ansible-role-k8s-traefik/templates/traefik-files.yml.j2

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-files
data:
  traefik-middlewares.yaml: |
    http:
      middlewares:
        compress:
          compress:
            excludedContentTypes: ["text/event-stream"]
        rate-limit:
          rateLimit:
            average: 100
            burst: 50
        security_headers:
          headers:
    #        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
    #        accessControlAllowOrigin: "origin-list-or-null"
    #        accessControlMaxAge: 100
    #        addVaryHeader: true
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            frameDeny: true
            stsIncludeSubdomains: true
            stsPreload: true
            customFrameOptionsValue: "SAMEORIGIN"
            referrerPolicy: "same-origin"
            featurePolicy: "vibrate 'self'"
            stsSeconds: 315360000
            sslRedirect: true
            contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    #        customResponseHeaders:
    #          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
    #          server: ""
{% if ingress_whitelist is defined %}
        traefik-ipwhitelist:
          ipWhiteList:
            sourceRange:
{% for acl_whitelist in ingress_whitelist %}
              - {{ acl_whitelist }}
{% endfor %}
{% endif %}
{% if basic_auth|bool %}
        basic-auth:
          basicAuth:
            removeHeader: true
            usersFile: "/etc/traefik/basic-auth/basic_auth"
    #        users:
    #          - {{ basic_auth_data }}
{% endif %}
{% if false %}
        authelia:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
            trustForwardHeader: true
            authReponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
{% endif %}

  traefik-tls-defaults-options.yaml: |
    tls:
      options:
          default:
            sniStrict: true
            minVersion: VersionTLS12
            curvePreferences:
              - CurveP521
              - CurveP384
            cipherSuites:
              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
{% if false %}
      stores:
        default:
          defaultCertificate:
            certFile: path/to/wildcardcert.crt
            keyFile: path/to/wildcardcert.key

      certificates:
      - certFile: /path/to/domain.cert
        keyFile: /path/to/domain.key
      - certFile: /path/to/other-domain.cert
        keyFile: /path/to/other-domain.key
{% endif %}