- name: Traefik cluster role
  k8s:
    state: present
    definition:
      kind: ClusterRole
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: traefik-ingress-controller
      rules:
        - apiGroups:
            - ""
          resources:
            - services
            - endpoints
            - secrets
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - extensions
          resources:
            - ingresses
          verbs:
            - get
            - list
            - watch

- name: Traefik cluster role binding
  k8s:
    state: present
    definition:
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: traefik-ingress-controller
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: traefik-ingress-controller
      subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        namespace: kube-system

- name: Traefik service account
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: traefik-ingress-controller
        namespace: kube-system

- name: Traefik daemon set
  k8s:
    state: present
    definition:
      kind: DaemonSet
      apiVersion: extensions/v1beta1
      metadata:
        name: traefik-ingress-controller
        namespace: kube-system
        labels:
          k8s-app: traefik-ingress-lb
      spec:
        template:
          metadata:
            labels:
              k8s-app: traefik-ingress-lb
              name: traefik-ingress-lb
          spec:
            serviceAccountName: traefik-ingress-controller
            terminationGracePeriodSeconds: 60
            containers:
            - image: traefik
              name: traefik-ingress-lb
              ports:
              - name: http
                containerPort: 80
                hostPort: 80
              - name: admin
                containerPort: 8080
              securityContext:
                capabilities:
                  drop:
                  - ALL
                  add:
                  - NET_BIND_SERVICE
              args:
              - --api
              - --kubernetes
              - --logLevel=INFO

- name: Traefik service
  k8s:
    state: present
    definition:
      kind: Service
      apiVersion: v1
      metadata:
        name: traefik-ingress-service
        namespace: kube-system
      spec:
        selector:
          k8s-app: traefik-ingress-lb
        ports:
          - protocol: TCP
            port: 80
            name: web
          - protocol: TCP
            port: 8080
            name: admin

- name: Traefik UI service
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: traefik-web-ui
        namespace: kube-system
      spec:
        selector:
          k8s-app: traefik-ingress-lb
        ports:
        - name: web
          port: 80
          targetPort: 8080

- name: Traefik UI basic auth secret
  k8s:
    state: present
    definition:
      apiVersion: v1
      data:
        auth: "{{('admin:' + traefik_dashboard_password_hash) | b64encode}}"
      kind: Secret
      metadata:
        name: traefik-auth
        namespace: kube-system

- name: Traefik UI ingress
  k8s:
    state: present
    definition:
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: traefik-web-ui
        namespace: kube-system
        annotations:
          traefik.ingress.kubernetes.io/auth-type: "basic"
          traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
      spec:
        rules:
        - host: traefik.k8s.banditlair.com
          http:
            paths:
            - path: /
              backend:
                serviceName: traefik-web-ui
                servicePort: web