From 1da0724ab42e7052bd9586aee8404ac3d7feb8ed Mon Sep 17 00:00:00 2001
From: Michael Schietzsch
Date: Fri, 4 Mar 2022 15:02:54 +0100
Subject: [PATCH] added traefik option for 'insecureSkipVerify'
---
 init.tf | 1 +
 templates/traefik_config.yaml.tpl | 3 +++
 terraform.tfvars.example | 4 ++++
 variables.tf | 6 ++++++
 4 files changed, 14 insertions(+)
diff --git a/init.tf b/init.tf
index 7f7e021..9626d0e 100644
--- a/init.tf
+++ b/init.tf
@@ -101,6 +101,7 @@ resource "null_resource" "kustomization" {
 location = var.location
 traefik_acme_tls = var.traefik_acme_tls
 traefik_acme_email = var.traefik_acme_email
+ insecureSkipVerify = var.insecureSkipVerify
 })
 destination = "/tmp/post_install/traefik.yaml"
 }
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 75ce20f..4183e3e 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -24,6 +24,9 @@ spec:
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ if insecureSkipVerify ~}
+ - "--serversTransport.insecureSkipVerify=true"
+%{ endif ~}
 %{ if traefik_acme_tls ~}
 - "--certificatesresolvers.le.acme.tlschallenge=true"
 - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 047c8bc..b2c353f 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -78,3 +78,7 @@ load_balancer_type = "lb11"
 # ]
 # },
 # ]
+
+# If you want to configure traefik with "insecureSkipVerify". This might be required if your ingress is connecting to TLS services; see https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
+# You probably should not use this in production
+# insecureSkipVerify = true
diff --git a/variables.tf b/variables.tf
index 15ecb17..db213da 100644
--- a/variables.tf
+++ b/variables.tf
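Review bot: In templates/traefik_config.yaml.tpl the added `--serversTransport.insecureSkipVerify=true` is a static, process-wide Traefik setting, so enabling it turns off certificate verification for every HTTPS backend the ingress proxies to, not only the one service that presents a self-signed certificate. With verification off, Traefik cannot tell a genuine backend from anything else answering on that address, so the TLS hop to the backends gives confidentiality against passive observers only. Where the backends use an internal CA, trusting that CA through Traefik's `serversTransport.rootCAs` option keeps verification on; where only one service needs the exception, a per-service `ServersTransport` resource (if the deployed Traefik version supports it) limits the scope. The args list this flag is added to starts and ends outside the hunk.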
@@ -119,3 +119,9 @@ variable "extra_firewall_rules" {
 default = []
 description = "Additional firewall rules to apply to the cluster"
 }
+
+variable "insecureSkipVerify" {
+ type = bool
+ default = false
+ description = "Whether to set the insecureSkipVerify=true configuration with the Traefik configuration"
+}
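Review bot: The `description` of the new `insecureSkipVerify` variable restates the flag name without saying what it turns off; something like `description = "Disable TLS certificate verification for all Traefik backend connections (not recommended for production)"` tells the operator the actual consequence at the point where the value is set. The camelCase name also departs from the snake_case of the neighbouring variables visible in this patch (`traefik_acme_tls`, `extra_firewall_rules`); `traefik_insecure_skip_verify` would match and makes clear which component the switch affects, with the references in init.tf and the template renamed accordingly. The `default = false` is the right choice and should stay.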