Reduce maintenance

defaults/main.yml

@@ -6,8 +6,8 @@ traefik_namespace: "traefik"
 #  - 10.96.0.0/12
 #  - 10.244.0.0/16
 #  - 192.168.0.0/24
-traefik_node_selector:
+#traefik_node_selector:
-  - localhost
+#  - localhost
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
 traefik_entrypoints:

tasks/main.yml

@@ -49,7 +49,7 @@
     k8s_info:
       context: "{{ my_context }}"
       api_version: v1
-      kind: Deployment
+      kind: DaemonSet
       name: traefik
       namespace: '{{ traefik_namespace }}'
       field_selectors:
@@ -71,6 +71,7 @@
     when:
       - not traefik_actual_version.stdout == "[]"
       - not traefik_version == traefik_actual_version.stdout
+      - traefik_actual_version.stdout is version(traefik_version, '>')
 
   - name: Install traefik version {{ traefik_version }}
     k8s:
@@ -80,6 +81,19 @@
       resource_definition: "{{ lookup('template', item) | from_yaml }}"
     with_items:
       - "{{ lookup('vars', 'traefik_' + traefik_version + '_list') }}"
+      - traefik-cm.yml.j2
+      - traefik-sa.yml.j2
+      - traefik-dp.yml.j2
+      - traefik-svc.yml.j2
+      - traefik-dashboard-svc.yml.j2
+      - traefik-middleware-httpsredirect.yml.j2
+      - traefik-middleware-basicauth.yml.j2
+      - traefik-middleware-headers.yml.j2
+      - traefik-tls-options.yml.j2
+      - traefik-dashboard.yml.j2
+      - traefik-dashboard-insecure.yml.j2
+      - traefik-ping.yml.j2
+
 
   - name: Define state of ipwhitelist middleware to present
     set_fact:

templates/2.0/traefik-cm.yml.j2

@@ -1,46 +0,0 @@
-apiVersion: v1
-data:
-  traefik.yaml: |
-    global:
-      checkNewVersion: true
-    serversTransport:
-      insecureSkipVerify: true
-    entryPoints:
-{% for traefik_entrypoint in traefik_entrypoints %}
-      {{ traefik_entrypoint.name }}:
-        address: :{{ traefik_entrypoint.port }}
-{% endfor %}
-    providers:
-      kubernetesCRD:
-        throttleDuration: 2s
-      kubernetesIngress: {}
-    metrics:
-      prometheus:
-        buckets:
-        - 0.1
-        - 0.3
-        - 1.2
-        - 5
-        entryPoint: traefik
-    ping:
-      entryPoint: traefik
-    api:
-      insecure: true
-      dashboard: true
-      debug: true
-    log:
-      level: DEBUG
-    accessLog:
-      format: json
-      fields:
-        names:
-          BackendAddr: keep
-          BackendName: keep
-          BackendURL: keep
-          FrontendName: keep
-kind: ConfigMap
-metadata:
-  labels:
-    app: traefik
-  name: traefik
-  namespace: traefik

templates/2.0/traefik-dashboard-insecure.yml.j2

@@ -1,39 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard-insecure
-  namespace: traefik
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - http
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-    middlewares:
-{% if ingress_whitelist is defined %}
-      - name: traefik-ipwhitelist
-{% endif %}
-      - name: https-only
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms

templates/2.0/traefik-dashboard-svc.yml.j2

@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: traefik
-  name: traefik-dashboard
-  namespace: traefik
-
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  - name: traefik
-    port: 8080
-    protocol: TCP
-  - protocol: TCP
-    port: 443
-    name: https
-    targetPort: 443
-  type: ClusterIP
-  selector:
-    app: traefik

templates/2.0/traefik-dashboard.yml.j2

@@ -1,48 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: traefik
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - https
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-{% if basic_auth is defined or ingress_whitelist is defined %}
-    middlewares:
-{% if basic_auth is defined %}
-      - name: basic-auth
-{% endif %}
-{% if ingress_whitelist is defined %}
-      - name: traefik-ipwhitelist
-{% endif %}
-{% endif %}
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms
-  tls:
-    secretName: wildcard-cluster
-    options:
-      name: default
-      namespace: {{ traefik_namespace }}

templates/2.0/traefik-dp.yml.j2

@@ -1,84 +0,0 @@
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  namespace: traefik
-  name: traefik
-  labels:
-    app: traefik
-
-spec:
-  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: traefik
-  template:
-    metadata:
-      labels:
-        app: traefik
-    spec:
-      serviceAccountName: traefik-ingress-controller
-      containers:
-        - name: traefik
-          image: traefik:{{ traefik_version_2_0 }}
-          args:
-            - --configfile=/config/traefik.yaml
-#          imagePullPolicy: IfNotPresent
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-              hostPort: 80
-            - name: https
-              containerPort: 443
-              protocol: TCP
-              hostPort: 443
-            - name: traefik
-              containerPort: 8080
-              protocol: TCP
-              hostPort: 8080
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: traefik
-            failureThreshold: 1
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: traefik
-            failureThreshold: 3
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          resources:
-            limits:
-              cpu: {{ traefik_cpu_limit }}
-              memory: {{ traefik_memory_limit }}
-            requests:
-              cpu: 100m
-              memory: 20Mi
-          volumeMounts:
-            - mountPath: /config
-              name: config
-{% if traefik_node_selector is defined %}
-      nodeSelector:
-        entrypoint: traefik
-{% endif %}
-      dnsPolicy: ClusterFirst
-      hostNetwork: false
-      restartPolicy: Always
-      terminationGracePeriodSeconds: 1
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      volumes:
-        - configMap:
-            defaultMode: 420
-            name: traefik
-          name: config

templates/2.0/traefik-middleware-basicauth.yml.j2

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: basic-auth
-  namespace: traefik
-spec:
-  basicAuth:
-    secret: basic-auth

templates/2.0/traefik-middleware-httpsredirect.yml.j2

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: https-only
-  namespace: traefik
-spec:
-  redirectScheme:
-    scheme: https

templates/2.0/traefik-middleware-ipwhitelist.yml.j2

@@ -1,11 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-ipwhitelist
-  namespace: traefik
-spec:
-  ipWhiteList:
-    sourceRange:
-{% for acl_whitelist in ingress_whitelist %}
-      - {{ acl_whitelist }}
-{% endfor %}

templates/2.0/traefik-ping.yml.j2

@@ -1,39 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-ping
-  namespace: traefik
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - https
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 14
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms
-  tls:
-    secretName: wildcard-cluster
-    options:
-      name: default
-      namespace: {{ traefik_namespace }}

templates/2.0/traefik-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: traefik
-  name: traefik-ingress-controller

templates/2.0/traefik-svc.yml.j2

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: traefik
-  name: traefik
-  namespace: traefik
-
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  - protocol: TCP
-    port: 443
-    name: https
-    targetPort: 443
-  type: LoadBalancer
-  selector:
-    app: traefik

templates/2.0/traefik-tls-options.yml.j2

@@ -1,15 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: default
-  namespace: traefik
-
-spec:
-  sniStrict: true
-  minVersion: VersionTLS12
-  cipherSuites:
-    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

templates/2.1/traefik-cm.yml.j2

@@ -1,48 +0,0 @@
-apiVersion: v1
-data:
-  traefik.yaml: |
-    global:
-      checkNewVersion: true
-    serversTransport:
-      insecureSkipVerify: true
-    entryPoints:
-{% for traefik_entrypoint in traefik_entrypoints %}
-      {{ traefik_entrypoint.name }}:
-        address: :{{ traefik_entrypoint.port }}
-{% endfor %}
-    providers:
-      kubernetesCRD:
-        ingressClass: "traefik"
-        throttleDuration: 2s
-      kubernetesIngress:
-        ingressClass: "traefik"
-    metrics:
-      prometheus:
-        buckets:
-        - 0.1
-        - 0.3
-        - 1.2
-        - 5
-        entryPoint: traefik
-    ping:
-      entryPoint: traefik
-    api:
-      insecure: true
-      dashboard: true
-      debug: true
-    log:
-      level: DEBUG
-    accessLog:
-      format: json
-      fields:
-        names:
-          BackendAddr: keep
-          BackendName: keep
-          BackendURL: keep
-          FrontendName: keep
-kind: ConfigMap
-metadata:
-  labels:
-    app: traefik
-  name: traefik
-  namespace: {{ traefik_namespace }}

templates/2.1/traefik-dp.yml.j2

@@ -1,94 +0,0 @@
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  namespace: {{ traefik_namespace }}
-  name: traefik
-  labels:
-    app: traefik
-
-spec:
-  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: traefik
-  template:
-    metadata:
-      labels:
-        app: traefik
-    spec:
-      serviceAccountName: traefik-ingress-controller
-      containers:
-        - name: traefik
-          image: traefik:{{ traefik_version_2_1 }}
-          args:
-            - --configfile=/config/traefik.yaml
-#          imagePullPolicy: IfNotPresent
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-              hostPort: 80
-            - name: https
-              containerPort: 443
-              protocol: TCP
-              hostPort: 443
-            - name: traefik
-              containerPort: 8080
-              protocol: TCP
-              hostPort: 8080
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: traefik
-            failureThreshold: 1
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: traefik
-            failureThreshold: 3
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-          resources:
-            limits:
-              cpu: {{ traefik_cpu_limit }}
-              memory: {{ traefik_memory_limit }}
-            requests:
-              cpu: 100m
-              memory: 20Mi
-          volumeMounts:
-            - mountPath: /config
-              name: config
-{% if traefik_node_selector is defined %}
-      nodeSelector:
-        flaminem.com/entrypoint: traefik
-{% endif %}
-      dnsPolicy: ClusterFirst
-{% if my_context == "flamykube" %}
-      hostNetwork: true
-{% else %}
-      hostNetwork: false
-{% endif %}
-      restartPolicy: Always
-      terminationGracePeriodSeconds: 1
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      volumes:
-        - configMap:
-            defaultMode: 420
-            name: traefik
-          name: config

templates/2.1/traefik-middleware-headers.yml.j2

@@ -1,31 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: security-headers
-  namespace: {{ traefik_namespace }}
-spec:
-  headers:
-    browserXssFilter: "true"
-    contentTypeNosniff: "true"
-    forceSTSHeader: "true"
-    frameDeny = "true"
-    stsIncludeSubdomains: "true"
-    stsPreload: "true"
-    stsSeconds: "15768000"
-    sslRedirect: "true"
-    contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
-    customFrameOptionsValue: "SAMEORIGIN"
-    referrerPolicy = "same-origin"
-    featurePolicy = "vibrate 'self'"
-
-    # CORS
-    accessControlAllowMethods:
-      - "GET"
-      - "OPTIONS"
-      - "PUT"
-    accessControlAllowOrigin = "origin-list-or-null"
-#    accessControlAllowOriginList:
-#      - "https://foo.bar.org"
-#      - "https://example.org"
-    accessControlMaxAge: 100
-    addVaryHeader: "true"

templates/2.1/traefik-middleware-ipwhitelist.yml.j2

@@ -1,11 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-ipwhitelist
-  namespace: {{ traefik_namespace }}
-spec:
-  ipWhiteList:
-    sourceRange:
-{% for acl_whitelist in ingress_whitelist %}
-      - {{ acl_whitelist }}
-{% endfor %}

templates/2.2/traefik-dashboard-insecure.yml.j2

@@ -1,39 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard-insecure
-  namespace: {{ traefik_namespace }}
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - http
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-    middlewares:
-{% if ingress_whitelist is defined %}
-      - name: traefik-ipwhitelist
-{% endif %}
-      - name: https-only
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms

templates/2.2/traefik-dashboard-svc.yml.j2

@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: traefik
-  name: traefik-dashboard
-  namespace: {{ traefik_namespace }}
-
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  - name: traefik
-    port: 8080
-    protocol: TCP
-  - protocol: TCP
-    port: 443
-    name: https
-    targetPort: 443
-  type: ClusterIP
-  selector:
-    app: traefik

templates/2.2/traefik-dashboard.yml.j2

@@ -1,50 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: {{ traefik_namespace }}
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - https
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-{% if basic_auth is defined or ingress_whitelist is defined %}
-    middlewares:
-{% if ingress_whitelist is defined %}
-      - name: traefik-ipwhitelist
-{% endif %}
-{% if basic_auth is defined %}
-      - name: basic-auth
-{% endif %}
-{% endif %}
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms
-  tls:
-    store:
-      name: default
-      namespace: {{ traefik_namespace }}
-    options:
-      name: default
-      namespace: {{ traefik_namespace }}

templates/2.2/traefik-middleware-basicauth.yml.j2

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: basic-auth
-  namespace: {{ traefik_namespace }}
-spec:
-  basicAuth:
-    secret: basic-auth

templates/2.2/traefik-middleware-httpsredirect.yml.j2

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: https-only
-  namespace: {{ traefik_namespace }}
-spec:
-  redirectScheme:
-    scheme: https

templates/2.2/traefik-ping.yml.j2

@@ -1,39 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-ping
-  namespace: {{ traefik_namespace }}
-  labels:
-    app: traefik
-
-spec:
-  entryPoints:
-    - https
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 14
-    services:
-    - name: traefik-dashboard
-      port: 8080
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms
-  tls:
-    secretName: wildcard-cluster
-    options:
-      name: default
-      namespace: {{ traefik_namespace }}

templates/2.2/traefik-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: {{ traefik_namespace }}
-  name: traefik-ingress-controller

templates/2.2/traefik-svc.yml.j2

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: traefik
-  name: traefik
-  namespace: {{ traefik_namespace }}
-
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  - protocol: TCP
-    port: 443
-    name: https
-    targetPort: 443
-  type: LoadBalancer
-  selector:
-    app: traefik

templates/2.2/traefik-tls-options.yml.j2

@@ -1,16 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: default
-  namespace: {{ traefik_namespace }}
-
-spec:
-  sniStrict: true
-  minVersion: VersionTLS12
-  cipherSuites:
-    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-  curvePreferences:
-    - CurveP521
-    - CurveP384

templates/traefik-cm.yml.j2

@@ -31,7 +31,7 @@ data:
       dashboard: true
       debug: true
     log:
-      level: DEBUG
+      level: WARN
     accessLog:
       format: json
       fields:

templates/traefik-dp.yml.j2

@@ -1,4 +1,4 @@
-kind: Deployment
+kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   namespace: {{ traefik_namespace }}
@@ -7,7 +7,7 @@ metadata:
     app: traefik
 
 spec:
-  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
+#  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
   strategy:
     type: Recreate
   selector:
@@ -21,23 +21,17 @@ spec:
       serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
-          image: traefik:{{ traefik_version_2_2 }}
+          image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_') ) }}
           args:
             - --configfile=/config/traefik.yaml
 #          imagePullPolicy: IfNotPresent
           ports:
-            - name: http
+{% for traefik_entrypoint in traefik_entrypoints %}
-              containerPort: 80
+            - name: {{ traefik_entrypoint.name }}
-              protocol: TCP
+              containerPort: {{ traefik_entrypoint.port }}
-              hostPort: 80
+              protocol: {{ traefik_entrypoint.proto }}
-            - name: https
+              hostPort: {{ traefik_entrypoint.port }}
-              containerPort: 443
+{% endfor %}
-              protocol: TCP
-              hostPort: 443
-            - name: traefik
-              containerPort: 8080
-              protocol: TCP
-              hostPort: 8080
           readinessProbe:
             httpGet:
               path: /ping

templates/traefik-middleware-headers.yml.j2

@@ -8,22 +8,22 @@ spec:
     browserXssFilter: "true"
     contentTypeNosniff: "true"
     forceSTSHeader: "true"
-    frameDeny = "true"
+    frameDeny: "true"
     stsIncludeSubdomains: "true"
     stsPreload: "true"
     stsSeconds: "15768000"
     sslRedirect: "true"
-    contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+    contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
     customFrameOptionsValue: "SAMEORIGIN"
-    referrerPolicy = "same-origin"
+    referrerPolicy: "same-origin"
-    featurePolicy = "vibrate 'self'"
+    featurePolicy: "vibrate 'self'"
 
     # CORS
     accessControlAllowMethods:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOrigin: "origin-list-or-null"
     #accessControlAllowOriginList:
     #  - "https://foo.bar.org"
     #  - "https://example.org"

templates/traefik-middleware-ipwhitelist.yml.j2

@@ -6,6 +6,8 @@ metadata:
 spec:
   ipWhiteList:
     sourceRange:
+{% if ingress_whitelist is defined %}
 {% for acl_whitelist in ingress_whitelist %}
       - {{ acl_whitelist }}
 {% endfor %}
+{% endif %}

vars/main.yml

@@ -1,27 +1,14 @@
 traefik_version_2_0: 2.0.7
 traefik_2.0_list:
-  - 2.0/traefik-cm.yml.j2
-  - 2.0/traefik-sa.yml.j2
   - 2.0/traefik-clusterrole.yml.j2
   - 2.0/traefik-clusterrolebinding.yml.j2
   - 2.0/traefik-crd-ingressroute.yml.j2
   - 2.0/traefik-crd-ingressroutetcp.yml.j2
   - 2.0/traefik-crd-middleware.yml.j2
   - 2.0/traefik-crd-tlsoption.yml.j2
-  - 2.0/traefik-dp.yml.j2
-  - 2.0/traefik-svc.yml.j2
-  - 2.0/traefik-dashboard-svc.yml.j2
-  - 2.0/traefik-middleware-httpsredirect.yml.j2
-  - 2.0/traefik-middleware-basicauth.yml.j2
-  - 2.0/traefik-tls-options.yml.j2
-  - 2.0/traefik-dashboard.yml.j2
-  - 2.0/traefik-dashboard-insecure.yml.j2
-  - 2.0/traefik-ping.yml.j2
 
 traefik_version_2_1: 2.1.9
 traefik_2.1_list:
-  - 2.1/traefik-cm.yml.j2
-  - 2.1/traefik-sa.yml.j2
   - 2.1/traefik-clusterrole.yml.j2
   - 2.1/traefik-clusterrolebinding.yml.j2
   - 2.1/traefik-crd-ingressroute.yml.j2
@@ -29,16 +16,6 @@ traefik_2.1_list:
   - 2.1/traefik-crd-middleware.yml.j2
   - 2.1/traefik-crd-tlsoption.yml.j2
   - 2.1/traefik-crd-traefikservice.yml.j2
-  - 2.1/traefik-dp.yml.j2
-  - 2.1/traefik-svc.yml.j2
-  - 2.1/traefik-dashboard-svc.yml.j2
-  - 2.1/traefik-middleware-httpsredirect.yml.j2
-  - 2.1/traefik-middleware-basicauth.yml.j2
-  - 2.1/traefik-middleware-headers.yml.j2
-  - 2.1/traefik-tls-options.yml.j2
-  - 2.1/traefik-dashboard.yml.j2
-  - 2.1/traefik-dashboard-insecure.yml.j2
-  - 2.1/traefik-ping.yml.j2
 
 traefik_version_2_2: 2.2.4
 traefik_2.2_list:
@@ -49,17 +26,5 @@ traefik_2.2_list:
   - 2.2/traefik-crd-tlsoptions.yml.j2
   - 2.2/traefik-crd-tlsstores.yml.j2
   - 2.2/traefik-crd-traefikservices.yml.j2
-  - 2.2/traefik-cm.yml.j2
-  - 2.2/traefik-sa.yml.j2
   - 2.2/traefik-clusterrole.yml.j2
   - 2.2/traefik-clusterrolebinding.yml.j2
-  - 2.2/traefik-dp.yml.j2
-  - 2.2/traefik-svc.yml.j2
-  - 2.2/traefik-dashboard-svc.yml.j2
-  - 2.2/traefik-middleware-httpsredirect.yml.j2
-  - 2.2/traefik-middleware-basicauth.yml.j2
-  - 2.2/traefik-middleware-headers.yml.j2
-  - 2.2/traefik-tls-options.yml.j2
-  - 2.2/traefik-dashboard.yml.j2
-  - 2.2/traefik-dashboard-insecure.yml.j2
-  - 2.2/traefik-ping.yml.j2