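# Ansible tasks that deploy the Traefik ingress controller into kube-system:
# RBAC objects, the DaemonSet, two Services, and a basic-auth protected
# dashboard Ingress with a cert-manager certificate.
#
# NOTE(review): several apiVersions used below are legacy. Upstream Kubernetes
# stopped serving extensions/v1beta1 DaemonSet in 1.16, and removed
# rbac.authorization.k8s.io/v1beta1 and extensions/v1beta1 Ingress in 1.22.
# Confirm the target cluster version before reusing these tasks.

# Grants the controller read access to Services, Endpoints, Secrets and
# Ingresses. This is a ClusterRole bound through a ClusterRoleBinding, so the
# `secrets` rule gives get/list/watch on Secrets in every namespace. A
# compromised controller pod or leaked service-account token therefore exposes
# all cluster Secrets; treat this service account as highly privileged.
- name: Traefik cluster role
  k8s:
    state: present
    definition:
      kind: ClusterRole
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: traefik-ingress-controller
      rules:
        - apiGroups:
            - ""
          resources:
            - services
            - endpoints
            - secrets
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - extensions
          resources:
            - ingresses
          verbs:
            - get
            - list
            - watch

# Binds the ClusterRole above to the kube-system/traefik-ingress-controller
# service account (created by the next task).
- name: Traefik cluster role binding
  k8s:
    state: present
    definition:
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: traefik-ingress-controller
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: traefik-ingress-controller
      subjects:
        - kind: ServiceAccount
          name: traefik-ingress-controller
          namespace: kube-system

# Identity the DaemonSet pods run as.
- name: Traefik service account
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: traefik-ingress-controller
        namespace: kube-system

# Disabled: file-based Traefik configuration. This is the only place in this
# file where an HTTPS entry point (:443) and the HTTP->HTTPS redirect are
# defined.
# - name: Traefik configuration
#   k8s:
#     state: present
#     definition:
#       apiVersion: v1
#       kind: ConfigMap
#       metadata:
#         name: traefik-conf
#         namespace: kube-system
#       data:
#         traefik.toml: |
#           defaultEntryPoints = ["http", "https"]
#           logLevel = "INFO"
#           [entryPoints]
#             [entryPoints.http]
#             address = ":80"
#               [entryPoints.http.redirect]
#               entryPoint = "https"
#             [entryPoints.https]
#             address = ":443"
#               [entryPoints.https.tls]
#             [entryPoints.api]
#             address = ":8080"
#           [api]
#           entryPoint = "api"
#           dashboard = true
#           debug = false
#           [kubernetes]

# Runs one Traefik pod per node and publishes port 80 on each node via hostPort.
- name: Traefik daemon set
  k8s:
    state: present
    definition:
      kind: DaemonSet
      apiVersion: extensions/v1beta1
      metadata:
        name: traefik-ingress-controller
        namespace: kube-system
        labels:
          k8s-app: traefik-ingress-lb
      spec:
        template:
          metadata:
            labels:
              k8s-app: traefik-ingress-lb
              name: traefik-ingress-lb
          spec:
            serviceAccountName: traefik-ingress-controller
            terminationGracePeriodSeconds: 60
            containers:
              # NOTE(review): the image has no tag or digest, so it resolves to
              # `latest` and can change between node pulls. The args below look
              # like Traefik 1.x CLI flags; pin a known-good tag or digest so a
              # newer major release is not pulled in silently.
              - image: traefik
                name: traefik-ingress-lb
                # volumeMounts:
                #   - mountPath: /config
                #     name: traefik-config
                ports:
                  - name: http
                    containerPort: 80
                    hostPort: 80
                  # Port the API/dashboard listens on; no hostPort, so it is
                  # reachable only through the pod network and the Services
                  # below.
                  - name: admin
                    containerPort: 8080
                securityContext:
                  # Drop every capability, then add back only the one needed
                  # to bind the privileged port 80.
                  capabilities:
                    drop:
                      - ALL
                    add:
                      - NET_BIND_SERVICE
                args:
                  - --api
                  - --kubernetes
                  - --logLevel=INFO
            # volumes:
            #   - name: traefik-config
            #     configMap:
            #       name: traefik-conf

# ClusterIP Service in front of the controller pods.
# NOTE(review): the `admin` port publishes 8080 to every workload in the
# cluster. The basic-auth annotations further down live on the Ingress only,
# so in-cluster clients that reach this port are not challenged. Consider
# dropping the port or restricting it with a NetworkPolicy.
- name: Traefik service
  k8s:
    state: present
    definition:
      kind: Service
      apiVersion: v1
      metadata:
        name: traefik-ingress-service
        namespace: kube-system
      spec:
        selector:
          k8s-app: traefik-ingress-lb
        ports:
          - protocol: TCP
            port: 80
            name: web
          - protocol: TCP
            port: 8080
            name: admin

# Backend Service for the dashboard Ingress: port 80 -> container port 8080.
# The same in-cluster exposure caveat applies as for the `admin` port above.
- name: Traefik UI service
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: traefik-auth
        namespace: kube-system
      data:
        auth: "{{('admin:' + traefik_dashboard_password_hash) | b64encode}}"
  # The rendered definition contains the dashboard credential hash; keep it
  # out of Ansible output, logs and callback plugins. The trade-off is that
  # failure details for this task are hidden as well.
  no_log: true

# Publishes the dashboard on traefik_domain behind basic auth.
# NOTE(review): the annotations redirect to an `https` entry point, but the
# DaemonSet args above define no such entry point and expose only hostPort 80;
# the HTTPS entry point exists only in the commented-out ConfigMap. Confirm
# that TLS is actually terminated for this host, otherwise the basic-auth
# credentials travel in clear text.
- name: Traefik UI ingress
  k8s:
    state: present
    definition:
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: traefik-web-ui
        namespace: kube-system
        annotations:
          traefik.ingress.kubernetes.io/auth-type: "basic"
          traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
          traefik.ingress.kubernetes.io/redirect-entry-point: https
          traefik.ingress.kubernetes.io/redirect-permanent: "true"
          ingress.kubernetes.io/ssl-redirect: "true"
          ingress.kubernetes.io/ssl-temporary-redirect: "false"
      spec:
        rules:
          - host: "{{traefik_domain}}"
            http:
              paths:
                - path: /
                  backend:
                    serviceName: traefik-web-ui
                    servicePort: web
        tls:
          - secretName: traefik-cert

# Requests a certificate for traefik_domain from cert-manager using the HTTP-01
# challenge; the result is stored in the traefik-cert Secret referenced by the
# Ingress above.
- name: Traefik UI certificate
  k8s:
    state: present
    definition:
      apiVersion: certmanager.k8s.io/v1alpha1
      kind: Certificate
      metadata:
        name: traefik-cert
        namespace: kube-system
      spec:
        secretName: traefik-cert
        issuerRef:
          name: "{{cert_manager_issuer}}"
        commonName: "{{traefik_domain}}"
        acme:
          config:
            - http01:
                ingressClass: traefik
              domains:
                - "{{traefik_domain}}"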