diff --git a/defaults/main.yml b/defaults/main.yml index 00d6147..7ea0c32 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ traefik_namespace: "traefik" # - 10.96.0.0/12 # - 10.244.0.0/16 # - 192.168.0.0/24 -#traefik_node_selector: -# - localhost +traefik_node_selector: + - localhost traefik_cpu_limit: 500m traefik_memory_limit: 300Mi traefik_entrypoints: diff --git a/tasks/main.yml b/tasks/main.yml index a6708ad..4194da7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -49,7 +49,7 @@ k8s_info: context: "{{ my_context }}" api_version: v1 - kind: DaemonSet + kind: Deployment name: traefik namespace: '{{ traefik_namespace }}' field_selectors: @@ -71,7 +71,6 @@ when: - not traefik_actual_version.stdout == "[]" - not traefik_version == traefik_actual_version.stdout - - traefik_actual_version.stdout is version(traefik_version, '>') - name: Install traefik version {{ traefik_version }} k8s: @@ -81,19 +80,6 @@ resource_definition: "{{ lookup('template', item) | from_yaml }}" with_items: - "{{ lookup('vars', 'traefik_' + traefik_version + '_list') }}" - - traefik-cm.yml.j2 - - traefik-sa.yml.j2 - - traefik-dp.yml.j2 - - traefik-svc.yml.j2 - - traefik-dashboard-svc.yml.j2 - - traefik-middleware-httpsredirect.yml.j2 - - traefik-middleware-basicauth.yml.j2 - - traefik-middleware-headers.yml.j2 - - traefik-tls-options.yml.j2 - - traefik-dashboard.yml.j2 - - traefik-dashboard-insecure.yml.j2 - - traefik-ping.yml.j2 - - name: Define state of ipwhitelist middleware to present set_fact: diff --git a/templates/2.0/traefik-cm.yml.j2 b/templates/2.0/traefik-cm.yml.j2 new file mode 100644 index 0000000..e830531 --- /dev/null +++ b/templates/2.0/traefik-cm.yml.j2 
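Review bot: Uncommenting `traefik_node_selector:` / `- localhost` ships a default whose entries are never used as a selector: the Deployment templates on this page read only `traefik_node_selector|length` for `replicas` and then apply a fixed `nodeSelector` label (`entrypoint: traefik` in 2.0/traefik-dp.yml.j2, `flaminem.com/entrypoint: traefik` in 2.2/traefik-dp.yml.j2), so the value `localhost` constrains nothing. With host ports 80/443/8080 and `strategy: Recreate`, a replica count above the number of nodes carrying that label leaves pods Pending. Either document the semantics above the key, `# one entry per node labelled for traefik; only the list length is used (replicas)`, or leave it commented out as before so the single-replica default stays explicit.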
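Review bot: Dropping `- traefik_actual_version.stdout is version(traefik_version, '>')` widens the `when:` to any mismatch between the deployed and the requested version, so the task (its name is above the hunk) now also fires when the running Traefik is newer than `traefik_version`. If that task removes or replaces the release, a stale inventory value becomes a silent downgrade rather than a no-op; if that widening is intended, say so next to the condition, e.g. `# runs on any version mismatch, including downgrades`. The `name: Install traefik ...` task below is unaffected, but it now depends entirely on the per-version list in vars/main.yml being complete.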
@@ -0,0 +1,46 @@
+apiVersion: v1
+data:
+ traefik.yaml: |
+ global:
+ checkNewVersion: true
+ serversTransport:
+ insecureSkipVerify: true
+ entryPoints:
+{% for traefik_entrypoint in traefik_entrypoints %}
+ {{ traefik_entrypoint.name }}:
+ address: :{{ traefik_entrypoint.port }}
+{% endfor %}
+ providers:
+ kubernetesCRD:
+ throttleDuration: 2s
+ kubernetesIngress: {}
+ metrics:
+ prometheus:
+ buckets:
+ - 0.1
+ - 0.3
+ - 1.2
+ - 5
+ entryPoint: traefik
+ ping:
+ entryPoint: traefik
+ api:
+ insecure: true
+ dashboard: true
+ debug: true
+ log:
+ level: DEBUG
+ accessLog:
+ format: json
+ fields:
+ names:
+ BackendAddr: keep
+ BackendName: keep
+ BackendURL: keep
+ FrontendName: keep
+kind: ConfigMap
+metadata:
+ labels:
+ app: traefik
+ name: traefik
+ namespace: traefik
diff --git a/templates/2.0/traefik-dashboard-insecure.yml.j2 b/templates/2.0/traefik-dashboard-insecure.yml.j2
new file mode 100644
index 0000000..9b64270
--- /dev/null
+++ b/templates/2.0/traefik-dashboard-insecure.yml.j2
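Review bot: The static configuration turns on `api.insecure: true`, `log.level: DEBUG` and `serversTransport.insecureSkipVerify: true` together, and the 2.2 ConfigMap (L12) repeats all three. `insecure: true` serves the API and dashboard without authentication on the `traefik` entrypoint, which 2.0/traefik-dp.yml.j2 publishes with `hostPort: 8080` on every node the pod lands on, so the basic-auth/whitelist middlewares on the IngressRoute protect only the path through entrypoint `https`, not the node port. Consider `insecure: false` with the dashboard reached solely through the IngressRoute (`api@internal`), no host port for 8080, `level: WARN` as the 2.1 ConfigMap had before this change, and a role variable defaulting `insecureSkipVerify` to false with a comment on why backend certificate checks are off. `namespace: traefik` is also hard-coded here and in the other 2.0 templates while tasks/main.yml queries `'{{ traefik_namespace }}'`, so a non-default namespace makes the version lookup and the install disagree.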
@@ -0,0 +1,39 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard-insecure
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - http
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 12
+ middlewares:
+{% if ingress_whitelist is defined %}
+ - name: traefik-ipwhitelist
+{% endif %}
+ - name: https-only
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
diff --git a/templates/2.0/traefik-dashboard-svc.yml.j2 b/templates/2.0/traefik-dashboard-svc.yml.j2
new file mode 100644
index 0000000..2091a13
--- /dev/null
+++ b/templates/2.0/traefik-dashboard-svc.yml.j2
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: traefik
+ name: traefik-dashboard
+ namespace: traefik
+
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: traefik
+ port: 8080
+ protocol: TCP
+ - protocol: TCP
+ port: 443
+ name: https
+ targetPort: 443
+ type: ClusterIP
+ selector:
+ app: traefik
diff --git a/templates/2.0/traefik-dashboard.yml.j2 b/templates/2.0/traefik-dashboard.yml.j2
new file mode 100644
index 0000000..d1f503b
--- /dev/null
+++ b/templates/2.0/traefik-dashboard.yml.j2
@@ -0,0 +1,48 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - https
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 12
+{% if basic_auth is defined or ingress_whitelist is defined %}
+ middlewares:
+{% if basic_auth is defined %}
+ - name: basic-auth
+{% endif %}
+{% if ingress_whitelist is defined %}
+ - name: traefik-ipwhitelist
+{% endif %}
+{% endif %}
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
+ tls:
+ secretName: wildcard-cluster
+ options:
+ name: default
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.0/traefik-dp.yml.j2 b/templates/2.0/traefik-dp.yml.j2
new file mode 100644
index 0000000..11209c3
--- /dev/null
+++ b/templates/2.0/traefik-dp.yml.j2
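Review bot: When neither `basic_auth` nor `ingress_whitelist` is defined, the outer `{% if ... %}` emits no `middlewares:` at all, so this IngressRoute forwards `Host(traefik.{{ traefik_domain }})` on entrypoint `https` to the API port with no authentication and no source restriction; 2.2/traefik-dashboard.yml.j2 (L14) has the same shape. Because the insecure-http route redirects to this one, that is the default exposure for anyone who sets only `traefik_domain`. Either make `- name: basic-auth` unconditional (and require the `basic-auth` Secret to exist), or add an `assert` task in tasks/main.yml that fails the play unless at least one of the two variables is set, with a comment here stating which. Ordering also differs between versions: here `basic-auth` precedes `traefik-ipwhitelist`, while the 2.2 template whitelists first, which is the cheaper check to reject on.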
@@ -0,0 +1,84 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: traefik
+ name: traefik
+ labels:
+ app: traefik
+
+spec:
+ replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %}
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ containers:
+ - name: traefik
+ image: traefik:{{ traefik_version_2_0 }}
+ args:
+ - --configfile=/config/traefik.yaml
+# imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ hostPort: 80
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ hostPort: 443
+ - name: traefik
+ containerPort: 8080
+ protocol: TCP
+ hostPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: traefik
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: traefik
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ resources:
+ limits:
+ cpu: {{ traefik_cpu_limit }}
+ memory: {{ traefik_memory_limit }}
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ volumeMounts:
+ - mountPath: /config
+ name: config
+{% if traefik_node_selector is defined %}
+ nodeSelector:
+ entrypoint: traefik
+{% endif %}
+ dnsPolicy: ClusterFirst
+ hostNetwork: false
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 1
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: traefik
+ name: config
diff --git a/templates/2.0/traefik-middleware-basicauth.yml.j2 b/templates/2.0/traefik-middleware-basicauth.yml.j2
new file mode 100644
index 0000000..2b3ff9f
--- /dev/null
+++ b/templates/2.0/traefik-middleware-basicauth.yml.j2
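Review bot: The 2.0 Deployment has no container `securityContext`, whereas 2.2/traefik-dp.yml.j2 (L15) drops all capabilities and adds back only `NET_BIND_SERVICE`; 2.1/traefik-dp.yml.j2 (L9) lacks it too. Both older templates bind host ports 80/443/8080 and tolerate every `NoSchedule` taint (`operator: Exists`), so the pod may be scheduled onto control-plane nodes with the runtime's full default capability set. Carry the same block into the 2.0 and 2.1 templates, and put a comment on the toleration stating that landing on tainted nodes is intended, if it is.
```yaml
          # … unchanged: livenessProbe …
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          resources:
```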
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-auth
+ namespace: traefik
+spec:
+ basicAuth:
+ secret: basic-auth
\ No newline at end of file
diff --git a/templates/2.0/traefik-middleware-httpsredirect.yml.j2 b/templates/2.0/traefik-middleware-httpsredirect.yml.j2
new file mode 100644
index 0000000..812c1a4
--- /dev/null
+++ b/templates/2.0/traefik-middleware-httpsredirect.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: https-only
+ namespace: traefik
+spec:
+ redirectScheme:
+ scheme: https
\ No newline at end of file
diff --git a/templates/2.0/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2
new file mode 100644
index 0000000..00ee429
--- /dev/null
+++ b/templates/2.0/traefik-middleware-ipwhitelist.yml.j2
@@ -0,0 +1,11 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-ipwhitelist
+ namespace: traefik
+spec:
+ ipWhiteList:
+ sourceRange:
+{% for acl_whitelist in ingress_whitelist %}
+ - {{ acl_whitelist }}
+{% endfor %}
diff --git a/templates/2.0/traefik-ping.yml.j2 b/templates/2.0/traefik-ping.yml.j2
new file mode 100644
index 0000000..eff1623
--- /dev/null
+++ b/templates/2.0/traefik-ping.yml.j2
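Review bot: `- {{ acl_whitelist }}` in the ipwhitelist Middleware is rendered unquoted, so the YAML parser rather than Traefik decides the type of each `sourceRange` entry; a CIDR such as `10.96.0.0/12` happens to stay a string, but the safe convention for templated scalars is `- "{{ acl_whitelist }}"`, here and in 2.1/traefik-middleware-ipwhitelist.yml.j2 (L11). The loop also assumes `ingress_whitelist` is defined, and none of the per-version lists in vars/main.yml includes this template, so presumably the separate "Define state of ipwhitelist middleware" task in tasks/main.yml renders it under its own guard — a one-line header comment saying so would make that dependency visible. The basic-auth Middleware points at `secret: basic-auth`, which nothing in this diff creates; document that the operator must pre-create that Secret in the traefik namespace before enabling `basic_auth`.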
@@ -0,0 +1,39 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-ping
+ namespace: traefik
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - https
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 14
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
+ tls:
+ secretName: wildcard-cluster
+ options:
+ name: default
+ namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/2.0/traefik-sa.yml.j2 b/templates/2.0/traefik-sa.yml.j2
new file mode 100644
index 0000000..16505c8
--- /dev/null
+++ b/templates/2.0/traefik-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: traefik
+ name: traefik-ingress-controller
diff --git a/templates/2.0/traefik-svc.yml.j2 b/templates/2.0/traefik-svc.yml.j2
new file mode 100644
index 0000000..afff84c
--- /dev/null
+++ b/templates/2.0/traefik-svc.yml.j2
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik + namespace: traefik + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: LoadBalancer + selector: + app: traefik diff --git a/templates/2.0/traefik-tls-options.yml.j2 b/templates/2.0/traefik-tls-options.yml.j2 new file mode 100644 index 0000000..a37696e --- /dev/null +++ b/templates/2.0/traefik-tls-options.yml.j2 @@ -0,0 +1,15 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: traefik + +spec: + sniStrict: true + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA diff --git a/templates/traefik-cm.yml.j2 b/templates/2.1/traefik-cm.yml.j2 similarity index 98% rename from templates/traefik-cm.yml.j2 rename to templates/2.1/traefik-cm.yml.j2 index 3b1ce68..3ccb24a 100644 --- a/templates/traefik-cm.yml.j2 +++ b/templates/2.1/traefik-cm.yml.j2 @@ -31,7 +31,7 @@ data: dashboard: true debug: true log: - level: WARN + level: DEBUG accessLog: format: json fields: diff --git a/templates/traefik-dashboard-insecure.yml.j2 b/templates/2.1/traefik-dashboard-insecure.yml.j2 similarity index 100% rename from templates/traefik-dashboard-insecure.yml.j2 rename to templates/2.1/traefik-dashboard-insecure.yml.j2 diff --git a/templates/traefik-dashboard-svc.yml.j2 b/templates/2.1/traefik-dashboard-svc.yml.j2 similarity index 100% rename from templates/traefik-dashboard-svc.yml.j2 rename to templates/2.1/traefik-dashboard-svc.yml.j2 diff --git a/templates/traefik-dashboard.yml.j2 b/templates/2.1/traefik-dashboard.yml.j2 similarity index 100% rename from templates/traefik-dashboard.yml.j2 rename to templates/2.1/traefik-dashboard.yml.j2 
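Review bot: The 2.0 TLSOption lists `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, the two CBC/SHA-1 suites that the 2.2 TLSOption (L18) leaves out; with `minVersion: VersionTLS12` on both there is no obvious compatibility reason to keep them in one version directory only. Drop the two lines, or add a comment above `cipherSuites:` naming the client that still needs them so the difference is deliberate rather than drift.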
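Review bot: `level: WARN` → `level: DEBUG` in 2.1/traefik-cm.yml.j2 changes the shipped default for every 2.1 install, and the new 2.0 and 2.2 ConfigMaps carry DEBUG as well. Debug output is far more verbose than WARN and, with `accessLog` already on, grows the log volume and the detail about routed requests that ends up in whatever collects pod logs; it reads like a troubleshooting setting that was committed. Make the level a role variable defaulting to WARN (a `traefik_log_level` default is the natural shape) so DEBUG is opted into per host rather than baked into the template.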
diff --git a/templates/traefik-dp.yml.j2 b/templates/2.1/traefik-dp.yml.j2 similarity index 78% rename from templates/traefik-dp.yml.j2 rename to templates/2.1/traefik-dp.yml.j2 index 9cdec37..5aef66e 100644 --- a/templates/traefik-dp.yml.j2 +++ b/templates/2.1/traefik-dp.yml.j2 @@ -1,4 +1,4 @@ -kind: DaemonSet +kind: Deployment apiVersion: apps/v1 metadata: namespace: {{ traefik_namespace }} @@ -7,7 +7,7 @@ metadata: app: traefik spec: -# replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} + replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} strategy: type: Recreate selector: @@ -21,17 +21,23 @@ spec: serviceAccountName: traefik-ingress-controller containers: - name: traefik - image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_') ) }} + image: traefik:{{ traefik_version_2_1 }} args: - --configfile=/config/traefik.yaml # imagePullPolicy: IfNotPresent ports: -{% for traefik_entrypoint in traefik_entrypoints %} - - name: {{ traefik_entrypoint.name }} - containerPort: {{ traefik_entrypoint.port }} - protocol: {{ traefik_entrypoint.proto }} - hostPort: {{ traefik_entrypoint.port }} -{% endfor %} + - name: http + containerPort: 80 + protocol: TCP + hostPort: 80 + - name: https + containerPort: 443 + protocol: TCP + hostPort: 443 + - name: traefik + containerPort: 8080 + protocol: TCP + hostPort: 8080 readinessProbe: httpGet: path: /ping diff --git a/templates/traefik-middleware-basicauth.yml.j2 b/templates/2.1/traefik-middleware-basicauth.yml.j2 similarity index 100% rename from templates/traefik-middleware-basicauth.yml.j2 rename to templates/2.1/traefik-middleware-basicauth.yml.j2 
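Review bot: The ports block no longer iterates `traefik_entrypoints`, while the ConfigMap templates still build `entryPoints` from that variable (the 2.0 and 2.2 versions are visible on this page), so an entrypoint added through `traefik_entrypoints` gets a listener inside Traefik but no `containerPort`/`hostPort`, and renaming the `traefik` entrypoint leaves the probes' `port: traefik` dangling. If the fixed http/https/traefik trio is intended, defaults/main.yml should document that `traefik_entrypoints` must keep those three names and ports; otherwise restore the loop, which also carried the per-entrypoint `proto`. The `replicas:` line that was uncommented in the hunk above depends on the same `traefik_node_selector` variable discussed on defaults/main.yml, and the Deployment spec continues past the end of this hunk.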
diff --git a/templates/traefik-middleware-headers.yml.j2 b/templates/2.1/traefik-middleware-headers.yml.j2 similarity index 62% rename from templates/traefik-middleware-headers.yml.j2 rename to templates/2.1/traefik-middleware-headers.yml.j2 index 50172d4..e0906fb 100644 --- a/templates/traefik-middleware-headers.yml.j2 +++ b/templates/2.1/traefik-middleware-headers.yml.j2 @@ -8,24 +8,24 @@ spec: browserXssFilter: "true" contentTypeNosniff: "true" forceSTSHeader: "true" - frameDeny: "true" + frameDeny = "true" stsIncludeSubdomains: "true" stsPreload: "true" stsSeconds: "15768000" sslRedirect: "true" - contentSecurityPolicy: "default-src 'self' 'unsafe-inline'" + contentSecurityPolicy = "default-src 'self' 'unsafe-inline'" customFrameOptionsValue: "SAMEORIGIN" - referrerPolicy: "same-origin" - featurePolicy: "vibrate 'self'" + referrerPolicy = "same-origin" + featurePolicy = "vibrate 'self'" # CORS accessControlAllowMethods: - "GET" - "OPTIONS" - "PUT" - accessControlAllowOrigin: "origin-list-or-null" - #accessControlAllowOriginList: - # - "https://foo.bar.org" - # - "https://example.org" + accessControlAllowOrigin = "origin-list-or-null" +# accessControlAllowOriginList: +# - "https://foo.bar.org" +# - "https://example.org" accessControlMaxAge: 100 addVaryHeader: "true" \ No newline at end of file diff --git a/templates/traefik-middleware-httpsredirect.yml.j2 b/templates/2.1/traefik-middleware-httpsredirect.yml.j2 similarity index 100% rename from templates/traefik-middleware-httpsredirect.yml.j2 rename to templates/2.1/traefik-middleware-httpsredirect.yml.j2 diff --git a/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 b/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 new file mode 100644 index 0000000..60fa6ad --- /dev/null +++ b/templates/2.1/traefik-middleware-ipwhitelist.yml.j2 
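Review bot: `frameDeny = "true"`, `contentSecurityPolicy = ...`, `referrerPolicy = ...`, `featurePolicy = ...` and `accessControlAllowOrigin = ...` replace the mapping colon with ` = `, which is not YAML: a plain scalar with no `:` inside a block mapping makes PyYAML fail with "could not find expected ':'", so `lookup('template', item) | from_yaml` in tasks/main.yml aborts the whole install at this item, and if a lenient parser ever let it through, frame-deny and the CSP would silently not be set. 2.2/traefik-middleware-headers.yml.j2 (L16) is the identical blob and has the same problem. If the intent was to disable those five options, comment them out with `#` as was done for `accessControlAllowOriginList`; otherwise restore the colons.
```yaml
    frameDeny: "true"
    # … unchanged: sts*, sslRedirect …
    contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    customFrameOptionsValue: "SAMEORIGIN"
    referrerPolicy: "same-origin"
    featurePolicy: "vibrate 'self'"
    # … unchanged: CORS methods …
    accessControlAllowOrigin: "origin-list-or-null"
```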
@@ -0,0 +1,11 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-ipwhitelist
+ namespace: {{ traefik_namespace }}
+spec:
+ ipWhiteList:
+ sourceRange:
+{% for acl_whitelist in ingress_whitelist %}
+ - {{ acl_whitelist }}
+{% endfor %}
diff --git a/templates/traefik-ping.yml.j2 b/templates/2.1/traefik-ping.yml.j2
similarity index 100%
rename from templates/traefik-ping.yml.j2
rename to templates/2.1/traefik-ping.yml.j2
diff --git a/templates/traefik-sa.yml.j2 b/templates/2.1/traefik-sa.yml.j2
similarity index 100%
rename from templates/traefik-sa.yml.j2
rename to templates/2.1/traefik-sa.yml.j2
diff --git a/templates/traefik-svc.yml.j2 b/templates/2.1/traefik-svc.yml.j2
similarity index 100%
rename from templates/traefik-svc.yml.j2
rename to templates/2.1/traefik-svc.yml.j2
diff --git a/templates/traefik-tls-options.yml.j2 b/templates/2.1/traefik-tls-options.yml.j2
similarity index 100%
rename from templates/traefik-tls-options.yml.j2
rename to templates/2.1/traefik-tls-options.yml.j2
diff --git a/templates/2.2/traefik-cm.yml.j2 b/templates/2.2/traefik-cm.yml.j2
new file mode 100644
index 0000000..3ccb24a
--- /dev/null
+++ b/templates/2.2/traefik-cm.yml.j2
@@ -0,0 +1,48 @@
+apiVersion: v1
+data:
+ traefik.yaml: |
+ global:
+ checkNewVersion: true
+ serversTransport:
+ insecureSkipVerify: true
+ entryPoints:
+{% for traefik_entrypoint in traefik_entrypoints %}
+ {{ traefik_entrypoint.name }}:
+ address: :{{ traefik_entrypoint.port }}
+{% endfor %}
+ providers:
+ kubernetesCRD:
+ ingressClass: "traefik"
+ throttleDuration: 2s
+ kubernetesIngress:
+ ingressClass: "traefik"
+ metrics:
+ prometheus:
+ buckets:
+ - 0.1
+ - 0.3
+ - 1.2
+ - 5
+ entryPoint: traefik
+ ping:
+ entryPoint: traefik
+ api:
+ insecure: true
+ dashboard: true
+ debug: true
+ log:
+ level: DEBUG
+ accessLog:
+ format: json
+ fields:
+ names:
+ BackendAddr: keep
+ BackendName: keep
+ BackendURL: keep
+ FrontendName: keep
+kind: ConfigMap
+metadata:
+ labels:
+ app: traefik
+ name: traefik
+ namespace: {{ traefik_namespace }}
diff --git a/templates/2.2/traefik-dashboard-insecure.yml.j2 b/templates/2.2/traefik-dashboard-insecure.yml.j2
new file mode 100644
index 0000000..a37a302
--- /dev/null
+++ b/templates/2.2/traefik-dashboard-insecure.yml.j2
@@ -0,0 +1,39 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard-insecure
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - http
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 12
+ middlewares:
+{% if ingress_whitelist is defined %}
+ - name: traefik-ipwhitelist
+{% endif %}
+ - name: https-only
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
diff --git a/templates/2.2/traefik-dashboard-svc.yml.j2 b/templates/2.2/traefik-dashboard-svc.yml.j2
new file mode 100644
index 0000000..d89d096
--- /dev/null
+++ b/templates/2.2/traefik-dashboard-svc.yml.j2
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: traefik
+ name: traefik-dashboard
+ namespace: {{ traefik_namespace }}
+
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: traefik
+ port: 8080
+ protocol: TCP
+ - protocol: TCP
+ port: 443
+ name: https
+ targetPort: 443
+ type: ClusterIP
+ selector:
+ app: traefik
diff --git a/templates/2.2/traefik-dashboard.yml.j2 b/templates/2.2/traefik-dashboard.yml.j2
new file mode 100644
index 0000000..d755f8b
--- /dev/null
+++ b/templates/2.2/traefik-dashboard.yml.j2
@@ -0,0 +1,50 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - https
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 12
+{% if basic_auth is defined or ingress_whitelist is defined %}
+ middlewares:
+{% if ingress_whitelist is defined %}
+ - name: traefik-ipwhitelist
+{% endif %}
+{% if basic_auth is defined %}
+ - name: basic-auth
+{% endif %}
+{% endif %}
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
+ tls:
+ store:
+ name: default
+ namespace: {{ traefik_namespace }}
+ options:
+ name: default
+ namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/2.2/traefik-dp.yml.j2 b/templates/2.2/traefik-dp.yml.j2
new file mode 100644
index 0000000..6501a07
--- /dev/null
+++ b/templates/2.2/traefik-dp.yml.j2
@@ -0,0 +1,94 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: {{ traefik_namespace }}
+ name: traefik
+ labels:
+ app: traefik
+
+spec:
+ replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %}
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ containers:
+ - name: traefik
+ image: traefik:{{ traefik_version_2_2 }}
+ args:
+ - --configfile=/config/traefik.yaml
+# imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ hostPort: 80
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ hostPort: 443
+ - name: traefik
+ containerPort: 8080
+ protocol: TCP
+ hostPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: traefik
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: traefik
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ resources:
+ limits:
+ cpu: {{ traefik_cpu_limit }}
+ memory: {{ traefik_memory_limit }}
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ volumeMounts:
+ - mountPath: /config
+ name: config
+{% if traefik_node_selector is defined %}
+ nodeSelector:
+ flaminem.com/entrypoint: traefik
+{% endif %}
+ dnsPolicy: ClusterFirst
+{% if my_context == "flamykube" %}
+ hostNetwork: true
+{% else %}
+ hostNetwork: false
+{% endif %}
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 1
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: traefik
+ name: config
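Review bot: `{% if my_context == "flamykube" %}` / `hostNetwork: true` leaves `dnsPolicy: ClusterFirst` in place, and Kubernetes documents `ClusterFirstWithHostNet` as the policy for host-network pods that should still resolve through cluster DNS — presumably wanted if this Traefik ever addresses in-cluster names rather than only the API server. The literal context name and the `flaminem.com/entrypoint` label are site-specific values baked into a versioned template; a `traefik_host_network` boolean and a node-selector label variable in defaults/main.yml, each with a one-line comment, would keep the role reusable and make the host-network choice reviewable per host. The `capabilities` block (drop `ALL`, add `NET_BIND_SERVICE`) is the right shape and should be mirrored into the 2.0 and 2.1 Deployments.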
diff --git a/templates/2.2/traefik-middleware-basicauth.yml.j2 b/templates/2.2/traefik-middleware-basicauth.yml.j2
new file mode 100644
index 0000000..797fe1f
--- /dev/null
+++ b/templates/2.2/traefik-middleware-basicauth.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-auth
+ namespace: {{ traefik_namespace }}
+spec:
+ basicAuth:
+ secret: basic-auth
\ No newline at end of file
diff --git a/templates/2.2/traefik-middleware-headers.yml.j2 b/templates/2.2/traefik-middleware-headers.yml.j2
new file mode 100644
index 0000000..e0906fb
--- /dev/null
+++ b/templates/2.2/traefik-middleware-headers.yml.j2
@@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: {{ traefik_namespace }}
+spec:
+ headers:
+ browserXssFilter: "true"
+ contentTypeNosniff: "true"
+ forceSTSHeader: "true"
+ frameDeny = "true"
+ stsIncludeSubdomains: "true"
+ stsPreload: "true"
+ stsSeconds: "15768000"
+ sslRedirect: "true"
+ contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+ customFrameOptionsValue: "SAMEORIGIN"
+ referrerPolicy = "same-origin"
+ featurePolicy = "vibrate 'self'"
+
+ # CORS
+ accessControlAllowMethods:
+ - "GET"
+ - "OPTIONS"
+ - "PUT"
+ accessControlAllowOrigin = "origin-list-or-null"
+# accessControlAllowOriginList:
+# - "https://foo.bar.org"
+# - "https://example.org"
+ accessControlMaxAge: 100
+ addVaryHeader: "true"
\ No newline at end of file
diff --git a/templates/2.2/traefik-middleware-httpsredirect.yml.j2 b/templates/2.2/traefik-middleware-httpsredirect.yml.j2
new file mode 100644
index 0000000..d5f4cb3
--- /dev/null
+++ b/templates/2.2/traefik-middleware-httpsredirect.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: https-only
+ namespace: {{ traefik_namespace }}
+spec:
+ redirectScheme:
+ scheme: https
\ No newline at end of file
diff --git a/templates/2.2/traefik-ping.yml.j2 b/templates/2.2/traefik-ping.yml.j2
new file mode 100644
index 0000000..1703002
--- /dev/null
+++ b/templates/2.2/traefik-ping.yml.j2
@@ -0,0 +1,39 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-ping
+ namespace: {{ traefik_namespace }}
+ labels:
+ app: traefik
+
+spec:
+ entryPoints:
+ - https
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+ # but for now we only support a traefik style matching rule.
+ - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+ # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+ # "Parameter", etc, to support simpler forms of rule matching, but for now we
+ # only support "Rule".
+ kind: Rule
+ # (optional) Priority disambiguates rules of the same length, for route matching.
+ priority: 14
+ services:
+ - name: traefik-dashboard
+ port: 8080
+ # (default 1) A weight used by the weighted round-robin strategy (WRR).
+ weight: 1
+ # (default true) PassHostHeader controls whether to leave the request's Host
+ # Header as it was before it reached the proxy, or whether to let the proxy set it
+ # to the destination (backend) host.
+ passHostHeader: true
+ responseForwarding:
+ # (default 100ms) Interval between flushes of the buffered response body to the client.
+ flushInterval: 100ms
+ tls:
+ secretName: wildcard-cluster
+ options:
+ name: default
+ namespace: {{ traefik_namespace }}
\ No newline at end of file
diff --git a/templates/2.2/traefik-sa.yml.j2 b/templates/2.2/traefik-sa.yml.j2
new file mode 100644
index 0000000..07c38a6
--- /dev/null
+++ b/templates/2.2/traefik-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ traefik_namespace }}
+ name: traefik-ingress-controller
diff --git a/templates/2.2/traefik-svc.yml.j2 b/templates/2.2/traefik-svc.yml.j2 new file mode 100644 index 0000000..7c369da --- /dev/null +++ b/templates/2.2/traefik-svc.yml.j2 @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik + name: traefik + namespace: {{ traefik_namespace }} + +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - protocol: TCP + port: 443 + name: https + targetPort: 443 + type: LoadBalancer + selector: + app: traefik diff --git a/templates/2.2/traefik-tls-options.yml.j2 b/templates/2.2/traefik-tls-options.yml.j2 new file mode 100644 index 0000000..6f64045 --- /dev/null +++ b/templates/2.2/traefik-tls-options.yml.j2 @@ -0,0 +1,16 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: {{ traefik_namespace }} + +spec: + sniStrict: true + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + curvePreferences: + - CurveP521 + - CurveP384 \ No newline at end of file diff --git a/templates/traefik-middleware-ipwhitelist.yml.j2 b/templates/traefik-middleware-ipwhitelist.yml.j2 index 0722f45..60fa6ad 100644 --- a/templates/traefik-middleware-ipwhitelist.yml.j2 +++ b/templates/traefik-middleware-ipwhitelist.yml.j2 @@ -6,8 +6,6 @@ metadata: spec: ipWhiteList: sourceRange: -{% if ingress_whitelist is defined %} {% for acl_whitelist in ingress_whitelist %} - {{ acl_whitelist }} {% endfor %} -{% endif %} \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index 6a88e79..bb407bf 100644 --- a/vars/main.yml +++ b/vars/main.yml 
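Review bot: All three suites in the 2.2 TLSOption are `ECDHE_RSA`, so if the `wildcard-cluster` certificate the IngressRoutes reference carries an ECDSA key, TLS 1.2 clients would find no usable suite — verify the key type, or add the `ECDHE_ECDSA` counterparts. `curvePreferences` lists only `CurveP521` and `CurveP384`; consider `X25519` as well, and put a comment above `cipherSuites:` recording why this list differs from the 2.0 one so the two directories do not drift silently.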
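Review bot: Removing `{% if ingress_whitelist is defined %}` around the loop in templates/traefik-middleware-ipwhitelist.yml.j2 turns a template that rendered an empty `sourceRange` into one that raises an undefined-variable error whenever `ingress_whitelist` is unset, so whichever task still renders it needs its own `when: ingress_whitelist is defined`. After this change the file is byte-identical to 2.1/ and 2.2/traefik-middleware-ipwhitelist.yml.j2 (same blob 60fa6ad) while every other root template was moved into a version directory; if nothing references the root copy any more, delete it rather than keep a third copy to drift, and if something does, a header comment naming that task would help the next reader.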
@@ -1,14 +1,27 @@ traefik_version_2_0: 2.0.7 traefik_2.0_list: + - 2.0/traefik-cm.yml.j2 + - 2.0/traefik-sa.yml.j2 - 2.0/traefik-clusterrole.yml.j2 - 2.0/traefik-clusterrolebinding.yml.j2 - 2.0/traefik-crd-ingressroute.yml.j2 - 2.0/traefik-crd-ingressroutetcp.yml.j2 - 2.0/traefik-crd-middleware.yml.j2 - 2.0/traefik-crd-tlsoption.yml.j2 + - 2.0/traefik-dp.yml.j2 + - 2.0/traefik-svc.yml.j2 + - 2.0/traefik-dashboard-svc.yml.j2 + - 2.0/traefik-middleware-httpsredirect.yml.j2 + - 2.0/traefik-middleware-basicauth.yml.j2 + - 2.0/traefik-tls-options.yml.j2 + - 2.0/traefik-dashboard.yml.j2 + - 2.0/traefik-dashboard-insecure.yml.j2 + - 2.0/traefik-ping.yml.j2 traefik_version_2_1: 2.1.9 traefik_2.1_list: + - 2.1/traefik-cm.yml.j2 + - 2.1/traefik-sa.yml.j2 - 2.1/traefik-clusterrole.yml.j2 - 2.1/traefik-clusterrolebinding.yml.j2 - 2.1/traefik-crd-ingressroute.yml.j2 @@ -16,6 +29,16 @@ traefik_2.1_list: - 2.1/traefik-crd-middleware.yml.j2 - 2.1/traefik-crd-tlsoption.yml.j2 - 2.1/traefik-crd-traefikservice.yml.j2 + - 2.1/traefik-dp.yml.j2 + - 2.1/traefik-svc.yml.j2 + - 2.1/traefik-dashboard-svc.yml.j2 + - 2.1/traefik-middleware-httpsredirect.yml.j2 + - 2.1/traefik-middleware-basicauth.yml.j2 + - 2.1/traefik-middleware-headers.yml.j2 + - 2.1/traefik-tls-options.yml.j2 + - 2.1/traefik-dashboard.yml.j2 + - 2.1/traefik-dashboard-insecure.yml.j2 + - 2.1/traefik-ping.yml.j2 traefik_version_2_2: 2.2.4 traefik_2.2_list: 
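Review bot: The item order in these lists is a dependency order — `traefik-dp.yml.j2` needs the ServiceAccount and ConfigMap rendered before it, and the dashboard and ping routes need the middlewares and the `default` TLSOption — but nothing says so, and the 2.2 list (L20) places cm/sa between the CRDs and the clusterrole while 2.0 and 2.1 place them first. A comment at the head of each list, `# order matters: CRDs and RBAC first, then sa/cm, then the Deployment and the routes that reference them`, would stop a future alphabetical tidy-up from breaking the install. None of the three lists contains `traefik-middleware-ipwhitelist.yml.j2`, presumably because the separate ipwhitelist set_fact task in tasks/main.yml renders it; that is worth a note beside the lists too. The version scalars `2.0.7`, `2.1.9`, `2.2.4` are safe as plain strings (two dots), but quoting them guards a future `2.3` from being parsed as a float.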
@@ -26,5 +49,17 @@ traefik_2.2_list: - 2.2/traefik-crd-tlsoptions.yml.j2 - 2.2/traefik-crd-tlsstores.yml.j2 - 2.2/traefik-crd-traefikservices.yml.j2 + - 2.2/traefik-cm.yml.j2 + - 2.2/traefik-sa.yml.j2 - 2.2/traefik-clusterrole.yml.j2 - 2.2/traefik-clusterrolebinding.yml.j2 + - 2.2/traefik-dp.yml.j2 + - 2.2/traefik-svc.yml.j2 + - 2.2/traefik-dashboard-svc.yml.j2 + - 2.2/traefik-middleware-httpsredirect.yml.j2 + - 2.2/traefik-middleware-basicauth.yml.j2 + - 2.2/traefik-middleware-headers.yml.j2 + - 2.2/traefik-tls-options.yml.j2 + - 2.2/traefik-dashboard.yml.j2 + - 2.2/traefik-dashboard-insecure.yml.j2 + - 2.2/traefik-ping.yml.j2