-auth name: basic-auth type: secret + deployment: + replicas: 1 + podAnnotations: + prometheus.io/port: '9000' + prometheus.io/scrape: 'true' - name: Install traefik configuration k8s: @@ -126,6 +134,7 @@ resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-certificate.yml.j2 - traefik-cm.yml.j2 - traefik-files.yml.j2 # - traefik-sa.yml.j2 diff --git a/templates/traefik-certificate.yml.j2 b/templates/traefik-certificate.yml.j2 new file mode 100644 index 0000000..3042d55 --- /dev/null +++ b/templates/traefik-certificate.yml.j2 @@ -0,0 +1,12 @@ +--- +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: traefik.{{ traefik_domain }} +spec: + dnsNames: + - traefik.{{ traefik_domain }} + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + secretName: traefik.{{ traefik_domain }} diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index dc82b82..1397dd8 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 @@ -9,15 +9,19 @@ metadata: spec: ports: - name: web - hostPort: 80 port: 80 protocol: TCP targetPort: web - name: websecure - hostPort: 443 port: 443 protocol: TCP targetPort: websecure +{% if traefik_external_ips is defined %} + externalIPs: +{% for traefik_external_ip in traefik_external_ips %} + - {{ traefik_external_ip }} +{% endfor %} +{% endif %} selector: app.kubernetes.io/instance: traefik app.kubernetes.io/name: traefik From ee4e749cd36b6e3a2f73fc41844f5b68cf9a1ba1 Mon Sep 17 00:00:00 2001 
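Review bot: `issuerRef.name: letsencrypt-prod` is hard-coded in the new `traefik-certificate.yml.j2`, while `defaults/main.yml` in this series sets `traefik_domain: "local"`. Judging by its name, that issuer is a public ACME one, which could not validate `traefik.local`, so with the defaults the Certificate would presumably never become ready and the dashboard route's `secretName: traefik.{{ traefik_domain }}` would point at a secret that is never created. Making the issuer a role variable (say `traefik_cluster_issuer`, defaulting to `letsencrypt-prod`) would let private clusters use an internal issuer. The template also sets no `metadata.namespace`; whether the `k8s` task supplies one is not visible in this hunk.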
From: Adrien Reslinger Date: Mon, 31 Jan 2022 21:15:56 +0100 Subject: [PATCH 15/88] Update traefik deployment --- tasks/main.yml | 4 ++-- templates/traefik-files.yml.j2 | 8 ++++---- templates/traefik-middleware-ipwhitelist.yml.j2 | 12 ------------ todo.sh | 12 ++++++++++++ 4 files changed, 18 insertions(+), 18 deletions(-) delete mode 100644 templates/traefik-middleware-ipwhitelist.yml.j2 create mode 100644 todo.sh diff --git a/tasks/main.yml b/tasks/main.yml index c997bc5..2f4a0bc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -89,8 +89,8 @@ tag: "{{ traefik_version }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml - podSecurityPolicy: - enabled: true +# podSecurityPolicy: +# enabled: true service: enabled: false ingressRoute: diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index aacb804..261a26e 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -16,10 +16,10 @@ data: burst: 50 security_headers: headers: - accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] - accessControlAllowOrigin: "origin-list-or-null" - accessControlMaxAge: 100 - addVaryHeader: true + # accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] + # accessControlAllowOrigin: "origin-list-or-null" + # accessControlMaxAge: 100 + # addVaryHeader: true browserXssFilter: true contentTypeNosniff: true forceSTSHeader: true diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2 deleted file mode 100644 index 2e987a9..0000000 --- a/templates/traefik-middleware-ipwhitelist.yml.j2 +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: traefik-ipwhitelist -spec: - ipWhiteList: - sourceRange: -{% if ingress_whitelist is defined %} -{% for acl_whitelist in ingress_whitelist %} - - {{ acl_whitelist }} -{% endfor %} -{% endif %} \ No newline at end of file 
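Review bot: With `podSecurityPolicy.enabled: true` commented out in `tasks/main.yml`, the Helm values visible in this series no longer set any pod-security control, and nothing in the hunk replaces it. PodSecurityPolicy is deprecated upstream, so dropping it is reasonable, but the release then runs with whatever the chart defaults and the namespace allow. Consider enforcing Pod Security admission on the namespace this role creates by adding `pod-security.kubernetes.io/enforce: baseline` to its `labels:`. The namespace task is outside this hunk.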
diff --git a/todo.sh b/todo.sh new file mode 100644 index 0000000..3cab209 --- /dev/null +++ b/todo.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +cat << 'EOF' | kubectl --context my_context apply -f - +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: traefik +spec: + controller: traefik.io/ingress-controller +EOF + From b3df6499f373f6d6bc304e896e8026168dfa5209 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 25 Feb 2022 00:38:10 +0100 Subject: [PATCH 16/88] Update API --- templates/traefik-certificate.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/traefik-certificate.yml.j2 b/templates/traefik-certificate.yml.j2 index 3042d55..5fa7feb 100644 --- a/templates/traefik-certificate.yml.j2 +++ b/templates/traefik-certificate.yml.j2 @@ -1,5 +1,5 @@ --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: traefik.{{ traefik_domain }} From a722a1d783cdebac6c79d86936e0bcebf601ddc1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 25 Feb 2022 00:38:43 +0100 Subject: [PATCH 17/88] Use helm template values file --- tasks/main.yml | 42 +------------------ templates/traefik-helm-value.yaml.j2 | 62 ++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 40 deletions(-) create mode 100644 templates/traefik-helm-value.yaml.j2 diff --git a/tasks/main.yml b/tasks/main.yml index 2f4a0bc..def16fe 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
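Review bot: `kubectl --context my_context` in `todo.sh` passes the literal string `my_context`, which is the name of the role variable in `defaults/main.yml` rather than a kubeconfig context, so the script does not target the cluster the role is configured for. Taking the context from the caller keeps the target explicit: `kubectl --context "${1:?usage: todo.sh CONTEXT}" apply -f -`. A `set -euo pipefail` line after the shebang would also be worth adding.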
@@ -84,45 +84,7 @@ name: traefik chart_ref: traefik/traefik release_namespace: "{{ traefik_namespace }}" - values: - image: - tag: "{{ traefik_version }}" - additionalArguments: - - --configFile=/etc/traefik/traefik.yaml -# podSecurityPolicy: -# enabled: true - service: - enabled: false - ingressRoute: - dashboard: - enabled: false - ingressClass: - enabled: true - isDefaultClass: true -# ports: -# web: -# redirectTo: websecure -# hostPort: 80 -# websecure: -# hostPort: 443 -# tls: -# enabled: true -# options: default - volumes: - - mountPath: /etc/traefik - name: traefik-conf - type: configMap - - mountPath: /etc/traefik/file - name: traefik-files - type: configMap - - mountPath: /etc/traefik/basic-auth - name: basic-auth - type: secret - deployment: - replicas: 1 - podAnnotations: - prometheus.io/port: '9000' - prometheus.io/scrape: 'true' + values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - name: Install traefik configuration k8s: @@ -139,6 +101,6 @@ - traefik-files.yml.j2 # - traefik-sa.yml.j2 - traefik-ingressroute.yml.j2 - - traefik-svc.yml.j2 +# - traefik-svc.yml.j2 tags: traefik diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 new file mode 100644 index 0000000..f430e44 --- /dev/null +++ b/templates/traefik-helm-value.yaml.j2 
@@ -0,0 +1,62 @@ +image: + tag: "{{ traefik_version }}" +additionalArguments: + - --configFile=/etc/traefik/traefik.yaml +#podSecurityPolicy: +# enabled: true +service: +{% if traefik_external_ips is defined %} + type: ClusterIP + externalIPs: +{% for external_ip in traefik_external_ips %} + - {{ external_ip }} +{% endfor %} +{% elseif %} + type: LoadBalancer +{% endif %} +ingressRoute: + dashboard: + enabled: false +podDisruptionBudget: + enabled: true + minAvailable: 1 +ingressClass: + enabled: true + isDefaultClass: true +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 60 + - type: Resource + resource: + name: memory + targetAverageUtilization: 60 +#ports: +# web: +# redirectTo: websecure +# hostPort: 80 +# websecure: +# hostPort: 443 +# tls: +# enabled: true +# options: default +volumes: + - mountPath: /etc/traefik + name: traefik-conf + type: configMap + - mountPath: /etc/traefik/file + name: traefik-files + type: configMap + - mountPath: /etc/traefik/basic-auth + name: basic-auth + type: secret +deployment: + replicas: 1 + podAnnotations: + prometheus.io/port: '9000' + prometheus.io/scrape: 'true' \ No newline at end of file From a5a52b15c85847cd516e3cebd41e565ae4f449c5 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 25 Feb 2022 00:39:05 +0100 Subject: [PATCH 18/88] Fix template --- templates/traefik-cm.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 9d831ce..a4d50ad 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -15,9 +15,9 @@ data: web: address: ":8000/tcp" http: -# middlewares: -# - auth@file -# - secure_headers@file + # middlewares: + # - auth@file + # - secure_headers@file redirections: entryPoint: to: websecure From c0bfc09c8cd820362cec2c0608111c0396d7f7b9 Mon Sep 17 00:00:00 2001 
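Review bot: `podDisruptionBudget.minAvailable: 1` is combined with `deployment.replicas: 1` and `autoscaling.minReplicas: 1` in the new `traefik-helm-value.yaml.j2`, so whenever a single pod is running the budget allows no voluntary disruption and a node drain will block on the ingress pod. Either raise the floor with `minReplicas: 2` or express the budget as `maxUnavailable: 1`. A short comment above `autoscaling:` saying that `deployment.replicas` is only the starting count once the autoscaler is enabled would also help the next reader.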
From: Adrien Reslinger Date: Sat, 26 Feb 2022 00:46:31 +0100 Subject: [PATCH 19/88] Update role --- defaults/main.yml | 5 +++-- templates/traefik-certificate.yml.j2 | 6 +++--- templates/traefik-files.yml.j2 | 2 ++ templates/traefik-helm-value.yaml.j2 | 8 +++----- templates/traefik-ingressroute.yml.j2 | 20 ++++++++++---------- 5 files changed, 21 insertions(+), 20 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4cd513a..e6b9cfd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,8 @@ my_context: kubernetes -traefik_version: "2.5.6" -traefik_domain: "local" +traefik_version: "2.6.1" +cluster_domain: "local" traefik_namespace: "traefik" +traefik_service_type: LoadBalancer #ingress_whitelist: # - 10.96.0.0/12 # - 10.244.0.0/16 diff --git a/templates/traefik-certificate.yml.j2 b/templates/traefik-certificate.yml.j2 index 5fa7feb..799ef52 100644 --- a/templates/traefik-certificate.yml.j2 +++ b/templates/traefik-certificate.yml.j2 @@ -2,11 +2,11 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: traefik.{{ traefik_domain }} + name: traefik.{{ cluster_domain }} spec: dnsNames: - - traefik.{{ traefik_domain }} + - traefik.{{ cluster_domain }} issuerRef: name: letsencrypt-prod kind: ClusterIssuer - secretName: traefik.{{ traefik_domain }} + secretName: traefik.{{ cluster_domain }} diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 261a26e..b5ab8e9 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -51,11 +51,13 @@ data: # users: # - {{ basic_auth_data }} {% endif %} +{% if false %} authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"] +{% endif %} traefik-tls-defaults-options.yaml: | tls: diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index f430e44..61f273a 100644 
--- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -1,18 +1,16 @@ -image: - tag: "{{ traefik_version }}" +#image: +# tag: "{{ traefik_version }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml #podSecurityPolicy: # enabled: true service: + type: {{ traefik_service_type }} {% if traefik_external_ips is defined %} - type: ClusterIP externalIPs: {% for external_ip in traefik_external_ips %} - {{ external_ip }} {% endfor %} -{% elseif %} - type: LoadBalancer {% endif %} ingressRoute: dashboard: diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index dded99b..e35e618 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -12,7 +12,7 @@ spec: # Match is the rule corresponding to an underlying router. # Later on, match could be the simple form of a path prefix, e.g. just "/bar", # but for now we only support a traefik style matching rule. - - match: Host(`traefik.{{ traefik_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) + - match: Host(`traefik.{{ cluster_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", # "Parameter", etc, to support simpler forms of rule matching, but for now we # only support "Rule". 
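Review bot: With `image.tag` commented out in `traefik-helm-value.yaml.j2`, the Traefik image falls back to the chart default, and the Helm task shown earlier in this series passes no `chart_version`, so neither the chart nor the image appears to be pinned. `traefik_version`, bumped to `"2.6.1"` in this same commit, then no longer controls the deployed version in any line visible here, and a re-run of the role may upgrade the ingress controller unannounced. Pin the chart on the `kubernetes.core.helm` task with `chart_version:` fed from a role variable, or restore `tag: "{{ traefik_version }}"`. The Helm task itself is outside this hunk.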
@@ -20,25 +20,25 @@ spec: {% if basic_auth is defined or ingress_whitelist is defined %} middlewares: {% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist + - name: traefik-ipwhitelist@file {% endif %} {% if basic_auth is defined %} - - name: basic-auth + - name: basic-auth@file {% endif %} {% endif %} services: - name: api@internal kind: TraefikService - - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`) + - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/ping`) kind: Rule services: - name: ping@internal kind: TraefikService - - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`) - kind: Rule - services: - - name: prometheus@internal - kind: TraefikService +# - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/metrics`) +# kind: Rule +# services: +# - name: prometheus@internal +# kind: TraefikService @@ -46,5 +46,5 @@ spec: {% if traefik_dashboard_certificate is defined %} secretName: {{ traefik_dashboard_certificate }} {% else %} - secretName: traefik.{{ traefik_domain }} + secretName: traefik.{{ cluster_domain }} {% endif %} From 34a9cc12e562f74df13f88af309088a35dd51cff Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 16 Mar 2022 18:11:29 +0100 Subject: [PATCH 20/88] Add comment --- templates/traefik-helm-value.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 61f273a..05fbdd9 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -1,3 +1,4 @@ +# https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml #image: # tag: "{{ traefik_version }}" additionalArguments: From 49f9f0be08ecce8507a0a71bea66589bc36f4d12 Mon Sep 17 00:00:00 2001 
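Review bot: The dashboard route attaches `basic-auth@file` under `{% if basic_auth is defined %}`, but `defaults/main.yml` sets `basic_auth: false`, so the test is always true and the route references the middleware even when basic auth is switched off. `traefik-files.yml.j2` keys on `basic_auth|bool` elsewhere in this series; using `{% if basic_auth | bool %}` here, and in the outer `{% if basic_auth is defined or ingress_whitelist is defined %}` line, keeps the two templates in step. It is also worth confirming that a `traefik-ipwhitelist` middleware exists in the file provider now that the reference carries `@file`, since its CRD template was deleted in PATCH 15; that definition is not visible here.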
From: Adrien Reslinger Date: Sat, 26 Mar 2022 00:04:05 +0100 Subject: [PATCH 21/88] Prepare default backend --- tasks/main.yml | 1 + templates/traefik-defaultbackend.yml.j2 | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 templates/traefik-defaultbackend.yml.j2 diff --git a/tasks/main.yml b/tasks/main.yml index def16fe..3fa5e21 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -102,5 +102,6 @@ # - traefik-sa.yml.j2 - traefik-ingressroute.yml.j2 # - traefik-svc.yml.j2 +# - traefik-defaultbackend.yml.j2 tags: traefik diff --git a/templates/traefik-defaultbackend.yml.j2 b/templates/traefik-defaultbackend.yml.j2 new file mode 100644 index 0000000..40ad31d --- /dev/null +++ b/templates/traefik-defaultbackend.yml.j2 @@ -0,0 +1,16 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cheese + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + traefik.ingress.kubernetes.io/router.priority: "1" + traefik.ingress.kubernetes.io/router.middlewares: security_headers@file,compress@file + +spec: + defaultBackend: + service: + name: stilton + port: + number: 80 From 5456ce68ef33277d8e1eeeb120cf4b4ee1722669 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 26 Mar 2022 00:04:37 +0100 Subject: [PATCH 22/88] Fix authelia middleware --- templates/traefik-files.yml.j2 | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index b5ab8e9..b03f2f6 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 
@@ -51,13 +51,24 @@ data: # users: # - {{ basic_auth_data }} {% endif %} -{% if false %} authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true - authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"] -{% endif %} + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + - "Remote-Name" + - "Remote-Email" + authelia-basic: + forwardAuth: + address: "http://authelia:9091/api/verify?auth=basic" + trustForwardHeader: true + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + - "Remote-Name" + - "Remote-Email" traefik-tls-defaults-options.yaml: | tls: From 1fccb6896ef0b05e2dbc9ee6b0eb98e02396dc13 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 2 Apr 2022 11:15:52 +0200 Subject: [PATCH 23/88] Add chain middleware exemple --- templates/traefik-files.yml.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index b03f2f6..71a4b5b 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -7,6 +7,19 @@ data: traefik-middlewares.yaml: | http: middlewares: + test_chain: + chain: + middlewares: + - rate-limit + - security_headers +{% if ingress_whitelist is defined %} + - traefik-ipwhitelist +{% endif %} + - compress +{% if basic_auth|bool %} + - basic-auth +{% endif %} + - authelia compress: compress: excludedContentTypes: ["text/event-stream"] From eb0b205efb893df474f70fa4de4190c66a89ff7a Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 4 May 2022 00:04:09 +0200 Subject: [PATCH 24/88] Update traefik conf --- templates/traefik-cm.yml.j2 | 24 ++++++++++++++++-------- templates/traefik-files.yml.j2 | 4 ++++ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index a4d50ad..240f225 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 
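Review bot: `trustForwardHeader: true` on the `authelia` and `authelia-basic` middlewares, which this hunk makes live by dropping the `{% if false %}` guard, lets client-supplied `X-Forwarded-*` headers reach the auth service unchanged. If Traefik is the first hop, a client controls those headers, so any decision the auth service bases on them can be influenced; use `trustForwardHeader: false` unless a trusted proxy sits in front. The `authelia` address also still carries the placeholder `rd=https://login.example.com/`, which should come from a role variable before the middleware is enabled by default. The `crowdsec-bouncer` middleware added in PATCH 24 sets the same `trustForwardHeader: true`.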
@@ -18,6 +18,7 @@ data: # middlewares: # - auth@file # - secure_headers@file + # - crowdsec-bouncer@file redirections: entryPoint: to: websecure @@ -27,6 +28,10 @@ data: http: tls: options: default + # middlewares: + # - auth@file + # - secure_headers@file + # - crowdsec-bouncer@file traefik: address: ":9000/tcp" {% for traefik_entrypoint in traefik_entrypoints %} @@ -56,11 +61,14 @@ data: log: level: WARN format: json - accessLog: - format: json - fields: - names: - BackendAddr: keep - BackendName: keep - BackendURL: keep - FrontendName: keep + accessLog: {} + #accessLog: + # filePath: "/var/log/traefik/access.log" + # bufferingSize: 50 + ## format: json + ## fields: + ## names: + ## BackendAddr: keep + ## BackendName: keep + ## BackendURL: keep + ## FrontendName: keep diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 71a4b5b..e6f4836 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -82,6 +82,10 @@ data: - "Remote-Groups" - "Remote-Name" - "Remote-Email" + crowdsec-bouncer: + forwardAuth: + address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth + trustForwardHeader: true traefik-tls-defaults-options.yaml: | tls: From 736ac64ff0c7c0c6d1a5ec9d2709599f244ed938 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 10 May 2022 00:35:31 +0200 Subject: [PATCH 25/88] Add test with nodeports --- templates/traefik-helm-value.yaml.j2 | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 05fbdd9..39e1c58 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 
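Review bot: The `address:` value added for `crowdsec-bouncer` in `traefik-files.yml.j2` opens a double quote and never closes it, so the embedded `traefik-middlewares.yaml` is not valid YAML after this commit. The ConfigMap still applies because the content sits in a `|` block scalar, so the error would only surface when Traefik's file provider reads the file, presumably leaving the middlewares defined there, `security_headers` and the auth ones included, unavailable. The line should read `address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth"`; PATCH 26 later rewrites it with the quote closed. Rendering the template and parsing each `data:` entry in CI would catch this class of mistake before it reaches a cluster.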
@@ -35,15 +35,19 @@ autoscaling: resource: name: memory targetAverageUtilization: 60 -#ports: -# web: +{% if traefik_service_type == "NodePort" and false %} +ports: + web: # redirectTo: websecure # hostPort: 80 -# websecure: + nodePort: 80 + websecure: # hostPort: 443 + nodePort: 443 # tls: # enabled: true # options: default +{% endif %} volumes: - mountPath: /etc/traefik name: traefik-conf From 6def4562ad6574be1f1595ced074539c9ec9d5e1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 5 Jun 2022 11:27:24 +0200 Subject: [PATCH 26/88] Update traefik deployment + add crowdsec bouncer --- defaults/main.yml | 11 +++++++---- tasks/main.yml | 25 +++++++++++++++++++++++++ templates/traefik-cm.yml.j2 | 11 ++++++++++- templates/traefik-files.yml.j2 | 9 ++++----- 4 files changed, 46 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e6b9cfd..02eb919 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.6.1" +traefik_version: "2.7.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer 
@@ -12,11 +12,14 @@ traefik_service_type: LoadBalancer traefik_cpu_limit: 500m traefik_memory_limit: 300Mi traefik_entrypoints: [] -# - { name: "http", port: 8000, proto: "TCP", hostport: 80 } -# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true } +# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } +# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } # - { name: "traefik", port: 8080, proto: "TCP" } #traefik_external_ips: [] # - 1.2.3.4 basic_auth: false -#traefik_dashboard_certificate: wildcard-cluster \ No newline at end of file +#traefik_dashboard_certificate: wildcard-cluster + +crowdsec_namespace: "crowdsec" +crowdsec_traefik_bouncer_chart_version: "0.1.0" diff --git a/tasks/main.yml b/tasks/main.yml index 3fa5e21..1d2a398 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -45,6 +45,31 @@ when: - traefik_node_selector is defined + - name: Deploy latest version of CrowdSec Traefik bouncer + kubernetes.core.helm: + context: "{{ my_context }}" + name: crowdsec-traefik-bouncer + release_namespace: "{{ traefik_namespace }}" + create_namespace: yes + chart_ref: crowdsec/crowdsec-traefik-bouncer + chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" + values: + bouncer: + crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" + crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" + replicaCount: 1 + podSecurityContext: + fsGroup: 2000 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + when: + - traefik_crowdsec_bouncer_apikey is defined + # - name: Get Deployment information object # k8s_info: # context: "{{ my_context }}" diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 240f225..7e4773b 100644 
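Review bot: `crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}"` places the bouncer key in the task's `values`, so it can show up in Ansible output at higher verbosity or in diff mode; add `no_log: true` to this task. The Traefik Hub task added in PATCH 29 passes `token: "{{ traefik_hub_token }}"` the same way and needs the same treatment. `chart_ref: crowdsec/crowdsec-traefik-bouncer` also assumes a `crowdsec` Helm repository is already configured, and no `helm_repository` task for it is visible in this hunk. `create_namespace: yes` would read better as `create_namespace: true`.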
--- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -19,6 +19,7 @@ data: # - auth@file # - secure_headers@file # - crowdsec-bouncer@file + # - {{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd redirections: entryPoint: to: websecure @@ -37,10 +38,18 @@ data: {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: address: :{{ traefik_entrypoint.port }} -{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %} +{% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %} http: +{% if traefik_entrypoint.middlewares is defined %} + middlewares: +{% for middleware in traefik_entrypoint.middlewares %} + - {{ middleware }} +{% endfor %} +{% endif %} +{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %} tls: {} {% endif %} +{% endif %} {% endfor %} providers: kubernetesCRD: diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index e6f4836..6f92802 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -7,14 +7,14 @@ data: traefik-middlewares.yaml: | http: middlewares: - test_chain: + min_security: chain: middlewares: - - rate-limit - security_headers {% if ingress_whitelist is defined %} - traefik-ipwhitelist {% endif %} + - rate-limit - compress {% if basic_auth|bool %} - basic-auth @@ -41,9 +41,8 @@ data: stsPreload: true customFrameOptionsValue: "SAMEORIGIN" referrerPolicy: "same-origin" - featurePolicy: "vibrate 'self'" + permissionsPolicy: "vibrate 'self'" stsSeconds: 315360000 - sslRedirect: true contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" # customResponseHeaders: # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," 
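Review bot: `permissionsPolicy: "vibrate 'self'"` in the `security_headers` middleware keeps the old Feature-Policy value syntax, whereas the Permissions-Policy header uses the form `feature=(allowlist)`, so browsers are likely to ignore the header as written. Rewrite the value in that form, for example `permissionsPolicy: "camera=(), microphone=(), geolocation=()"`, listing the features the sites behind this chain actually need restricted. The `security_headers` block continues outside the hunk.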
@@ -84,7 +83,7 @@ data: - "Remote-Email" crowdsec-bouncer: forwardAuth: - address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth + address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth" trustForwardHeader: true traefik-tls-defaults-options.yaml: | From ebc0f4bdfcad735a5504ba7db52dd7713ba14519 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 15 Jun 2022 19:56:54 +0200 Subject: [PATCH 27/88] Enable plugins --- templates/traefik-helm-value.yaml.j2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 39e1c58..6207b3f 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -62,4 +62,11 @@ deployment: replicas: 1 podAnnotations: prometheus.io/port: '9000' - prometheus.io/scrape: 'true' \ No newline at end of file + prometheus.io/scrape: 'true' +experimental: + http3: + enabled: true + plugins: + enabled: true + kubernetesGateway: + enabled: false From 7ced7add47b50990d7d66138960f252eb36b3c17 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 24 Jun 2022 02:24:02 +0200 Subject: [PATCH 28/88] Update traefik to version 2.7.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 02eb919..59ff3ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.7.0" +traefik_version: "2.7.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From e76a31ffeb2d122880e5dc1c39dd06a5beae9670 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 24 Jun 2022 02:25:41 +0200 Subject: [PATCH 29/88] Traefik-hub deployment --- tasks/main.yml | 18 +++++++++++++++++- templates/traefik-cm.yml.j2 | 24 +++++++++++++++++++++--- templates/traefik-helm-value.yaml.j2 | 18 ++++++++++++++++-- 3 files changed, 54 insertions(+), 6 deletions(-) 
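Review bot: The corrected `address` sits next to `trustForwardHeader: true`, which makes this forwardAuth middleware pass client-supplied `X-Forwarded-*` headers through to the bouncer. If the bouncer bases its decision on the forwarded client address, that is only sound when the entrypoints restrict which peers may set those headers (`forwardedHeaders.trustedIPs`), and the hunk does not show that configuration. Either confirm that restriction exists or set `trustForwardHeader: false`. The new address also carries no namespace or port, so it presumably resolves only from the namespace the bouncer release is installed in; a short comment saying so would help.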
diff --git a/tasks/main.yml b/tasks/main.yml index 1d2a398..7dbcfa9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -102,7 +102,6 @@ kubernetes.core.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" - tags: traefik - name: Deploy latest version of Traefik kubernetes.core.helm: context: "{{ my_context }}" @@ -129,4 +128,21 @@ # - traefik-svc.yml.j2 # - traefik-defaultbackend.yml.j2 + - name: Defined traefik-hub repository + kubernetes.core.helm_repository: + name: traefik-hub + repo_url: "https://helm.traefik.io/hub" + when: + - traefik_hub_token is defined + - name: Deploy latest version of Traefik-hub + kubernetes.core.helm: + context: "{{ my_context }}" + name: hub-agent + chart_ref: traefik-hub/hub-agent + release_namespace: "{{ traefik_namespace }}" + values: + token: "{{ traefik_hub_token }}" + when: + - traefik_hub_token is defined + tags: traefik diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 7e4773b..947afae 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -35,6 +35,14 @@ data: # - crowdsec-bouncer@file traefik: address: ":9000/tcp" + metrics: + address: ":9100/tcp" +{% if traefik_hub_token is defined %} + traefikhub-api: + address: ":9900" + traefikhub-tunl: + address: ":9901" +{% endif%} {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: address: :{{ traefik_entrypoint.port }} @@ -62,14 +70,18 @@ data: watch: true metrics: prometheus: - entryPoint: traefik + entryPoint: metrics + addRoutersLabels: true ping: entryPoint: traefik api: dashboard: true +{% if traefik_hub_token is defined %} + hub: {} +{% endif %} log: - level: WARN - format: json + level: ERROR + # format: json accessLog: {} #accessLog: # filePath: "/var/log/traefik/access.log" 
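Review bot: The `hub-agent` release is installed without `chart_version`, unlike the CrowdSec bouncer task in this file, so every run takes whatever the `traefik-hub` repository currently serves. Add a pinned variable, for example `chart_version: "{{ traefik_hub_chart_version }}"` with a default in `defaults/main.yml`, so upgrades are deliberate and reviewable. The Traefik release shown in the preceding hunk has the same gap.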
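Review bot: The last `traefik-cm.yml.j2` hunk lowers `log.level` from `WARN` to `ERROR` and comments out `format: json`, which removes warning-level events and the structured output that log pipelines and detections commonly rely on. If the goal was to cut noise, add a comment saying so; otherwise keep `level: WARN` and `format: json`. `accessLog: {}` in the context lines stays enabled, so request logging itself is unaffected.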
@@ -81,3 +93,9 @@ data: ## BackendName: keep ## BackendURL: keep ## FrontendName: keep + experimental: + # kubernetesGateway: true + http3: true +{% if traefik_hub_token is defined %} + hub: true +{% endif %} diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 6207b3f..050187b 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -1,6 +1,7 @@ # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml #image: # tag: "{{ traefik_version }}" +#fullnameOverride: "{{ my_context }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml #podSecurityPolicy: @@ -35,8 +36,9 @@ autoscaling: resource: name: memory targetAverageUtilization: 60 -{% if traefik_service_type == "NodePort" and false %} +{% if traefik_service_type == "NodePort" or traefik_hub_token is defined %} ports: +{% if traefik_service_type == "NodePort" and false %} web: # redirectTo: websecure # hostPort: 80 @@ -48,6 +50,14 @@ ports: # enabled: true # options: default {% endif %} +{% if traefik_hub_token is defined %} + traefikhub-tunl: + port: 9901 + expose: true + exposedPort: 9901 + protocol: "TCP" +{% endif %} +{% endif %} volumes: - mountPath: /etc/traefik name: traefik-conf @@ -61,7 +71,7 @@ volumes: deployment: replicas: 1 podAnnotations: - prometheus.io/port: '9000' + prometheus.io/port: '9100' prometheus.io/scrape: 'true' experimental: http3: @@ -70,3 +80,7 @@ experimental: enabled: true kubernetesGateway: enabled: false +{% if traefik_hub_token is defined %} + hub: + enabled: true +{% endif %} From ba1319aeefe4b5ca2e82b99231931ffed6d3f388 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Sat, 16 Jul 2022 23:31:42 +0200 Subject: [PATCH 30/88] Add ondemand plugin --- defaults/main.yml | 2 +- tasks/main.yml | 13 ++++ templates/traefik-cm.yml.j2 | 13 ++++ templates/traefik-ondemand-plugin.yml.j2 | 81 ++++++++++++++++++++++++ 4 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 templates/traefik-ondemand-plugin.yml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 59ff3ce..576f812 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.7.1" +traefik_version: "2.8.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer diff --git a/tasks/main.yml b/tasks/main.yml index 7dbcfa9..1b65f06 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -128,6 +128,19 @@ # - traefik-svc.yml.j2 # - traefik-defaultbackend.yml.j2 + - name: Install traefik plugin's + k8s: + state: "present" + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge + apply: yes + resource_definition: "{{ lookup('template', item) | from_yaml_all }}" + with_items: + - traefik-ondemand-plugin.yml.j2 + when: + - traefik_ondemand is defined + - name: Defined traefik-hub repository kubernetes.core.helm_repository: name: traefik-hub diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 947afae..f7ec403 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -24,6 +24,9 @@ data: entryPoint: to: websecure scheme: https + permanent: true + # http3: + # advertisedPort: 42 websecure: address: ":8443/tcp" http: @@ -33,6 +36,8 @@ data: # - auth@file # - secure_headers@file # - crowdsec-bouncer@file + # http3: + # advertisedPort: 42 traefik: address: ":9000/tcp" metrics: 
@@ -63,8 +68,10 @@ data: kubernetesCRD: # ingressClass: "traefik" throttleDuration: 2s + allowEmptyServices: true kubernetesIngress: ingressClass: "traefik" + allowEmptyServices: true file: directory: /etc/traefik/file/ watch: true @@ -99,3 +106,9 @@ data: {% if traefik_hub_token is defined %} hub: true {% endif %} +{% if traefik_ondemand is defined %} + plugins: + traefik-ondemand-plugin: + moduleName: github.com/acouvreur/traefik-ondemand-plugin + version: v1.2.0 +{% endif %} diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 new file mode 100644 index 0000000..d983519 --- /dev/null +++ b/templates/traefik-ondemand-plugin.yml.j2 
@@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: traefik-ondemand-service + labels: + app: traefik-ondemand-service +spec: + replicas: 1 + selector: + matchLabels: + app: traefik-ondemand-service + template: + metadata: + labels: + app: traefik-ondemand-service + spec: + serviceAccountName: traefik-ondemand-service + serviceAccount: traefik-ondemand-service + containers: + - name: traefik-ondemand-service + image: ghcr.io/acouvreur/traefik-ondemand-service:1 + args: ["--swarmMode=false", "--kubernetesMode=true"] + ports: + - containerPort: 10000 +--- +apiVersion: v1 +kind: Service +metadata: + name: traefik-ondemand-service +spec: + selector: + app: traefik-ondemand-service + ports: + - protocol: TCP + port: 10000 + targetPort: 10000 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: traefik-ondemand-service +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: traefik-ondemand-service + namespace: {{ traefik_namespace }} +rules: + - apiGroups: + - apps + resources: + - deployments + - deployments/scale + verbs: + - patch + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: traefik-ondemand-service +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ondemand-service +subjects: + - kind: ServiceAccount + name: traefik-ondemand-service + namespace: {{ traefik_namespace }} +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: ondemand +spec: + plugin: + traefik-ondemand-plugin: + name: traefik_ondemand_plugin + serviceUrl: 'http://traefik-ondemand-service.{{ traefik_namespace }}:10000' + timeout: 1m \ No newline at end of file From daaed8df51f5c9d8853e1e25b413aedc57fc4aab Mon Sep 17 00:00:00 2001 
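Review bot: The new manifest grants `get`, `patch` and `update` on `deployments` and `deployments/scale` through a `ClusterRole` and `ClusterRoleBinding`, so the `traefik-ondemand-service` account can modify every Deployment in the cluster; the `namespace:` under the ClusterRole's metadata has no effect because the kind is cluster-scoped. If the workloads to be scaled live in known namespaces, use `kind: Role` and `kind: RoleBinding` there (with `roleRef.kind: Role`), and note that `update`/`patch` on `deployments` allows changing the pod template, not just the replica count, so `deployments/scale` alone may be enough. The container also has no `securityContext` or `resources`, unlike the bouncer release in `tasks/main.yml`, and the image is referenced by the floating tag `:1`; pinning a full version or digest is safer. `serviceAccount:` is the deprecated alias of `serviceAccountName:` and can be dropped.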
From: Adrien Reslinger Date: Sat, 16 Jul 2022 23:33:49 +0200 Subject: [PATCH 31/88] Fix collections names --- tasks/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 1b65f06..927e442 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ - name: traefik setup block: - name: namespace - k8s: + kubernetes.core.k8s: state: present context: "{{ my_context }}" merge_type: merge @@ -14,7 +14,7 @@ namespace: '{{ traefik_namespace }}' - name: Create a Secret object for basic authentification - k8s: + kubernetes.core.k8s: state: present context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' @@ -30,7 +30,7 @@ - basic_auth|bool - name: Add host label for traefik deployment - k8s: + kubernetes.core.k8s: state: present context: "{{ my_context }}" definition: @@ -50,7 +50,7 @@ context: "{{ my_context }}" name: crowdsec-traefik-bouncer release_namespace: "{{ traefik_namespace }}" - create_namespace: yes + create_namespace: true chart_ref: crowdsec/crowdsec-traefik-bouncer chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" values: @@ -71,7 +71,7 @@ - traefik_crowdsec_bouncer_apikey is defined # - name: Get Deployment information object -# k8s_info: +# kubernetes.core.k8s_info: # context: "{{ my_context }}" # api_version: v1 # kind: DaemonSet @@ -86,7 +86,7 @@ # register: traefik_actual_version # # - name: Remove old traefik version {{ traefik_actual_version.stdout }} -# k8s: +# kubernetes.core.k8s: # state: "absent" # context: "{{ my_context }}" # resource_definition: "{{ lookup('template', item) | from_yaml }}" 
@@ -111,12 +111,12 @@ values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - name: Install traefik configuration - k8s: + kubernetes.core.k8s: state: "present" context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' # merge_type: merge - apply: yes + apply: true resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" @@ -129,12 +129,12 @@ # - traefik-defaultbackend.yml.j2 - name: Install traefik plugin's - k8s: + kubernetes.core.k8s: state: "present" context: "{{ my_context }}" namespace: '{{ traefik_namespace }}' # merge_type: merge - apply: yes + apply: true resource_definition: "{{ lookup('template', item) | from_yaml_all }}" with_items: - traefik-ondemand-plugin.yml.j2 From 44b97e681c32bd8951602d1a69c8d5198b52eafc Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 23 Jul 2022 01:03:23 +0200 Subject: [PATCH 32/88] Fix lint errors --- defaults/main.yml | 24 +-- meta/main.yml | 6 +- tasks/main.yml | 298 ++++++++++++++++----------------- templates/traefik-files.yml.j2 | 14 +- 4 files changed, 174 insertions(+), 168 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 576f812..f1807c9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -3,23 +3,23 @@ traefik_version: "2.8.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer -#ingress_whitelist: -# - 10.96.0.0/12 -# - 10.244.0.0/16 -# - 192.168.0.0/24 -#traefik_node_selector: -# - localhost +# ingress_whitelist: +# - 10.96.0.0/12 +# - 10.244.0.0/16 +# - 192.168.0.0/24 +# traefik_node_selector: +# - localhost traefik_cpu_limit: 500m traefik_memory_limit: 300Mi traefik_entrypoints: [] -# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } -# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } -# - { name: "traefik", port: 8080, proto: "TCP" } -#traefik_external_ips: [] -# - 1.2.3.4 +# - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } +# - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] } +# - { name: "traefik", port: 8080, proto: "TCP" } +# traefik_external_ips: [] +# - 1.2.3.4 basic_auth: false -#traefik_dashboard_certificate: wildcard-cluster +# traefik_dashboard_certificate: wildcard-cluster crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.0" diff --git a/meta/main.yml b/meta/main.yml index 65154b8..22bf70c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,6 +8,6 @@ galaxy_info: collections: - kubernetes.core platforms: - - name: kubernetes - version: - - all + - name: kubernetes + version: + - all diff --git a/tasks/main.yml b/tasks/main.yml index 927e442..1f5200d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,161 +1,161 @@ - name: traefik setup block: - - name: namespace - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - merge_type: merge - definition: - api_version: v1 - kind: Namespace - metadata: - name: '{{ traefik_namespace }}' - labels: - namespace: '{{ traefik_namespace }}' + - name: namespace + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + merge_type: merge + definition: + api_version: v1 + kind: Namespace + metadata: + name: '{{ traefik_namespace }}' + labels: + namespace: '{{ traefik_namespace }}' - - name: Create a Secret object for basic authentification - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' - definition: - apiVersion: v1 - kind: Secret - metadata: - name: basic-auth - type: Opaque - data: - basic_auth: "{{ basic_auth_data | b64encode }}" - when: - - basic_auth|bool + - name: Create a Secret object for basic authentification + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - basic_auth|bool - - name: Add host label for traefik deployment - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - definition: - apiVersion: v1 - kind: Node - metadata: - name: "{{ item }}" - labels: - entrypoint: traefik - with_items: - - '{{ traefik_node_selector }}' - when: - - traefik_node_selector is defined + - name: Add host label for traefik deployment + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Node + metadata: + name: "{{ item }}" + labels: + entrypoint: traefik + with_items: + - '{{ traefik_node_selector }}' + when: + - traefik_node_selector is defined - - name: Deploy latest version of CrowdSec Traefik bouncer - kubernetes.core.helm: - context: "{{ 
my_context }}" - name: crowdsec-traefik-bouncer - release_namespace: "{{ traefik_namespace }}" - create_namespace: true - chart_ref: crowdsec/crowdsec-traefik-bouncer - chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" - values: - bouncer: - crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" - crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" - replicaCount: 1 - podSecurityContext: - fsGroup: 2000 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - when: - - traefik_crowdsec_bouncer_apikey is defined + - name: Deploy latest version of CrowdSec Traefik bouncer + kubernetes.core.helm: + context: "{{ my_context }}" + name: crowdsec-traefik-bouncer + release_namespace: "{{ traefik_namespace }}" + create_namespace: true + chart_ref: crowdsec/crowdsec-traefik-bouncer + chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" + values: + bouncer: + crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" + crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" + replicaCount: 1 + podSecurityContext: + fsGroup: 2000 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + when: + - traefik_crowdsec_bouncer_apikey is defined -# - name: Get Deployment information object -# kubernetes.core.k8s_info: -# context: "{{ my_context }}" -# api_version: v1 -# kind: DaemonSet -# name: traefik -# namespace: '{{ traefik_namespace }}' -# field_selectors: -# - spec.template.spec.containers.image -# register: traefik_actual_resources -# -# - name: Retreive actual traefik version -# shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq -# register: traefik_actual_version -# -# - name: Remove old traefik version {{ traefik_actual_version.stdout }} -# kubernetes.core.k8s: -# state: "absent" -# 
context: "{{ my_context }}" -# resource_definition: "{{ lookup('template', item) | from_yaml }}" -# with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" -## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse -# when: -# - not traefik_actual_version.stdout == "[]" -# - not traefik_version == traefik_actual_version.stdout -# - traefik_actual_version.stdout is version(traefik_version, '>') +# - name: Get Deployment information object +# kubernetes.core.k8s_info: +# context: "{{ my_context }}" +# api_version: v1 +# kind: DaemonSet +# name: traefik +# namespace: '{{ traefik_namespace }}' +# field_selectors: +# - spec.template.spec.containers.image +# register: traefik_actual_resources +# +# - name: Retreive actual traefik version +# ansible.builtin.shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq +# register: traefik_actual_version +# +# - name: Remove old traefik version {{ traefik_actual_version.stdout }} +# kubernetes.core.k8s: +# state: "absent" +# context: "{{ my_context }}" +# resource_definition: "{{ lookup('template', item) | from_yaml }}" +# with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_actual_version.stdout | regex_replace('[.]','_') + '_list') | reverse | list }}" +## - hostvars[inventory_hostname]['traefik_' + traefik_actual_version.stdout + '_list'] | reverse +# when: +# - not traefik_actual_version.stdout == "[]" +# - not traefik_version == traefik_actual_version.stdout +# - traefik_actual_version.stdout is version(traefik_version, '>') - - name: Defined traefik repository - kubernetes.core.helm_repository: - name: traefik - repo_url: "https://helm.traefik.io/traefik" - - name: Deploy latest version of Traefik - kubernetes.core.helm: - context: "{{ my_context }}" - name: traefik - chart_ref: traefik/traefik - release_namespace: "{{ traefik_namespace }}" - values: 
"{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" + - name: Defined traefik repository + kubernetes.core.helm_repository: + name: traefik + repo_url: "https://helm.traefik.io/traefik" + - name: Deploy latest version of Traefik + kubernetes.core.helm: + context: "{{ my_context }}" + name: traefik + chart_ref: traefik/traefik + release_namespace: "{{ traefik_namespace }}" + values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - - name: Install traefik configuration - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: -# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - - traefik-certificate.yml.j2 - - traefik-cm.yml.j2 - - traefik-files.yml.j2 -# - traefik-sa.yml.j2 - - traefik-ingressroute.yml.j2 -# - traefik-svc.yml.j2 -# - traefik-defaultbackend.yml.j2 + - name: Install traefik configuration + kubernetes.core.k8s: + state: "present" + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge + apply: true + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: +# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" + - traefik-certificate.yml.j2 + - traefik-cm.yml.j2 + - traefik-files.yml.j2 +# - traefik-sa.yml.j2 + - traefik-ingressroute.yml.j2 +# - traefik-svc.yml.j2 +# - traefik-defaultbackend.yml.j2 - - name: Install traefik plugin's - kubernetes.core.k8s: - state: "present" - context: "{{ my_context }}" - namespace: '{{ traefik_namespace }}' -# merge_type: merge - apply: true - resource_definition: "{{ lookup('template', item) | from_yaml_all }}" - with_items: - - traefik-ondemand-plugin.yml.j2 - when: - - traefik_ondemand is defined + - name: Install traefik plugin's + kubernetes.core.k8s: + state: "present" 
+ context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge + apply: true + resource_definition: "{{ lookup('template', item) | from_yaml_all }}" + with_items: + - traefik-ondemand-plugin.yml.j2 + when: + - traefik_ondemand is defined - - name: Defined traefik-hub repository - kubernetes.core.helm_repository: - name: traefik-hub - repo_url: "https://helm.traefik.io/hub" - when: - - traefik_hub_token is defined - - name: Deploy latest version of Traefik-hub - kubernetes.core.helm: - context: "{{ my_context }}" - name: hub-agent - chart_ref: traefik-hub/hub-agent - release_namespace: "{{ traefik_namespace }}" - values: - token: "{{ traefik_hub_token }}" - when: - - traefik_hub_token is defined + - name: Defined traefik-hub repository + kubernetes.core.helm_repository: + name: traefik-hub + repo_url: "https://helm.traefik.io/hub" + when: + - traefik_hub_token is defined + - name: Deploy latest version of Traefik-hub + kubernetes.core.helm: + context: "{{ my_context }}" + name: hub-agent + chart_ref: traefik-hub/hub-agent + release_namespace: "{{ traefik_namespace }}" + values: + token: "{{ traefik_hub_token }}" + when: + - traefik_hub_token is defined tags: traefik diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 6f92802..40f342f 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -29,10 +29,10 @@ data: burst: 50 security_headers: headers: - # accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] + accessControlAllowMethods: ["GET", "OPTIONS", "PUT"] # accessControlAllowOrigin: "origin-list-or-null" - # accessControlMaxAge: 100 - # addVaryHeader: true + accessControlMaxAge: 100 + addVaryHeader: true browserXssFilter: true contentTypeNosniff: true forceSTSHeader: true 
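Review bot: In a commit titled "Fix lint errors", the `traefik-files.yml.j2` hunk un-comments `accessControlAllowMethods`, `accessControlMaxAge` and `addVaryHeader` in `security_headers`, which changes the headers the middleware sends rather than only the file's formatting. `PUT` is now advertised for every route using this middleware while `accessControlAllowOrigin` stays commented out, so the intended CORS policy is unclear. Either keep these three lines commented, or move the change to its own commit with the allowed origins stated.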
@@ -42,11 +42,14 @@ data: customFrameOptionsValue: "SAMEORIGIN" referrerPolicy: "same-origin" permissionsPolicy: "vibrate 'self'" + permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';" stsSeconds: 315360000 - contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" + # contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" # customResponseHeaders: # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # server: "" + hostsProxyHeaders: + - "X-Forwarded-Host" {% if ingress_whitelist is defined %} traefik-ipwhitelist: ipWhiteList: @@ -99,6 +102,9 @@ data: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + alpnProtocols: + - h2 + - http/1.1 {% if false %} stores: default: From a102ba09a71ce0f64a2491826d97e5eb07310fa7 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 23 Jul 2022 01:07:41 +0200 Subject: [PATCH 33/88] Fix lint errors --- .drone.yml | 2 +- tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.drone.yml b/.drone.yml index f366012..c8ff368 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1,7 +1,7 @@ --- kind: pipeline type: kubernetes -#type: docker +# type: docker name: default steps: diff --git a/tasks/main.yml b/tasks/main.yml index 1f5200d..c712f88 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -80,11 +80,11 @@ # field_selectors: # - spec.template.spec.containers.image # register: traefik_actual_resources -# +# # - name: Retreive actual traefik version # ansible.builtin.shell: echo "{{ traefik_actual_resources.resources }}" | sed "s/.*traefik:\([0-9]\.[0-9]*\).*/\1/" | uniq # register: traefik_actual_version -# +# # - name: Remove old traefik version {{ traefik_actual_version.stdout }} # kubernetes.core.k8s: # state: "absent" From 382cc69b2c22bbb6fbf5d2b02e34b3cbf3ae1d20 Mon Sep 17 00:00:00 2001 
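Review bot: The new `permissionsPolicy` line is added beneath the existing one, leaving two `permissionsPolicy` keys in the same `headers` mapping; duplicate keys are invalid YAML, and whether a parser keeps the last value or rejects the file is not guaranteed. Delete the old `permissionsPolicy: "vibrate 'self'"` line in this commit. The same hunk comments out `contentSecurityPolicy`, so responses lose their CSP header in what is labelled a lint fix; if the old policy was breaking something, replace it with a working one and say why in the commit message. `hostsProxyHeaders` with `X-Forwarded-Host` is also new behaviour here and deserves a one-line comment naming the proxy expected to set that header.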
From: Adrien Reslinger Date: Wed, 5 Oct 2022 11:16:48 +0200 Subject: [PATCH 34/88] Update traefik deployment --- tasks/main.yml | 13 +++++++++++++ templates/traefik-cm.yml.j2 | 5 ++++- templates/traefik-hub-certificate.yml.j2 | 14 ++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 templates/traefik-hub-certificate.yml.j2 diff --git a/tasks/main.yml b/tasks/main.yml index c712f88..2dc1bf6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -141,6 +141,19 @@ when: - traefik_ondemand is defined + - name: ReInstall traefik-hub certificate if already know + kubernetes.core.k8s: + state: "present" + context: "{{ my_context }}" + namespace: '{{ traefik_namespace }}' +# merge_type: merge +# apply: true + resource_definition: "{{ lookup('template', item) | from_yaml_all }}" + with_items: + - traefik-hub-certificate.yml.j2 + when: + - traefik_hub_tlscrt is defined + - traefik_hub_tlskey is defined - name: Defined traefik-hub repository kubernetes.core.helm_repository: name: traefik-hub diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index f7ec403..7adfb58 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -46,7 +46,7 @@ data: traefikhub-api: address: ":9900" traefikhub-tunl: - address: ":9901" + address: ":9901/tcp" {% endif%} {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: @@ -71,6 +71,9 @@ data: allowEmptyServices: true kubernetesIngress: ingressClass: "traefik" +{% if traefik_hub_token is defined %} + allowExternalNameServices: true +{% endif%} allowEmptyServices: true file: directory: /etc/traefik/file/ diff --git a/templates/traefik-hub-certificate.yml.j2 b/templates/traefik-hub-certificate.yml.j2 new file mode 100644 index 0000000..72997c3 --- /dev/null +++ b/templates/traefik-hub-certificate.yml.j2 
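Review bot: `allowExternalNameServices: true` is switched on for the `kubernetesIngress` provider whenever `traefik_hub_token` is defined, which lets any Ingress the provider watches route through Traefik to a Service of type ExternalName, that is, to a hostname chosen by whoever can create that Service. Traefik leaves this option off by default for that reason. If Hub needs it, add a comment saying so and consider restricting the provider with `namespaces:` so only trusted namespaces are watched. The closing tag `{% endif%}` works but is inconsistent with the `{% endif %}` used elsewhere in the template.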
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: List +items: +- apiVersion: v1 + kind: Secret + metadata: + annotations: + app.kubernetes.io/managed-by: traefik-hub + name: hub-certificate + namespace: {{ traefik_namespace }} + type: kubernetes.io/tls + data: + tls.crt: {{ traefik_hub_tlscrt | b64encode }} + tls.key: {{ traefik_hub_tlskey | b64encode }} From 4e55bc09afe293277c7acc49e3e8dd9a7f174cf8 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 18 Oct 2022 00:18:20 +0200 Subject: [PATCH 35/88] Update traefik & crowdsec traefik bouncer --- defaults/main.yml | 4 ++-- tasks/main.yml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f1807c9..54f314c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.8.1" +traefik_version: "2.9.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer @@ -22,4 +22,4 @@ basic_auth: false # traefik_dashboard_certificate: wildcard-cluster crowdsec_namespace: "crowdsec" -crowdsec_traefik_bouncer_chart_version: "0.1.0" +crowdsec_traefik_bouncer_chart_version: "0.1.2" diff --git a/tasks/main.yml b/tasks/main.yml index 2dc1bf6..60f4f14 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -54,9 +54,12 @@ chart_ref: crowdsec/crowdsec-traefik-bouncer chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}" values: + image: + tag: "0.5.0" bouncer: crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}" crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080" + crowdsec_bouncer_gin_mode: "release" replicaCount: 1 podSecurityContext: fsGroup: 2000 From 2a2161a25d060ec920a73e970656d63de893428d Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Wed, 7 Dec 2022 11:24:40 +0100 Subject: [PATCH 36/88] Update traefik deployment --- defaults/main.yml | 4 ++-- templates/traefik-cm.yml.j2 | 2 +- templates/traefik-helm-value.yaml.j2 | 8 ++++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 54f314c..64f9d0a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.9.1" +traefik_version: "2.9.5" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer @@ -22,4 +22,4 @@ basic_auth: false # traefik_dashboard_certificate: wildcard-cluster crowdsec_namespace: "crowdsec" -crowdsec_traefik_bouncer_chart_version: "0.1.2" +crowdsec_traefik_bouncer_chart_version: "0.3.5" diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 7adfb58..ec15dcc 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -37,7 +37,7 @@ data: # - secure_headers@file # - crowdsec-bouncer@file # http3: - # advertisedPort: 42 + # advertisedPort: 443 traefik: address: ":9000/tcp" metrics: diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 050187b..0abb7fd 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -1,6 +1,8 @@ # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml -#image: -# tag: "{{ traefik_version }}" +{% if traefik_version is defined %} +image: + tag: "{{ traefik_version }}" +{% endif %} #fullnameOverride: "{{ my_context }}" additionalArguments: - --configFile=/etc/traefik/traefik.yaml @@ -23,6 +25,7 @@ podDisruptionBudget: ingressClass: enabled: true isDefaultClass: true +{% if false %} autoscaling: enabled: true minReplicas: 1 
@@ -36,6 +39,7 @@ autoscaling: resource: name: memory targetAverageUtilization: 60 +{% endif %} {% if traefik_service_type == "NodePort" or traefik_hub_token is defined %} ports: {% if traefik_service_type == "NodePort" and false %} From 23e0c8a91ec1cc6b6c6a6813be74bc707975da9b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 23 Jun 2023 17:09:22 +0200 Subject: [PATCH 37/88] Fix hostport deployment --- defaults/main.yml | 2 +- templates/traefik-files.yml.j2 | 2 +- templates/traefik-helm-value.yaml.j2 | 25 +++++++++++++++++++++---- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 64f9d0a..868a754 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.9.5" +traefik_version: "2.10.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 40f342f..07755e4 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -41,7 +41,7 @@ data: stsPreload: true customFrameOptionsValue: "SAMEORIGIN" referrerPolicy: "same-origin" - permissionsPolicy: "vibrate 'self'" + # permissionsPolicy: "vibrate 'self'" permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';" stsSeconds: 315360000 # contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 0abb7fd..ccf9f19 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 
@@ -40,16 +40,24 @@ autoscaling: name: memory targetAverageUtilization: 60 {% endif %} -{% if traefik_service_type == "NodePort" or traefik_hub_token is defined %} +{% if traefik_service_type == "NodePort" or (traefik_hostport is defined and traefik_hostport == true) or traefik_hub_token is defined %} ports: -{% if traefik_service_type == "NodePort" and false %} +{% if traefik_service_type == "NodePort" or (traefik_hostport is defined and traefik_hostport == true) %} web: # redirectTo: websecure -# hostPort: 80 +{% if traefik_hostport is defined and traefik_hostport == true %} + hostPort: 80 +{% endif %} +{% if traefik_service_type == "NodePort" %} nodePort: 80 +{% endif %} websecure: -# hostPort: 443 +{% if traefik_hostport is defined and traefik_hostport == true %} + hostPort: 443 +{% endif %} +{% if traefik_service_type == "NodePort" %} nodePort: 443 +{% endif %} # tls: # enabled: true # options: default @@ -73,10 +81,19 @@ volumes: name: basic-auth type: secret deployment: +{% if traefik_hostport is defined and traefik_hostport == true %} + kind: DaemonSet +{% else %} replicas: 1 +{% endif %} + revisionHistoryLimit: 3 podAnnotations: prometheus.io/port: '9100' prometheus.io/scrape: 'true' +{% if traefik_hostport is defined and traefik_hostport == true %} +updateStrategy: + type: OnDelete +{% endif %} experimental: http3: enabled: true From c96e8274a94e33d0206177c3022235d5800b4c02 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 20 Jul 2023 13:14:09 +0200 Subject: [PATCH 38/88] Update traefik to version 2.10.3 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 868a754..c73b43f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "2.10.1" +traefik_version: "2.10.3" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer 
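Review bot: The test `traefik_hostport is defined and traefik_hostport == true` is repeated for `ports:`, `web` and `websecure` (and again in the next hunk) and only matches a real boolean. A value that arrives as a string, for example from `-e traefik_hostport=true`, compares unequal and silently renders no `hostPort`. `{% if traefik_hostport | default(false) | bool %}` handles both forms and is shorter. Separately, dropping `and false` means `nodePort: 80` and `nodePort: 443` are now rendered for every NodePort install. Those values are outside Kubernetes' default NodePort range (30000-32767), so a comment stating that the cluster's node-port range must be widened would save a rejected deploy.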
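Review bot: `updateStrategy: type: OnDelete` for the hostPort DaemonSet means a Helm upgrade changes the pod template but leaves the running pods untouched until someone deletes them. The `traefik_version` bumps in this series, security fixes included, therefore do not reach the nodes on their own. Because only one pod per node can hold host ports 80/443, a rolling update that removes the old pod first avoids the port clash without the manual step. If OnDelete is deliberate, put a comment next to it saying that pods must be deleted by hand after each upgrade. The `deployment:` block continues outside the hunk.

```jinja
{% if traefik_hostport is defined and traefik_hostport == true %}
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    # host ports cannot be shared on a node, so the old pod has to go first
    maxUnavailable: 1
    maxSurge: 0
{% endif %}
```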
From 37c90c3c42e8b6386061eb4ed871c61c6fdf20b8 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 20 Jul 2023 13:14:31 +0200 Subject: [PATCH 39/88] WIP Switchboard --- tasks/main.yml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 60f4f14..09d6f4e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -174,4 +174,47 @@ when: - traefik_hub_token is defined +#echo 'apiVersion: v1 +#kind: Service +#metadata: +# annotations: +## external-dns.alpha.kubernetes.io/endpoints-type: HostIP +# external-dns.alpha.kubernetes.io/hostname: traefik.ibm.reslinger.net +# external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP +## external-dns.alpha.kubernetes.io/target: "1.2.3.4" +# name: traefik-dns +# namespace: traefik +#spec: +# clusterIP: None +# ports: +# - name: web +# port: 80 +# protocol: TCP +# targetPort: web +# - name: websecure +# port: 443 +# protocol: TCP +# targetPort: websecure +# selector: +# app.kubernetes.io/instance: traefik-traefik +# app.kubernetes.io/name: traefik' | kubectl --context kubeibm -n traefik apply -f - + +# - name: Deploy latest version of Switchboard +# kubernetes.core.helm: +# context: "{{ my_context }}" +# name: switchboard +# chart_ref: oci://ghcr.io/borchero/charts/switchboard +# release_namespace: "{{ traefik_namespace }}" +## values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" +# values: +# integrations: +## certManager: +## enabled: true +## issuer: "letsencrypt-prod" +# externalDNS: +# enabled: true +# targetIPs: [10.144.217.172] + + + tags: traefik From 8a6b74906e7c94e577d78d7c9d89057f9ec75639 Mon Sep 17 00:00:00 2001 
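Review bot: The commented-out block added after the Hub task carries values from one specific environment: the hostname `traefik.ibm.reslinger.net`, the kubectl context `kubeibm` and the address `10.144.217.172`. A shared role is a poor place to keep them, even as comments. Keep the experiment on a branch, or replace the literals with role variables (`{{ cluster_domain }}`, `{{ my_context }}`) before it is enabled. If the Switchboard task is later uncommented it should also set `chart_version:`, since `oci://ghcr.io/borchero/charts/switchboard` without a version follows whatever is published.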
From: Adrien Reslinger Date: Thu, 20 Jul 2023 13:15:16 +0200 Subject: [PATCH 40/88] Enable http/3 --- templates/traefik-cm.yml.j2 | 12 ++++++++---- templates/traefik-helm-value.yaml.j2 | 5 +++-- templates/traefik-ingressroute.yml.j2 | 11 +++++++++++ templates/traefik-svc.yml.j2 | 4 ++++ 4 files changed, 26 insertions(+), 6 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index ec15dcc..289341c 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -28,7 +28,7 @@ data: # http3: # advertisedPort: 42 websecure: - address: ":8443/tcp" + address: ":8443" http: tls: options: default @@ -36,8 +36,8 @@ data: # - auth@file # - secure_headers@file # - crowdsec-bouncer@file - # http3: - # advertisedPort: 443 + http3: + advertisedPort: 443 traefik: address: ":9000/tcp" metrics: @@ -50,7 +50,11 @@ data: {% endif%} {% for traefik_entrypoint in traefik_entrypoints %} {{ traefik_entrypoint.name }}: - address: :{{ traefik_entrypoint.port }} +{% if traefik_entrypoint.proto is defined %} + address: ":{{ traefik_entrypoint.port }}/{{ traefik_entrypoint.proto | lower }}" +{% else %} + address: ":{{ traefik_entrypoint.port }}" +{% endif %} {% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %} http: {% if traefik_entrypoint.middlewares is defined %} diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index ccf9f19..dff9287 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -58,6 +58,9 @@ ports: {% if traefik_service_type == "NodePort" %} nodePort: 443 {% endif %} + http3: + enabled: true + advertisedPort: 443 # tls: # enabled: true # options: default @@ -95,8 +98,6 @@ updateStrategy: type: OnDelete {% endif %} experimental: - http3: - enabled: true plugins: enabled: true kubernetesGateway: diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index e35e618..22000cc 100644 
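Review bot: The new `http3:` block under `websecure` in `traefik-helm-value.yaml.j2` appears to sit inside the `{% if traefik_service_type == "NodePort" or … %}` branch that renders `web`/`websecure` (the enclosing tags are outside this hunk), while the second hunk removes `experimental.http3` unconditionally. On a default `LoadBalancer` install without host ports the chart values would then carry no HTTP/3 setting at all, although `traefik-cm.yml.j2` and `traefik-svc.yml.j2` in the same commit turn it on for everyone. Either render `ports.websecure.http3` outside the conditional, or add a comment that the ConfigMap and the hand-written Service carry HTTP/3 in the default case. Any node firewall rule or NetworkPolicy written for TCP 443 also needs a UDP counterpart once this is enabled.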
--- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -4,6 +4,17 @@ metadata: name: traefik labels: app: traefik + annotations: + kubernetes.io/ingress.class: traefik + external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }} + external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP +{% if false %} + # external-dns.alpha.kubernetes.io/endpoints-type: HostIP + # external-dns.alpha.kubernetes.io/target: "1.2.3.4" + + # external-dns.alpha.kubernetes.io/ttl: "120" + # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" +{% endif %} spec: entryPoints: diff --git a/templates/traefik-svc.yml.j2 b/templates/traefik-svc.yml.j2 index 1397dd8..b206f0e 100644 --- a/templates/traefik-svc.yml.j2 +++ b/templates/traefik-svc.yml.j2 @@ -16,6 +16,10 @@ spec: port: 443 protocol: TCP targetPort: websecure + - name: websecure-http3 + port: 443 + protocol: UDP + targetPort: websecure {% if traefik_external_ips is defined %} externalIPs: {% for traefik_external_ip in traefik_external_ips %} From 1be87b3bb4ecb588c4258939ba1801050f71fce5 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 24 Jul 2023 12:07:32 +0200 Subject: [PATCH 41/88] Fix lint error --- tasks/main.yml | 80 +++++++++++++++++++++++++------------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 09d6f4e..6b50ef5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
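Review bot: The added `external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }}` with `endpoints-type: NodeExternalIP` publishes a DNS record for this IngressRoute pointing at the nodes' external addresses, and the hunk shows no authentication middleware on the route (its `spec:` continues outside the hunk). If this route serves the Traefik dashboard or API, confirm it carries an auth middleware before the record goes public; `basic_auth` defaults to `false` in `defaults/main.yml`. The `{% if false %}` wrapper around lines that are already `#` comments would read more clearly as a Jinja comment block `{# … #}`.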
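Review bot: The new `websecure-http3` port uses `targetPort: websecure` with `protocol: UDP`, but Kubernetes resolves a named target port against a container port of the same name and protocol. As far as I know the Traefik chart gives its UDP container port a different name from the TCP one, so this Service port may end up with no endpoints; check the Service's endpoints after deploy, or point `targetPort` at the UDP port's actual name or number. A Service mixing TCP and UDP on 443 also depends on mixed-protocol LoadBalancer support in the cluster and provider, which deserves a comment next to the port. The Service spec continues outside the hunk.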
@@ -174,46 +174,46 @@ when: - traefik_hub_token is defined -#echo 'apiVersion: v1 -#kind: Service -#metadata: -# annotations: -## external-dns.alpha.kubernetes.io/endpoints-type: HostIP -# external-dns.alpha.kubernetes.io/hostname: traefik.ibm.reslinger.net -# external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP -## external-dns.alpha.kubernetes.io/target: "1.2.3.4" -# name: traefik-dns -# namespace: traefik -#spec: -# clusterIP: None -# ports: -# - name: web -# port: 80 -# protocol: TCP -# targetPort: web -# - name: websecure -# port: 443 -# protocol: TCP -# targetPort: websecure -# selector: -# app.kubernetes.io/instance: traefik-traefik -# app.kubernetes.io/name: traefik' | kubectl --context kubeibm -n traefik apply -f - - -# - name: Deploy latest version of Switchboard -# kubernetes.core.helm: -# context: "{{ my_context }}" -# name: switchboard -# chart_ref: oci://ghcr.io/borchero/charts/switchboard -# release_namespace: "{{ traefik_namespace }}" -## values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" -# values: -# integrations: -## certManager: -## enabled: true -## issuer: "letsencrypt-prod" -# externalDNS: -# enabled: true -# targetIPs: [10.144.217.172] +# echo 'apiVersion: v1 +# kind: Service +# metadata: +# annotations: +# # external-dns.alpha.kubernetes.io/endpoints-type: HostIP +# external-dns.alpha.kubernetes.io/hostname: traefik.ibm.reslinger.net +# external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP +# # external-dns.alpha.kubernetes.io/target: "1.2.3.4" +# name: traefik-dns +# namespace: traefik +# spec: +# clusterIP: None +# ports: +# - name: web +# port: 80 +# protocol: TCP +# targetPort: web +# - name: websecure +# port: 443 +# protocol: TCP +# targetPort: websecure +# selector: +# app.kubernetes.io/instance: traefik-traefik +# app.kubernetes.io/name: traefik' | kubectl --context kubeibm -n traefik apply -f - + +# - name: Deploy latest version of Switchboard +# kubernetes.core.helm: +# context: "{{ 
my_context }}" +# name: switchboard +# chart_ref: oci://ghcr.io/borchero/charts/switchboard +# release_namespace: "{{ traefik_namespace }}" +# # values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" +# values: +# integrations: +# # certManager: +# # enabled: true +# # issuer: "letsencrypt-prod" +# externalDNS: +# enabled: true +# targetIPs: [10.144.217.172] From dda4c70a95da7f44b3288e4cbc999059203c4366 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 24 Jul 2023 12:13:45 +0200 Subject: [PATCH 42/88] Fix another lint errors --- tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6b50ef5..041291c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -198,7 +198,7 @@ # selector: # app.kubernetes.io/instance: traefik-traefik # app.kubernetes.io/name: traefik' | kubectl --context kubeibm -n traefik apply -f - - + # - name: Deploy latest version of Switchboard # kubernetes.core.helm: # context: "{{ my_context }}" @@ -216,5 +216,4 @@ # targetIPs: [10.144.217.172] - tags: traefik From a4d8db46534778a983a273b9efaccdc72c52b0f2 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 18 Nov 2023 10:13:54 +0100 Subject: [PATCH 43/88] Add wip for dashboard --- templates/traefik-files.yml.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 07755e4..27a1efb 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -118,3 +118,17 @@ data: - certFile: /path/to/other-domain.cert keyFile: /path/to/other-domain.key {% endif %} + +# dashboard.yaml: | +# http: +# routers: +# traefik: +# rule: "Host(`traefik.{{ domain | lower }}`)" +# entryPoints: +# - "websecure" +# middlewares: +# - "min_security@file" +#{% if basic_auth|bool %} +# - "basic-auth@file" +#{% endif %} +# service: "api@internal" From 0ff12a846fdcf30a343fa265c104eb7881462981 Mon Sep 17 00:00:00 2001 
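Review bot: The `dashboard.yaml` draft added to `traefik-files.yml.j2` is commented out for YAML but not for Jinja: `{{ domain | lower }}` and `{% if basic_auth|bool %}` are still evaluated when the template is rendered. An undefined `domain` (the visible defaults only define `cluster_domain`) would fail the whole template, not just this WIP part. Wrap the draft in a Jinja comment `{# … #}`, and use `cluster_domain` if that is the intended variable. Once enabled, the router exposes `api@internal` on `websecure` and adds `basic-auth@file` only when `basic_auth` is true, which `defaults/main.yml` sets to `false`, so the dashboard needs an authentication middleware that does not depend on that default.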
From: Adrien Reslinger Date: Sat, 4 May 2024 13:39:47 +0200 Subject: [PATCH 44/88] Update to traefik v3 --- defaults/main.yml | 5 +++-- tasks/main.yml | 1 + templates/traefik-cm.yml.j2 | 5 ++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c73b43f..c392afd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,6 @@ my_context: kubernetes -traefik_version: "2.10.3" +traefik_version: "3.0.0" +traefik_helm_chart_version: "28.0.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer @@ -22,4 +23,4 @@ basic_auth: false # traefik_dashboard_certificate: wildcard-cluster crowdsec_namespace: "crowdsec" -crowdsec_traefik_bouncer_chart_version: "0.3.5" +crowdsec_traefik_bouncer_chart_version: "0.1.3" diff --git a/tasks/main.yml b/tasks/main.yml index 041291c..593e65a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -110,6 +110,7 @@ context: "{{ my_context }}" name: traefik chart_ref: traefik/traefik + chart_version: "{{ traefik_helm_chart_version }}" release_namespace: "{{ traefik_namespace }}" values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 289341c..746b1ab 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -25,8 +25,6 @@ data: to: websecure scheme: https permanent: true - # http3: - # advertisedPort: 42 websecure: address: ":8443" http: @@ -107,9 +105,9 @@ data: ## BackendName: keep ## BackendURL: keep ## FrontendName: keep +{% if traefik_hub_token is defined or traefik_ondemand is defined %} experimental: # kubernetesGateway: true - http3: true {% if traefik_hub_token is defined %} hub: true {% endif %} @@ -119,3 +117,4 @@ data: moduleName: github.com/acouvreur/traefik-ondemand-plugin version: v1.2.0 {% endif %} +{% endif %} From 5eaa1c24afce1dfe1904381f3c2b4e29d556c3ca Mon Sep 17 00:00:00 2001 
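Review bot: In the second hunk of `defaults/main.yml`, `crowdsec_traefik_bouncer_chart_version` goes from `"0.3.5"` to `"0.1.3"`, which reads as a downgrade of the bouncer chart inside a commit titled "Update to traefik v3". An earlier commit in this series had raised it from `"0.1.2"` to `"0.3.5"`. If the older chart is needed for Traefik v3, or `0.3.5` was never a valid version of this chart, say so in a comment above the variable, e.g. `# bouncer chart is on the 0.1.x line; see <reason>`. Otherwise an unexplained rollback of the component that enforces CrowdSec decisions deserves a second look before release.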
From: Adrien Reslinger Date: Sat, 4 May 2024 13:49:52 +0200 Subject: [PATCH 45/88] Add link for traefik helm chart --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 593e65a..ff357b6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -101,6 +101,7 @@ # - not traefik_version == traefik_actual_version.stdout # - traefik_actual_version.stdout is version(traefik_version, '>') +# https://github.com/traefik/traefik-helm-chart - name: Defined traefik repository kubernetes.core.helm_repository: name: traefik From c5ef11e9e0191a6ddb45ed820a239f314ba72d47 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 26 Jun 2024 23:34:24 +0200 Subject: [PATCH 46/88] Add grafana dashboard --- files/grafana-dashboard.yml | 1523 +++++++++++++++++++++++++++++++++++ tasks/main.yml | 9 + 2 files changed, 1532 insertions(+) create mode 100644 files/grafana-dashboard.yml diff --git a/files/grafana-dashboard.yml b/files/grafana-dashboard.yml new file mode 100644 index 0000000..22ecb26 --- /dev/null +++ b/files/grafana-dashboard.yml 
@@ -0,0 +1,1523 @@ +# file from https://github.com/traefik/traefik/blob/master/contrib/grafana/traefik-kubernetes.json +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + grafana_dashboard: "1" + name: traefik-grafana-dashboard +data: + traefik-kubernetes.json: |- + { + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "panel", + "id": "piechart", + "name": "Pie chart", + "version": "" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "Official dashboard for Traefik on Kubernetes", + "editable": false, + "fiscalYearStartMonth": 0, + "gnetId": 17347, + "graphTooltip": 0, + "id": null, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 9, + "panels": [], + "title": "General", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 
80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 0, + "y": 1 + }, + "id": 13, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.3.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "count(traefik_config_reloads_total)", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Traefik Instances", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 7, + "x": 5, + "y": 1 + }, + "id": 7, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": 
"${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[1m])) by (entrypoint)", + "legendFormat": "{{entrypoint}}", + "range": true, + "refId": "A" + } + ], + "title": "Requests per Entrypoint", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "https://medium.com/@tristan_96324/prometheus-apdex-alerting-d17a065e39d0", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 6, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by 
(method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)\n", + "legendFormat": "{{method}}", + "range": true, + "refId": "A" + } + ], + "title": "Apdex score", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Mean Distribution", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 0, + "y": 3 + }, + "id": 14, + "options": { + "legend": { + "displayMode": "list", + "placement": "right", + "showLegend": true, + "values": [ + "percent" + ] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "asc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[1m])) by (method, code)", + "legendFormat": "{{method}}[{{code}}]", + "range": true, + "refId": "A" + } + ], + "title": "Http Code ", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 23, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)\n\n", + "legendFormat": "{{method}}[{{code}}] on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Top slow services", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": 
"green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n sum by (service,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "[{{code}}] on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Most requested services", + "type": "timeseries" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 17 + }, + "id": 11, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 18 + }, 
+ "id": 3, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "label_replace(\n 1 - (sum by (service)\n (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n ) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)", + "legendFormat": "{{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Services failing SLO of 1200ms", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 18 + }, + "id": 4, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + 
"tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "label_replace(\n 1 - (sum by (service)\n (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n ) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)", + "legendFormat": "{{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Services failing SLO of 300ms", + "type": "timeseries" + } + ], + "title": "SLO", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 16, + "panels": [], + "title": "HTTP Details", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 0, + "y": 19 + }, + "id": 17, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + 
"sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "{{method}}[{{code}}] on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "2xx over 5 min", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 8, + "y": 19 + }, + "id": 18, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": 
"code", + "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "{{method}}[{{code}}] on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "5xx over 5 min", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 16, + "y": 19 + }, + "id": 19, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n sum by (service,method,code) \n (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n \"service\", \"$1\", 
\"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "{{method}}[{{code}}] on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Other codes over 5 min", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 31 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n sum by (service,method) \n (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "{{method}} on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Requests Size", + "type": "timeseries" + }, + { + "datasource": { + "type": 
"prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 31 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Mean", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(15,\n label_replace(\n sum by (service,method) \n (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)", + "legendFormat": "{{method}} on {{service}}", + "range": true, + "refId": "A" + } + ], + "title": "Responses Size", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": 
"", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 39 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "mean", + "max" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n", + "legendFormat": "{{entrypoint}}", + "range": true, + "refId": "A" + } + ], + "title": "Connections per Entrypoint", + "type": "timeseries" + } + ], + "refresh": false, + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "label": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(traefik_open_connections, entrypoint)", + "hide": 0, + "includeAll": true, + "multi": false, + 
"name": "entrypoint", + "options": [], + "query": { + "query": "label_values(traefik_open_connections, entrypoint)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(traefik_service_requests_total, service)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "service", + "options": [], + "query": { + "query": "label_values(traefik_service_requests_total, service)", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/([^@]+)@.*/", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Traefik Official Kubernetes Dashboard", + "uid": "n5bu_kv4k", + "version": 7, + "weekStart": "" + } diff --git a/tasks/main.yml b/tasks/main.yml index ff357b6..d103949 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -217,5 +217,14 @@ # enabled: true # targetIPs: [10.144.217.172] + - name: Install traefik grafana dashboard + kubernetes.core.k8s: + state: "present" + context: "{{ my_context }}" + namespace: 'traefik' + apply: yes + resource_definition: "{{ lookup('file', item) | from_yaml_all }}" + with_items: + - grafana-dashboard.yml tags: traefik From 8d4a335e40335a4c0d37e1137c8471d44a0d9be6 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 26 Jun 2024 23:40:57 +0200 Subject: [PATCH 47/88] Enable ServiceMonitor --- templates/traefik-helm-value.yaml.j2 | 50 ++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index dff9287..c18c1e5 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 
@@ -90,13 +90,57 @@ deployment: replicas: 1 {% endif %} revisionHistoryLimit: 3 - podAnnotations: - prometheus.io/port: '9100' - prometheus.io/scrape: 'true' +# podAnnotations: +# prometheus.io/port: '9100' +# prometheus.io/scrape: 'true' +# prometheus.io/path: "/metrics" {% if traefik_hostport is defined and traefik_hostport == true %} updateStrategy: type: OnDelete {% endif %} +metrics: + prometheus: + service: + enabled: true + serviceMonitor: +# metricRelabelings: [] +# # - sourceLabels: [__name__] +# # separator: ; +# # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ +# # replacement: $1 +# # action: drop +# relabelings: [] +# # - sourceLabels: [__meta_kubernetes_pod_node_name] +# # separator: ; +# # regex: ^(.*)$ +# # targetLabel: nodename +# # replacement: $1 +# # action: replace +# jobLabel: traefik +# interval: 30s +# honorLabels: true +# # (Optional) +# # scrapeTimeout: 5s +# # honorTimestamps: true +# # enableHttp2: true +# # followRedirects: true +# # additionalLabels: +# # foo: bar +# # namespace: "another-namespace" +# # namespaceSelector: {} +# prometheusRule: +# additionalLabels: {} +# namespace: "{{ traefik_namespace }}" +# rules: +# - alert: TraefikDown +# expr: up{job="traefik"} == 0 +# for: 5m +# labels: +# context: traefik +# severity: warning +# annotations: +# summary: "Traefik Down" +# description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" experimental: plugins: enabled: true From f14a292a3575d0e0250268efd7a1dc1c09416344 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 28 Jun 2024 11:28:53 +0200 Subject: [PATCH 48/88] Update ServiceMonitor configuration --- templates/traefik-helm-value.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index c18c1e5..b03a8c1 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 
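Review bot: The commented-out `prometheusRule` block at the end of the `metrics:` addition in templates/traefik-helm-value.yaml.j2 still contains `{{ $labels.pod }}` and `{{ $labels.nodename }}`, and a YAML `#` does not hide them from Jinja2. The role renders this file through `lookup('template', ...)` before YAML parsing (visible in tasks/main.yml later on this page), and Jinja2 is likely to reject the `$` and fail the whole render. Wrap the text as `{% raw %}{{ $labels.pod }} on {{ $labels.nodename }} is down{% endraw %}`, or move the block into a `{# ... #}` comment. Separately, `serviceMonitor:` has only comments beneath it and so renders as null; give it an explicit child such as `metricRelabelings: []` if the ServiceMonitor is meant to be created.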
@@ -103,13 +103,13 @@ metrics: service: enabled: true serviceMonitor: -# metricRelabelings: [] + metricRelabelings: [] # # - sourceLabels: [__name__] # # separator: ; # # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ # # replacement: $1 # # action: drop -# relabelings: [] + relabelings: [] # # - sourceLabels: [__meta_kubernetes_pod_node_name] # # separator: ; # # regex: ^(.*)$ From 6b03163f0595462989b1052f2ad76e9c09e03376 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 7 Jul 2024 11:19:43 +0200 Subject: [PATCH 49/88] Update traefik to version 3.0.4 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c392afd..fad378a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.0.0" +traefik_version: "3.0.4" traefik_helm_chart_version: "28.0.0" cluster_domain: "local" traefik_namespace: "traefik" From 48c523ec9ab4a1181df56553c0db8df8e4c1b07d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 8 Sep 2024 13:47:46 +0200 Subject: [PATCH 50/88] Add servers transport file --- templates/traefik-files.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 27a1efb..5fabe92 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -89,6 +89,12 @@ data: address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth" trustForwardHeader: true + traefik-servers-transport.yaml: | + http: + serversTransports: + skip-verify-https-backend: + insecureSkipVerify: true + traefik-tls-defaults-options.yaml: | tls: options: From 62961f7e06dfe880d68fa42f5cfe4c682a602293 Mon Sep 17 00:00:00 2001 
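Review bot: The new `skip-verify-https-backend` serversTransport in templates/traefik-files.yml.j2 sets `insecureSkipVerify: true`, so any service that references it gets no certificate validation on the Traefik-to-backend hop, and a spoofed or intercepted backend would be accepted. Where the backend certificate comes from a known CA, a transport with `rootCAs: [PATH_TO_BACKEND_CA_BUNDLE]` and `serverName: NAME_ON_BACKEND_CERT` keeps verification on (both values are placeholders). If the skip-verify transport has to stay for self-signed backends, a comment above it such as `# no backend certificate validation: attach only to services that cannot present a verifiable certificate` makes the trade-off visible to whoever attaches it to a route. The enclosing `data:` mapping starts above the hunk.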
From: Adrien Reslinger Date: Mon, 9 Sep 2024 00:07:23 +0200 Subject: [PATCH 51/88] Switch plugin traefik-on-demand by sablier --- templates/traefik-cm.yml.j2 | 10 ++- templates/traefik-files.yml.j2 | 13 ++++ templates/traefik-helm-value.yaml.j2 | 5 ++ templates/traefik-ondemand-plugin.yml.j2 | 87 +++++++++++++++--------- 4 files changed, 79 insertions(+), 36 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 746b1ab..f68996c 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -70,13 +70,17 @@ data: kubernetesCRD: # ingressClass: "traefik" throttleDuration: 2s +{% if traefik_ondemand is defined %} allowEmptyServices: true +{% endif%} kubernetesIngress: ingressClass: "traefik" {% if traefik_hub_token is defined %} allowExternalNameServices: true {% endif%} +{% if traefik_ondemand is defined %} allowEmptyServices: true +{% endif%} file: directory: /etc/traefik/file/ watch: true @@ -113,8 +117,8 @@ data: {% endif %} {% if traefik_ondemand is defined %} plugins: - traefik-ondemand-plugin: - moduleName: github.com/acouvreur/traefik-ondemand-plugin - version: v1.2.0 + sablier: + moduleName: github.com/acouvreur/sablier + version: v1.7.0 {% endif %} {% endif %} diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 5fabe92..4c1f158 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -58,6 +58,19 @@ data: - {{ acl_whitelist }} {% endfor %} {% endif %} +{% if traefik_ondemand is defined %} + ondemand: + plugin: + sablier: + #group: default + dynamic: + displayName: Application is starting + refreshFrequency: 5s + showDetails: "true" + theme: hacker-terminal + sablierUrl: http://sablier:10000 + sessionDuration: 1m +{% endif %} {% if basic_auth|bool %} basic-auth: basicAuth: diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index b03a8c1..ee066b4 100644 --- a/templates/traefik-helm-value.yaml.j2 
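Review bot: The new guards around `allowEmptyServices: true` in templates/traefik-cm.yml.j2 test `traefik_ondemand is defined`, so an inventory that sets `traefik_ondemand: false` still turns empty services on, along with the other blocks gated the same way. If the variable is meant as an on/off flag, `{% if traefik_ondemand | default(false) | bool %}` matches the `{% if basic_auth|bool %}` style used in templates/traefik-files.yml.j2. The same test is used for the `ondemand` middleware added to templates/traefik-files.yml.j2 and for the plugin block in templates/traefik-helm-value.yaml.j2 in this commit. The closing tags are written `{% endif%}`; `{% endif %}` is the spelling used elsewhere in these templates.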
+++ b/templates/traefik-helm-value.yaml.j2 @@ -144,6 +144,11 @@ metrics: experimental: plugins: enabled: true +{% if traefik_ondemand is defined %} + sablier: + moduleName: "github.com/acouvreur/sablier" + version: "v1.7.0" +{% endif %} kubernetesGateway: enabled: false {% if traefik_hub_token is defined %} diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index d983519..9c988b3 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -1,35 +1,35 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: traefik-ondemand-service + name: sablier labels: - app: traefik-ondemand-service + app: sablier spec: replicas: 1 selector: matchLabels: - app: traefik-ondemand-service + app: sablier template: metadata: labels: - app: traefik-ondemand-service + app: sablier spec: - serviceAccountName: traefik-ondemand-service - serviceAccount: traefik-ondemand-service + serviceAccountName: sablier + serviceAccount: sablier containers: - - name: traefik-ondemand-service - image: ghcr.io/acouvreur/traefik-ondemand-service:1 - args: ["--swarmMode=false", "--kubernetesMode=true"] + - name: sablier + image: acouvreur/sablier:1.7.0 + args: ["start", "--provider.name=kubernetes"] ports: - containerPort: 10000 --- apiVersion: v1 kind: Service metadata: - name: traefik-ondemand-service + name: sablier spec: selector: - app: traefik-ondemand-service + app: sablier ports: - protocol: TCP port: 10000 
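Review bot: The Deployment in templates/traefik-ondemand-plugin.yml.j2 now pulls `acouvreur/sablier:1.7.0`, a reference with no registry and a mutable tag, for a workload whose service account is bound to the ClusterRole defined later in this file. Pinning the image as `image: docker.io/acouvreur/sablier:1.7.0@sha256:REVIEWED_IMAGE_DIGEST` (the digest is a placeholder) means a re-pushed tag cannot change what runs with those permissions. The same applies to the later image bumps of this Deployment on this page.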
@@ -38,44 +38,65 @@ spec: apiVersion: v1 kind: ServiceAccount metadata: - name: traefik-ondemand-service + name: sablier + namespace: {{ traefik_namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: traefik-ondemand-service - namespace: {{ traefik_namespace }} + name: sablier +# namespace: {{ traefik_namespace }} rules: - apiGroups: - apps + - "" resources: - deployments - - deployments/scale +# - deployments/scale + - statefulsets +# - statefulsets/scale verbs: - - patch - - get - - update ---- + - patch # Scale up and down + - get # Retrieve info about specific dep + - update # Scale up and down + - list # Events + - watch # Events + - apiGroups: + - apps + - "" + resources: + - deployments/scale + - statefulsets/scale + verbs: + - patch # Scale up and down + - update # Scale up and down + - get # Retrieve info about specific dep + - list # Events + - watch # Events--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: traefik-ondemand-service + name: sablier roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: traefik-ondemand-service + name: sablier subjects: - kind: ServiceAccount - name: traefik-ondemand-service + name: sablier namespace: {{ traefik_namespace }} ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: ondemand -spec: - plugin: - traefik-ondemand-plugin: - name: traefik_ondemand_plugin - serviceUrl: 'http://traefik-ondemand-service.{{ traefik_namespace }}:10000' - timeout: 1m \ No newline at end of file +#--- +#apiVersion: traefik.containo.us/v1alpha1 +#kind: Middleware +#metadata: +# name: ondemand +#spec: +# plugin: +# group: default +# dynamic: +# displayName: My Title +# refreshFrequency: 5s +# showDetails: "true" +# theme: hacker-terminal +# sablierUrl: http://sablier.{{ traefik_namespace }}:10000 +# sessionDuration: 1m From 8db2742da0d4664b1d4e30c76ff8b2849e873f35 Mon Sep 17 00:00:00 2001 
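Review bot: In the ClusterRole hunk of templates/traefik-ondemand-plugin.yml.j2 the last added verb line reads `- watch # Events---`, so the `---` separator that used to precede the ClusterRoleBinding has been absorbed into the comment. The ClusterRole and ClusterRoleBinding then parse as one document with duplicate `apiVersion`, `kind` and `metadata` keys. Put the separator back on its own line, `---`, directly before the binding's `apiVersion: rbac.authorization.k8s.io/v1`. The first rule also grants `patch` and `update` on whole `deployments` and `statefulsets` cluster-wide, which lets the service account rewrite pod specs rather than only replica counts. Keeping the write verbs on `deployments/scale` and `statefulsets/scale`, with `get`, `list`, `watch` on the parent resources, should be enough for scaling.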
From: Adrien Reslinger Date: Fri, 13 Sep 2024 14:16:59 +0200 Subject: [PATCH 52/88] fix yaml template --- templates/traefik-ondemand-plugin.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 9c988b3..59c28ad 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -73,6 +73,7 @@ rules: - get # Retrieve info about specific dep - list # Events - watch # Events--- +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: From 232cd4de5d77035bf35ed696e1045838eac5314d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 28 Sep 2024 18:55:34 +0200 Subject: [PATCH 53/88] Update traefik role --- defaults/main.yml | 4 +- tasks/main.yml | 7 ++- templates/default-network-dns-policy.yaml.j2 | 46 ++++++++++++++++++++ templates/traefik-helm-value.yaml.j2 | 12 +++-- templates/traefik-ingressroute.yml.j2 | 2 +- 5 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 templates/default-network-dns-policy.yaml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index fad378a..bf17a26 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes -traefik_version: "3.0.4" -traefik_helm_chart_version: "28.0.0" +traefik_version: "3.1.4" +traefik_helm_chart_version: "31.1.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer diff --git a/tasks/main.yml b/tasks/main.yml index d103949..07f176b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -106,6 +106,9 @@ kubernetes.core.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" +# - name: show templating results +# ansible.builtin.debug: +# msg: "{{ lookup('ansible.builtin.template', 'traefik-helm-value.yaml.j2') }}" - name: Deploy latest version of Traefik kubernetes.core.helm: context: "{{ my_context }}" 
@@ -113,6 +116,7 @@ chart_ref: traefik/traefik chart_version: "{{ traefik_helm_chart_version }}" release_namespace: "{{ traefik_namespace }}" + create_namespace: true values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - name: Install traefik configuration @@ -122,8 +126,9 @@ namespace: '{{ traefik_namespace }}' # merge_type: merge apply: true - resource_definition: "{{ lookup('template', item) | from_yaml }}" + resource_definition: "{{ lookup('template', item) | from_yaml_all }}" with_items: + - default-network-dns-policy.yaml.j2 # - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - traefik-certificate.yml.j2 - traefik-cm.yml.j2 diff --git a/templates/default-network-dns-policy.yaml.j2 b/templates/default-network-dns-policy.yaml.j2 new file mode 100644 index 0000000..185500e --- /dev/null +++ b/templates/default-network-dns-policy.yaml.j2 @@ -0,0 +1,46 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: intra-namespace +spec: + podSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + name: {{ traefik_namespace }} + +#--- +#apiVersion: networking.k8s.io/v1 +#kind: NetworkPolicy +#metadata: +# name: allow-dns-access +#spec: +# podSelector: +# matchLabels: {} +# policyTypes: +# - Egress +# egress: +# - to: +# - namespaceSelector: +# matchLabels: +# kubernetes.io/metadata.name: kube-system +# podSelector: +# matchLabels: +# k8s-app: kube-dns +# ports: +# - protocol: UDP +# port: 53 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-traefik-v121-ingress +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ingress: + - {} + policyTypes: + - Ingress diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index ee066b4..c1d6b71 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 
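Review bot: The `intra-namespace` policy in the new templates/default-network-dns-policy.yaml.j2 matches source namespaces on the label `name: {{ traefik_namespace }}`, which Kubernetes does not set by itself. The namespace is created by Helm through `create_namespace: true` in this same commit, so unless something else adds that label the rule would match nothing, and every pod in the namespace not covered by another policy would lose all ingress, including from its own namespace. The automatically applied label is the one already used in the commented-out DNS policy in this file: `kubernetes.io/metadata.name: "{{ traefik_namespace }}"`. `allow-all-traefik-v121-ingress` uses `ingress: - {}`, which opens every port of the Traefik pods. Listing only the entrypoint ports there would keep any metrics or dashboard port under the policy.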
@@ -140,11 +140,10 @@ metrics: # severity: warning # annotations: # summary: "Traefik Down" -# description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" +# description: "{% raw %}{{ $labels.pod }} on {{ $labels.nodename }} is down{% endraw %}" experimental: - plugins: - enabled: true {% if traefik_ondemand is defined %} + plugins: sablier: moduleName: "github.com/acouvreur/sablier" version: "v1.7.0" @@ -155,3 +154,10 @@ experimental: hub: enabled: true {% endif %} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 22000cc..93c07e5 100644 --- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: traefik From 24d977621bbd0d1dbbc10676f0522e62bd100e1e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 28 Sep 2024 18:55:56 +0200 Subject: [PATCH 54/88] Add forgotten file --- templates/traefik-ondemand-plugin.yml.j2 | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 59c28ad..0a0aba5 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 
@@ -19,9 +19,21 @@ spec: containers: - name: sablier image: acouvreur/sablier:1.7.0 - args: ["start", "--provider.name=kubernetes"] + args: ["start", "--provider.name=kubernetes", "--storage.file=/dev/shm/state.json"] ports: - - containerPort: 10000 + - containerPort: 10000 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +# --configFile=path/to/myconfigfile.yml --- apiVersion: v1 kind: Service @@ -39,7 +51,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: sablier - namespace: {{ traefik_namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -87,7 +98,7 @@ subjects: name: sablier namespace: {{ traefik_namespace }} #--- -#apiVersion: traefik.containo.us/v1alpha1 +#apiVersion: traefik.io/v1alpha1 #kind: Middleware #metadata: # name: ondemand From 0dcdedf829cd9270365d197d2a8fca5051e54922 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 2 Oct 2024 09:08:01 +0200 Subject: [PATCH 55/88] Update min_security middleware --- templates/traefik-files.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/traefik-files.yml.j2 b/templates/traefik-files.yml.j2 index 4c1f158..c046713 100644 --- a/templates/traefik-files.yml.j2 +++ b/templates/traefik-files.yml.j2 @@ -16,10 +16,12 @@ data: {% endif %} - rate-limit - compress +{% if false %} {% if basic_auth|bool %} - basic-auth {% endif %} - authelia +{% endif %} compress: compress: excludedContentTypes: ["text/event-stream"] From dd782d4e3263c0176fd087ba78d4a3a78934a7fe Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 8 Oct 2024 07:18:15 +0200 Subject: [PATCH 56/88] Update traefik helm chart to version 32.1.0 & traefik to version 3.1.5 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
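Review bot: The `{% if false %}` wrapper added in templates/traefik-files.yml.j2 removes both `basic-auth` and `authelia` from this middleware chain unconditionally, so any router that relied on the chain for authentication is now served with only the entries that remain (`rate-limit` and `compress` are visible here). If that is intended, delete the entries or gate them on a role variable, for example `{% if AUTH_TOGGLE_VAR | default(true) | bool %}` (placeholder name), so the state is visible in inventory rather than hidden in a constant-false branch. Routers that still need authentication then have to reference `authelia` or `basic-auth` directly. The chain definition starts above the hunk, so which chain this is can only be inferred from the commit subject.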
diff --git a/defaults/main.yml b/defaults/main.yml index bf17a26..cbd6dff 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes -traefik_version: "3.1.4" -traefik_helm_chart_version: "31.1.1" +traefik_version: "3.1.5" +traefik_helm_chart_version: "32.1.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From 3e53d8fb91191af5fc027765d3647716e74edbaa Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 10 Oct 2024 14:53:52 +0200 Subject: [PATCH 57/88] Update traefik to version 3.1.6 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cbd6dff..9c44681 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.1.5" +traefik_version: "3.1.6" traefik_helm_chart_version: "32.1.0" cluster_domain: "local" traefik_namespace: "traefik" From ccf7bef5eb7f8e21301ff88af02539f52c7f768f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 11 Oct 2024 21:37:49 +0200 Subject: [PATCH 58/88] Update traefik helm chart to version 32.1.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9c44681..6e92cda 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.1.6" -traefik_helm_chart_version: "32.1.0" +traefik_helm_chart_version: "32.1.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From f83fd94ddf9e1b0e563cae2b28c37c7d09c10be2 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 16 Oct 2024 00:39:51 +0200 Subject: [PATCH 59/88] Fix Sablier --- templates/traefik-cm.yml.j2 | 2 +- templates/traefik-helm-value.yaml.j2 | 2 +- templates/traefik-ondemand-plugin.yml.j2 | 66 ++++++++++++++---------- 3 files changed, 41 insertions(+), 29 deletions(-) 
diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index f68996c..4e4c154 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -119,6 +119,6 @@ data: plugins: sablier: moduleName: github.com/acouvreur/sablier - version: v1.7.0 + version: v1.8.0 {% endif %} {% endif %} diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index c1d6b71..84df520 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -146,7 +146,7 @@ experimental: plugins: sablier: moduleName: "github.com/acouvreur/sablier" - version: "v1.7.0" + version: "v1.8.0" {% endif %} kubernetesGateway: enabled: false diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 0a0aba5..87ce24b 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -3,23 +3,27 @@ kind: Deployment metadata: name: sablier labels: - app: sablier + app.kubernetes.io/name: sablier spec: replicas: 1 selector: matchLabels: - app: sablier + app.kubernetes.io/name: sablier template: metadata: labels: - app: sablier + app.kubernetes.io/name: sablier spec: serviceAccountName: sablier serviceAccount: sablier containers: - name: sablier - image: acouvreur/sablier:1.7.0 - args: ["start", "--provider.name=kubernetes", "--storage.file=/dev/shm/state.json"] + image: acouvreur/sablier:1.8.0 + args: + - "start" + - "--provider.name=kubernetes" + - "--server.port=10000" + - "--storage.file=/dev/shm/state.json" ports: - containerPort: 10000 securityContext: @@ -41,7 +45,7 @@ metadata: name: sablier spec: selector: - app: sablier + app.kubernetes.io/name: sablier ports: - protocol: TCP port: 10000 
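Review bot: The Deployment hunk in templates/traefik-ondemand-plugin.yml.j2 changes `spec.selector.matchLabels` from `app: sablier` to `app.kubernetes.io/name: sablier`, and a Deployment's selector is immutable, so applying this over an existing `sablier` Deployment is rejected by the API server. The role needs a one-off removal of the old Deployment before the apply, for instance a `kubernetes.core.k8s` task with `state: absent`. Alternatively keep `app: sablier` in the selector and add the new label only to the pod template. The Service selector changed in the same commit is mutable and is not affected.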
@@ -63,27 +67,15 @@ rules: - "" resources: - deployments -# - deployments/scale + - deployments/scale - statefulsets -# - statefulsets/scale + - statefulsets/scale verbs: - patch # Scale up and down - get # Retrieve info about specific dep - update # Scale up and down - list # Events - watch # Events - - apiGroups: - - apps - - "" - resources: - - deployments/scale - - statefulsets/scale - verbs: - - patch # Scale up and down - - update # Scale up and down - - get # Retrieve info about specific dep - - list # Events - - watch # Events--- --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -97,6 +89,24 @@ subjects: - kind: ServiceAccount name: sablier namespace: {{ traefik_namespace }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-traefik-to-sablier +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: sablier + ingress: + - ports: + - port: 10000 + from: + - podSelector: + matchLabels: + app.kubernetes.io/name: traefik + policyTypes: + - Ingress #--- #apiVersion: traefik.io/v1alpha1 #kind: Middleware 
@@ -104,11 +114,13 @@ subjects: # name: ondemand #spec: # plugin: -# group: default +# names: toto # Comma separated names of containers/services/deployments etc. +# group: default # Group name to use to filter by label, ignored if names is set # dynamic: -# displayName: My Title -# refreshFrequency: 5s -# showDetails: "true" -# theme: hacker-terminal -# sablierUrl: http://sablier.{{ traefik_namespace }}:10000 -# sessionDuration: 1m +# displayName: My Title # (Optional) Defaults to the middleware name +# refreshFrequency: 5s # (Optional) The loading page refresh frequency +# showDetails: "true" # (Optional) Set to true or false to show details specifcally for this middleware, unset to use Sablier server defaults +# theme: hacker-terminal # (Optional) The theme to use +# sablierUrl: http://sablier.{{ traefik_namespace }}:10000 # The sablier URL service, must be reachable from the Traefik instance +# sessionDuration: 1m # The session duration after which containers/services/deployments instances are shutdown + From 474c54804c1b24b52237e2ea56d7336db0c672d6 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 21 Oct 2024 09:34:25 +0200 Subject: [PATCH 60/88] Update Sabllier to version 1.8.1 --- templates/traefik-cm.yml.j2 | 2 +- templates/traefik-ondemand-plugin.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 4e4c154..5c2a44c 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -119,6 +119,6 @@ data: plugins: sablier: moduleName: github.com/acouvreur/sablier - version: v1.8.0 + version: v1.8.1 {% endif %} {% endif %} diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 87ce24b..61f0830 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 
@@ -18,7 +18,7 @@ spec: serviceAccount: sablier containers: - name: sablier - image: acouvreur/sablier:1.8.0 + image: acouvreur/sablier:1.8.1 args: - "start" - "--provider.name=kubernetes" From 77a7accd512a641af452f7a77c690af56e302b32 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 25 Oct 2024 01:20:38 +0200 Subject: [PATCH 61/88] Update Sablier to version 1.8.1 --- templates/traefik-helm-value.yaml.j2 | 4 ++-- templates/traefik-ondemand-plugin.yml.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 84df520..e2ab99d 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -145,8 +145,8 @@ experimental: {% if traefik_ondemand is defined %} plugins: sablier: - moduleName: "github.com/acouvreur/sablier" - version: "v1.8.0" + moduleName: "github.com/sablierapp/sablier" + version: "v1.8.1" {% endif %} kubernetesGateway: enabled: false diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 61f0830..6267efa 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -18,7 +18,7 @@ spec: serviceAccount: sablier containers: - name: sablier - image: acouvreur/sablier:1.8.1 + image: sablierapp/sablier:1.8.1 args: - "start" - "--provider.name=kubernetes" From c99b0c58ad7ceaed0895031b6ad8257f35b6d97c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 25 Oct 2024 09:56:21 +0200 Subject: [PATCH 62/88] Reduce sablier RBAC permission --- templates/traefik-ondemand-plugin.yml.j2 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 6267efa..b1de45a 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 
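Review bot: The `image: sablierapp/sablier:1.8.1` line in the second `@@ -18,7 +18,7 @@` hunk (patch 61/88) moves the container to a different registry namespace and still references it by tag only, so the cluster runs whatever that tag resolves to at pull time. This pod runs as the `sablier` service account, which holds scale rights on workloads, so pinning the digest is worth the extra characters: `image: sablierapp/sablier:1.8.1@sha256:<digest-from-registry>`. The same applies to the tag bump in the first hunk on this line and to the later bumps in patches 74/88 and 78/88. The container spec continues outside the hunk.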
@@ -67,8 +67,16 @@ rules: - "" resources: - deployments - - deployments/scale - statefulsets + verbs: + - get # Retrieve info about specific dep + - list # Events + - watch # Events + - apiGroups: + - apps + - "" + resources: + - deployments/scale - statefulsets/scale verbs: - patch # Scale up and down From 793b10fbaf3227ef71f5751a1c07186b32226e2a Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 29 Oct 2024 09:31:43 +0100 Subject: [PATCH 63/88] Update traefik to version 3.2.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6e92cda..caa315f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.1.6" +traefik_version: "3.2.0" traefik_helm_chart_version: "32.1.1" cluster_domain: "local" traefik_namespace: "traefik" From d99b5686b5c20a37390de979c945b201053f7b03 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 1 Nov 2024 15:24:24 +0100 Subject: [PATCH 64/88] Update traefik helm chart to version 33.0.0 --- defaults/main.yml | 2 +- tasks/main.yml | 13 +++++++++++++ templates/traefik-cm.yml.j2 | 3 ++- templates/traefik-helm-value.yaml.j2 | 20 ++++++++++++++++++-- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index caa315f..144a988 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.2.0" -traefik_helm_chart_version: "32.1.1" +traefik_helm_chart_version: "33.0.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer diff --git a/tasks/main.yml b/tasks/main.yml index 07f176b..46cad8c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
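Review bot: Both rules in this `@@ -67,8 +67,16 @@` hunk list the core group `""` next to `apps`, but `deployments` and `statefulsets` exist only under `apps`, so the `""` entry grants nothing and makes the role harder to audit; `- apps` alone is enough. The earlier patch on this page binds these rules through a `ClusterRoleBinding`, so presumably they sit in a ClusterRole and the scale permission reaches every namespace. If the on-demand workloads live in a known set of namespaces, a namespaced `Role` and `RoleBinding` per namespace would narrow that. The second rule's verb list continues past the end of the hunk.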
@@ -1,5 +1,18 @@ - name: traefik setup block: + - name: Deploy Traefik CRDs + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + definition: "{{ lookup('url', item , split_lines=False) | from_yaml_all }}" + with_items: +# - "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml" + - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" +# - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" +# ansible.builtin.command: > +# kubectl --context "{{ my_context }}" apply --server-side --force-conflicts -k +# https://github.com/traefik/traefik-helm-chart/tree/v{{ traefik_helm_chart_version }}/traefik/crds/ - name: namespace kubernetes.core.k8s: state: present diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 5c2a44c..7a58e79 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -37,7 +37,7 @@ data: http3: advertisedPort: 443 traefik: - address: ":9000/tcp" + address: ":8080/tcp" metrics: address: ":9100/tcp" {% if traefik_hub_token is defined %} @@ -81,6 +81,7 @@ data: {% if traefik_ondemand is defined %} allowEmptyServices: true {% endif%} + kubernetesGateway: {} file: directory: /etc/traefik/file/ watch: true diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index e2ab99d..0294e1a 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -148,8 +148,6 @@ experimental: moduleName: "github.com/sablierapp/sablier" version: "v1.8.1" {% endif %} - kubernetesGateway: - enabled: false {% if traefik_hub_token is defined %} hub: enabled: true 
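Review bot: The `Deploy Traefik CRDs` task added in the `@@ -1,5 +1,18 @@` hunk downloads its manifest at run time with `lookup('url', …)` from the `v3.2` ref of the traefik repository and applies it with `apply: true`, with no checksum and no fixed commit. CRDs are cluster-scoped, so whatever that URL serves on the day of the run is installed for the whole cluster. The `v3.2` ref looks like a release branch rather than a tag, and it is not derived from `traefik_version`. Vendoring the file into the role, or pointing at a release tag built from `traefik_version` and checking a known hash before applying, would make runs reproducible. Patch 75/88 on this page later replaces this task with a version-pinned chart.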
@@ -161,3 +159,21 @@ securityContext: readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault +{% if false %} +{% raw %} +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: "extra" + data: + something: "extra" + - | + apiVersion: v1 + kind: ConfigMap + metadata: + name: "templated" + data: + something: {{ printf "templated" }} +{% endraw %} +{% endif %} From 2fd697e6af1ebaa2298d64fc401823d3b754c97d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 2 Nov 2024 11:47:54 +0100 Subject: [PATCH 65/88] Add comment to enable prometheus rules --- templates/traefik-helm-value.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index 0294e1a..e5c7f22 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -129,6 +129,7 @@ metrics: # # namespace: "another-namespace" # # namespaceSelector: {} # prometheusRule: +# enabled: true # additionalLabels: {} # namespace: "{{ traefik_namespace }}" # rules: From b8c2999185569b2fed9a35b1945b46397b619e18 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 16 Nov 2024 13:31:36 +0100 Subject: [PATCH 66/88] Move external-dns annotation --- templates/traefik-helm-value.yaml.j2 | 4 ++++ templates/traefik-ingressroute.yml.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2 index e5c7f22..718ad26 100644 --- a/templates/traefik-helm-value.yaml.j2 +++ b/templates/traefik-helm-value.yaml.j2 @@ -16,6 +16,10 @@ service: - {{ external_ip }} {% endfor %} {% endif %} +{% if traefik_service_type == "LoadBalancer" %} + annotations: + external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }} +{% endif %} ingressRoute: dashboard: enabled: false diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2 index 93c07e5..7e27fde 100644 
--- a/templates/traefik-ingressroute.yml.j2 +++ b/templates/traefik-ingressroute.yml.j2 @@ -6,9 +6,9 @@ metadata: app: traefik annotations: kubernetes.io/ingress.class: traefik +{% if false %} external-dns.alpha.kubernetes.io/hostname: traefik.{{ cluster_domain }} external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP -{% if false %} # external-dns.alpha.kubernetes.io/endpoints-type: HostIP # external-dns.alpha.kubernetes.io/target: "1.2.3.4" From e55c12a65ad715c1b1211b06766c3f9e09b80593 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 16 Nov 2024 23:57:46 +0100 Subject: [PATCH 67/88] Fix sablier config --- templates/traefik-cm.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 7a58e79..10b18cf 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -119,7 +119,7 @@ data: {% if traefik_ondemand is defined %} plugins: sablier: - moduleName: github.com/acouvreur/sablier + moduleName: github.com/sablierapp/sablier version: v1.8.1 {% endif %} {% endif %} From d720b163956c737fe6481a1258d7b0e7b45550f0 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 20 Nov 2024 22:28:14 +0100 Subject: [PATCH 68/88] Update traefik to version 3.2.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 144a988..740572f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.2.0" +traefik_version: "3.2.1" traefik_helm_chart_version: "33.0.0" cluster_domain: "local" traefik_namespace: "traefik" From 8997b36ac9377fa61f53717a3cb7a61bf895536f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 11 Dec 2024 10:38:34 +0100 Subject: [PATCH 69/88] Update traefik helm chart to version 33.1.0 & traefik to version 3.2.2 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index 740572f..c6e7a18 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes -traefik_version: "3.2.1" -traefik_helm_chart_version: "33.0.0" +traefik_version: "3.2.2" +traefik_helm_chart_version: "33.1.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From c44b244662c8f06115037c37d948308f64601aa8 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 11 Dec 2024 14:56:31 +0100 Subject: [PATCH 70/88] Update traefik helm chart to version 33.2.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c6e7a18..f8193a4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.2.2" -traefik_helm_chart_version: "33.1.0" +traefik_helm_chart_version: "33.2.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From c6e526a87388ac9ef9026520d3982db86a5efebc Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 14 Dec 2024 11:01:45 +0100 Subject: [PATCH 71/88] Update traefik helm chart to version 33.2.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f8193a4..c049123 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.2.2" -traefik_helm_chart_version: "33.2.0" +traefik_helm_chart_version: "33.2.1" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From fdac47a9996ea31b5017775e0d64ebe5800351fd Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 17 Dec 2024 06:48:23 +0100 Subject: [PATCH 72/88] Update traefik to version 3.2.3 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c049123..cee1d86 100644 
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.2.2" +traefik_version: "3.2.3" traefik_helm_chart_version: "33.2.1" cluster_domain: "local" traefik_namespace: "traefik" From bfbf42d6eaee235ecffcee216c506e611dbe9246 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 11 Jan 2025 09:03:01 +0100 Subject: [PATCH 73/88] Update traefik to version 3.3.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cee1d86..a8fbe65 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.2.3" +traefik_version: "3.3.1" traefik_helm_chart_version: "33.2.1" cluster_domain: "local" traefik_namespace: "traefik" From 7b1dc133bc1dcfcf4ab9f46a29c8a2ec0cb9bda0 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 17 Jan 2025 08:07:22 +0100 Subject: [PATCH 74/88] Update sablier to version 1.8.2 --- templates/traefik-cm.yml.j2 | 2 +- templates/traefik-ondemand-plugin.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index 10b18cf..eef351c 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -120,6 +120,6 @@ data: plugins: sablier: moduleName: github.com/sablierapp/sablier - version: v1.8.1 + version: v1.8.2 {% endif %} {% endif %} diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index b1de45a..321e5e2 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -18,7 +18,7 @@ spec: serviceAccount: sablier containers: - name: sablier - image: sablierapp/sablier:1.8.1 + image: sablierapp/sablier:1.8.2 args: - "start" - "--provider.name=kubernetes" From 8e722e7bbdef230a061931e2c9a4748b4a167929 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Sat, 18 Jan 2025 13:21:01 +0100 Subject: [PATCH 75/88] Update traefik helm charts --- defaults/main.yml | 5 +++-- tasks/main.yml | 35 ++++++++++++++++++++++------------- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a8fbe65..54b4654 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ my_context: kubernetes -traefik_version: "3.3.1" -traefik_helm_chart_version: "33.2.1" +traefik_version: "3.3.2" +traefik_helm_chart_version: "34.1.0" +traefikcrds_helm_chart_version: "1.2.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer diff --git a/tasks/main.yml b/tasks/main.yml index 46cad8c..28b44c9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,18 +1,18 @@ - name: traefik setup block: - - name: Deploy Traefik CRDs - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - definition: "{{ lookup('url', item , split_lines=False) | from_yaml_all }}" - with_items: -# - "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml" - - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" -# - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" -# ansible.builtin.command: > -# kubectl --context "{{ my_context }}" apply --server-side --force-conflicts -k -# https://github.com/traefik/traefik-helm-chart/tree/v{{ traefik_helm_chart_version }}/traefik/crds/ +# - name: Deploy Traefik CRDs +# kubernetes.core.k8s: +# state: present +# context: "{{ my_context }}" +# apply: true +# definition: "{{ lookup('url', item , split_lines=False) | from_yaml_all }}" +# with_items: +## - "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml" +# - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" +## - "https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" +## ansible.builtin.command: > +## kubectl --context "{{ my_context }}" apply --server-side --force-conflicts -k +## https://github.com/traefik/traefik-helm-chart/tree/v{{ traefik_helm_chart_version }}/traefik/crds/ - name: namespace kubernetes.core.k8s: state: present 
@@ -119,6 +119,14 @@ kubernetes.core.helm_repository: name: traefik repo_url: "https://helm.traefik.io/traefik" + - name: Deploy Traefik CRDs + kubernetes.core.helm: + context: "{{ my_context }}" + name: traefik-crds + chart_ref: traefik/traefik-crds + chart_version: "{{ traefikcrds_helm_chart_version }}" + release_namespace: "{{ traefik_namespace }}" + create_namespace: true # - name: show templating results # ansible.builtin.debug: # msg: "{{ lookup('ansible.builtin.template', 'traefik-helm-value.yaml.j2') }}" @@ -130,6 +138,7 @@ chart_version: "{{ traefik_helm_chart_version }}" release_namespace: "{{ traefik_namespace }}" create_namespace: true + skip_crds: true values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}" - name: Install traefik configuration From 3072bf1b85d8ab148a02e172fe1b458e1a77f883 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 8 Feb 2025 13:05:46 +0100 Subject: [PATCH 76/88] Update traefik helm charts --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 54b4654..fd18d40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ my_context: kubernetes traefik_version: "3.3.2" -traefik_helm_chart_version: "34.1.0" -traefikcrds_helm_chart_version: "1.2.0" +traefik_helm_chart_version: "34.3.0" +traefikcrds_helm_chart_version: "1.3.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From 27f57467e533ae24a5bab728af5e551689aab7de Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 8 Feb 2025 13:09:33 +0100 Subject: [PATCH 77/88] Update traefik to version 3.3.3 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index fd18d40..60f411f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
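Review bot: The new `Deploy Traefik CRDs` task in the `@@ -119,6 +119,14 @@` hunk pins `chart_version`, but nothing visible here refreshes the local index of the `traefik` repository; the `helm_repository` task above it only registers the repo. On a control host that added the repo earlier, a newly bumped `traefikcrds_helm_chart_version` may not resolve until the index is updated. Adding `update_repo_cache: true` to this task covers that, and the same applies to the main chart task in the `@@ -130,6 +138,7 @@` hunk. Both tasks belong to a block that starts outside the hunk.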
@@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.3.2" +traefik_version: "3.3.3" traefik_helm_chart_version: "34.3.0" traefikcrds_helm_chart_version: "1.3.0" cluster_domain: "local" From 2e723a2e48fc6ef16399458f1e5c98a4e38a4a89 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 8 Feb 2025 13:37:26 +0100 Subject: [PATCH 78/88] Update sablier to version 1.8.3 --- defaults/main.yml | 2 ++ templates/traefik-cm.yml.j2 | 2 +- templates/traefik-ondemand-plugin.yml.j2 | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 60f411f..3953c9d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -25,3 +25,5 @@ basic_auth: false crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.3" + +traefik_sabblier_version: "1.8.3" diff --git a/templates/traefik-cm.yml.j2 b/templates/traefik-cm.yml.j2 index eef351c..c4b25ad 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/traefik-cm.yml.j2 @@ -120,6 +120,6 @@ data: plugins: sablier: moduleName: github.com/sablierapp/sablier - version: v1.8.2 + version: v{{ traefik_sabblier_version }} {% endif %} {% endif %} diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2 index 321e5e2..76fdb93 100644 --- a/templates/traefik-ondemand-plugin.yml.j2 +++ b/templates/traefik-ondemand-plugin.yml.j2 @@ -18,7 +18,7 @@ spec: serviceAccount: sablier containers: - name: sablier - image: sablierapp/sablier:1.8.2 + image: sablierapp/sablier:{{ traefik_sabblier_version }} args: - "start" - "--provider.name=kubernetes" From d54083e1056eb3055b4272f0aa6e67c91720acc1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 21 Feb 2025 22:56:39 +0100 Subject: [PATCH 79/88] Update sablier to version 1.8.5 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3953c9d..29140fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
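Review bot: Patch 78/88 introduces `traefik_sabblier_version` in `defaults/main.yml` and uses it in `traefik-cm.yml.j2` and `traefik-ondemand-plugin.yml.j2`, but none of the patches visible here updates the plugin entry in `traefik-helm-value.yaml.j2`, which patch 61/88 left at `version: "v1.8.1"`. If that values file is still rendered, the plugin and the Sablier server drift further apart on every bump. Use `version: "v{{ traefik_sabblier_version }}"` there as well. The variable name also misspells the product (`sabblier`); `traefik_sablier_version` would be easier to grep for, renamed in all three places in one commit.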
@@ -26,4 +26,4 @@ basic_auth: false crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.3" -traefik_sabblier_version: "1.8.3" +traefik_sabblier_version: "1.8.5" From d234920f99a5ff606312d8658ec298a9396eac90 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 21 Feb 2025 22:59:16 +0100 Subject: [PATCH 80/88] Update crds chart to version 1.4.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 29140fd..fec9b0b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ my_context: kubernetes traefik_version: "3.3.3" traefik_helm_chart_version: "34.3.0" -traefikcrds_helm_chart_version: "1.3.0" +traefikcrds_helm_chart_version: "1.4.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From 51c40370417064402fec2cce9f3af52f05a71264 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 21 Feb 2025 23:00:02 +0100 Subject: [PATCH 81/88] Update traefik helm chart to version 34.4.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index fec9b0b..66718bc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.3.3" -traefik_helm_chart_version: "34.3.0" +traefik_helm_chart_version: "34.4.0" traefikcrds_helm_chart_version: "1.4.0" cluster_domain: "local" traefik_namespace: "traefik" From a6846e75ab6e1341484ecac5eb7bd362381f38d5 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 26 Feb 2025 08:23:46 +0100 Subject: [PATCH 82/88] Update traefik to version 3.3.4 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 66718bc..ffa2adc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,5 +1,5 @@ my_context: kubernetes -traefik_version: "3.3.3" +traefik_version: "3.3.4" traefik_helm_chart_version: "34.4.0" traefikcrds_helm_chart_version: "1.4.0" cluster_domain: "local" From 3b63848dccd08e869b5771501721a66c982739fa Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 5 Mar 2025 08:06:58 +0100 Subject: [PATCH 83/88] Update traefik helm chart to version 34.4.1, traefik crds helm chart to 1.5.0 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ffa2adc..91b7339 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ my_context: kubernetes traefik_version: "3.3.4" -traefik_helm_chart_version: "34.4.0" -traefikcrds_helm_chart_version: "1.4.0" +traefik_helm_chart_version: "34.4.1" +traefikcrds_helm_chart_version: "1.5.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From cd264348aefa631c17751a2b47da486881d30324 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 5 Mar 2025 08:07:16 +0100 Subject: [PATCH 84/88] Update sablier to version 1.8.6 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 91b7339..6336e79 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,4 +26,4 @@ basic_auth: false crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.3" -traefik_sabblier_version: "1.8.5" +traefik_sabblier_version: "1.8.6" From fc938231222d67c58cc3d24bf5b837d46acc731a Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 2 Apr 2025 08:27:32 +0200 Subject: [PATCH 85/88] Update versions, traefik: 3.3.5; traefik crds: 1.6.0; traefik helm chart: 34.5.0 --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6336e79..3d4c631 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,7 +1,7 @@ my_context: kubernetes -traefik_version: "3.3.4" -traefik_helm_chart_version: "34.4.1" -traefikcrds_helm_chart_version: "1.5.0" +traefik_version: "3.3.5" +traefik_helm_chart_version: "34.5.0" +traefikcrds_helm_chart_version: "1.6.0" cluster_domain: "local" traefik_namespace: "traefik" traefik_service_type: LoadBalancer From 5c42a3ee2727482c6245758d88cedb9c5b34a05a Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 12 Apr 2025 14:32:07 +0200 Subject: [PATCH 86/88] Update traefik helm chart to version 35.0.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3d4c631..cfe6e31 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ my_context: kubernetes traefik_version: "3.3.5" -traefik_helm_chart_version: "34.5.0" +traefik_helm_chart_version: "35.0.0" traefikcrds_helm_chart_version: "1.6.0" cluster_domain: "local" traefik_namespace: "traefik" From 72c1cb7d9f7ed54d9634ece25112e6f0b74cee9c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 12 Apr 2025 14:33:13 +0200 Subject: [PATCH 87/88] Update sablier to version 1.9.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cfe6e31..e1bad80 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,4 +26,4 @@ basic_auth: false crowdsec_namespace: "crowdsec" crowdsec_traefik_bouncer_chart_version: "0.1.3" -traefik_sabblier_version: "1.8.6" +traefik_sabblier_version: "1.9.0" From 8e5db64b48b2abcfa279c9585fdd3db5b1156153 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 19 Apr 2025 11:14:34 +0200 Subject: [PATCH 88/88] Update traefik to version 3.3.6 & helm chart to version 35.0.1 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e1bad80..173d4a1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,6 +1,6 @@ my_context: kubernetes -traefik_version: "3.3.5" -traefik_helm_chart_version: "35.0.0" +traefik_version: "3.3.6" +traefik_helm_chart_version: "35.0.1" traefikcrds_helm_chart_version: "1.6.0" cluster_domain: "local" traefik_namespace: "traefik"