diff --git a/roles/k8s-manifests/tasks/main.yml b/roles/k8s-manifests/tasks/main.yml
index 660e059..b291edb 100644
--- a/roles/k8s-manifests/tasks/main.yml
+++ b/roles/k8s-manifests/tasks/main.yml
@@ -2,4 +2,8 @@
 - include: prerequisites.yml tags: prerequisites
+- include: traefik.yml
+ tags: traefik
+ - include: searx.yml
+ tags: searx
diff --git a/roles/k8s-manifests/tasks/searx.yml b/roles/k8s-manifests/tasks/searx.yml
index ae5dce7..094d60d 100644
--- a/roles/k8s-manifests/tasks/searx.yml
+++ b/roles/k8s-manifests/tasks/searx.yml
@@ -47,4 +47,23 @@
 - port: 80 targetPort: 8888 selector:
- app: searx
\ No newline at end of file
+ app: searx
+
+- name: Searx ingress
+ k8s:
+ namespace: default
+ state: present
+ definition:
+ apiVersion: extensions/v1beta1
+ kind: Ingress
+ metadata:
+ name: searx
+ spec:
+ rules:
+ - host: searx.k8s.banditlair.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: searx
+ servicePort: 80
diff --git a/roles/k8s-manifests/tasks/traefik.yml b/roles/k8s-manifests/tasks/traefik.yml
new file mode 100644
index 0000000..66898ce
--- /dev/null
+++ b/roles/k8s-manifests/tasks/traefik.yml
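Review bot: The searx Ingress on searx.k8s.banditlair.com has no `tls:` stanza, so user search queries reach the service over plain HTTP end to end; since the Traefik entrypoint added in this commit only listens on port 80, a TLS section alone will not help until a 443 entrypoint exists, which is worth recording in a comment on the task. The task also uses the deprecated `apiVersion: extensions/v1beta1` for Ingress, which newer clusters no longer serve; `networking.k8s.io/v1beta1` (or `v1`) is the replacement where the target version supports it. Stylistically, this task sets `namespace: default` at the module level while the Traefik tasks in the same commit put `namespace` under `metadata`; picking one placement keeps the role consistent.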
@@ -0,0 +1,165 @@
+- name: Traefik cluster role
+ k8s:
+ state: present
+ definition:
+ kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1beta1
+ metadata:
+ name: traefik-ingress-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+
+- name: Traefik cluster role binding
+ k8s:
+ state: present
+ definition:
+ kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1beta1
+ metadata:
+ name: traefik-ingress-controller
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+ subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: kube-system
+
+- name: Traefik service account
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+
+- name: Traefik daemon set
+ k8s:
+ state: present
+ definition:
+ kind: DaemonSet
+ apiVersion: extensions/v1beta1
+ metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+ labels:
+ k8s-app: traefik-ingress-lb
+ spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: traefik-ingress-lb
+ name: traefik-ingress-lb
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ terminationGracePeriodSeconds: 60
+ containers:
+ - image: traefik
+ name: traefik-ingress-lb
+ ports:
+ - name: http
+ containerPort: 80
+ hostPort: 80
+ - name: admin
+ containerPort: 8080
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ args:
+ - --api
+ - --kubernetes
+ - --logLevel=INFO
+
+- name: Traefik service
+ k8s:
+ state: present
+ definition:
+ kind: Service
+ apiVersion: v1
+ metadata:
+ name: traefik-ingress-service
+ namespace: kube-system
+ spec:
+ selector:
+ k8s-app: traefik-ingress-lb
+ ports:
+ - protocol: TCP
+ port: 80
+ name: web
+ - protocol: TCP
+ port: 8080
+ name: admin
+
+- name: Traefik UI service
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: traefik-web-ui
+ namespace: kube-system
+ spec:
+ selector:
+ k8s-app: traefik-ingress-lb
+ ports:
+ - name: web
+ port: 80
+ targetPort: 8080
+
+- name: Traefik UI basic auth secret
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ data:
+ auth: "{{('admin:' + traefik_dashboard_password_hash) | b64encode}}"
+ kind: Secret
+ metadata:
+ name: traefik-auth
+ namespace: kube-system
+
+- name: Traefik UI ingress
+ k8s:
+ state: present
+ definition:
+ apiVersion: extensions/v1beta1
+ kind: Ingress
+ metadata:
+ name: traefik-web-ui
+ namespace: kube-system
+ annotations:
+ traefik.ingress.kubernetes.io/auth-type: "basic"
+ traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
+ spec:
+ rules:
+ - host: traefik.k8s.banditlair.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: traefik-web-ui
+ servicePort: web
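Review bot: The dashboard's basic-auth credential crosses the network in cleartext: the DaemonSet only exposes `hostPort: 80`, the args configure no TLS entrypoint, and the `traefik-web-ui` Ingress has no `tls:` stanza, so the `admin:<password>` pair is sent merely base64-encoded on every request to traefik.k8s.banditlair.com. A 443 entrypoint with a certificate (or keeping the UI reachable only from inside the cluster) is needed before the `auth-type: "basic"` annotation gives real protection. Separately, `- image: traefik` is unpinned and resolves to a mutable `latest` tag, so pin an explicit tag or digest, e.g. `- image: traefik:<pinned-tag>`. The "Traefik UI basic auth secret" task renders `traefik_dashboard_password_hash` into its task result, so add `no_log: true` beside `state: present` to keep the hash out of Ansible output. The `extensions/v1beta1` API used for the DaemonSet and the Ingress is deprecated and removed in newer clusters, so `apps/v1` and `networking.k8s.io/v1` are the safer choices where the target version supports them.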