From 1da0724ab42e7052bd9586aee8404ac3d7feb8ed Mon Sep 17 00:00:00 2001
From: Michael Schietzsch
Date: Fri, 4 Mar 2022 15:02:54 +0100
Subject: [PATCH 1/4] added traefik option for 'insecureSkipVerify'
---
 init.tf | 1 +
 templates/traefik_config.yaml.tpl | 3 +++
 terraform.tfvars.example | 4 ++++
 variables.tf | 6 ++++++
 4 files changed, 14 insertions(+)
diff --git a/init.tf b/init.tf
index 7f7e021..9626d0e 100644
--- a/init.tf
+++ b/init.tf
@@ -101,6 +101,7 @@ resource "null_resource" "kustomization" {
 location = var.location
 traefik_acme_tls = var.traefik_acme_tls
 traefik_acme_email = var.traefik_acme_email
+ insecureSkipVerify = var.insecureSkipVerify
 })
 destination = "/tmp/post_install/traefik.yaml"
 }
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 75ce20f..4183e3e 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -24,6 +24,9 @@ spec:
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ if insecureSkipVerify ~}
+ - "--serversTransport.insecureSkipVerify=true"
+%{ endif ~}
 %{ if traefik_acme_tls ~}
 - "--certificatesresolvers.le.acme.tlschallenge=true"
 - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 047c8bc..b2c353f 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -78,3 +78,7 @@ load_balancer_type = "lb11"
 # ]
 # },
 # ]
+
+# If you want to configure traefik with "insecureSkipVerify". This might be required if your ingress is connecting to TLS services; see https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
+# You probably should not use this in production
+# insecureSkipVerify = true
diff --git a/variables.tf b/variables.tf
index 15ecb17..db213da 100644
--- a/variables.tf
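Review bot: In templates/traefik_config.yaml.tpl (PATCH 1/4), `--serversTransport.insecureSkipVerify=true` is a static, process-wide argument, so setting the variable turns off certificate verification for every backend Traefik connects to, not only the one TLS service that needed it. The template gives no hint of that scope; I would add a line inside the `%{ if insecureSkipVerify ~}` branch such as `# Disables TLS verification for ALL backends; prefer a per-service ServersTransport with rootCAs`. For backends signed by a private CA, `--serversTransport.rootCAs` or a ServersTransport resource attached to the individual service keeps verification on, and the comment in terraform.tfvars.example could point operators there first.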
+++ b/variables.tf
@@ -119,3 +119,9 @@ variable "extra_firewall_rules" {
 default = []
 description = "Additional firewall rules to apply to the cluster"
 }
+
+variable "insecureSkipVerify" {
+ type = bool
+ default = false
+ description = "Whether to set the insecureSkipVerify=true configuration with the Traefik configuration"
+}
From 8634a1dc2fd5b05872cf2b35a5aae219ac691282 Mon Sep 17 00:00:00 2001
From: Michael Schietzsch
Date: Fri, 4 Mar 2022 15:02:54 +0100
Subject: [PATCH 2/4] added additional traefik option
---
 init.tf | 1 +
 templates/traefik_config.yaml.tpl | 3 +++
 terraform.tfvars.example | 4 ++++
 variables.tf | 5 +++++
 4 files changed, 13 insertions(+)
diff --git a/init.tf b/init.tf
index 7f7e021..a29de23 100644
--- a/init.tf
+++ b/init.tf
@@ -101,6 +101,7 @@ resource "null_resource" "kustomization" {
 location = var.location
 traefik_acme_tls = var.traefik_acme_tls
 traefik_acme_email = var.traefik_acme_email
+ traefik_additionalOptions = var.traefik_additionalOptions
 })
 destination = "/tmp/post_install/traefik.yaml"
 }
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 75ce20f..098d754 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -24,6 +24,9 @@ spec:
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ for option in traefik_additionalOptions ~}
+ - "${option}"
+%{ endfor ~}
 %{ if traefik_acme_tls ~}
 - "--certificatesresolvers.le.acme.tlschallenge=true"
 - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 047c8bc..8c9c842 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
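Review bot: The `description` on `insecureSkipVerify` in variables.tf (PATCH 1/4) only restates the flag name and never tells the operator what protection is switched off. Something like `description = "Disable TLS certificate verification between Traefik and all backend services; leave false outside test clusters"` puts the consequence where the variable is read. The name also departs from the `traefik_`-prefixed snake_case of `traefik_acme_tls` and `traefik_acme_email`; `traefik_insecure_skip_verify` would match, with the same rename applied in init.tf and the template.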
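Review bot: In templates/traefik_config.yaml.tpl (PATCH 2/4), `- "${option}"` drops each list element into a hand-written double-quoted YAML scalar, so an option containing `"` or `\` renders as invalid or differently structured YAML in /tmp/post_install/traefik.yaml. Writing the item as `- ${jsonencode(option)}` produces a correctly escaped quoted string for any input. The loop also sits after the fixed entryPoints and trustedIPs arguments, so a user-supplied argument may repeat and possibly override one of them; the variable's documentation should say that these values are passed through unchecked.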
@@ -78,3 +78,7 @@ load_balancer_type = "lb11"
 # ]
 # },
 # ]
+
+# If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
+# Example: traefik_additionalOptions = ["--log.level=DEBUG", "--tracing=true"]
+# traefik_additionalOptions = []
diff --git a/variables.tf b/variables.tf
index 15ecb17..eb30850 100644
--- a/variables.tf
+++ b/variables.tf
@@ -119,3 +119,8 @@ variable "extra_firewall_rules" {
 default = []
 description = "Additional firewall rules to apply to the cluster"
 }
+
+variable "traefik_additionalOptions" {
+ type = list(string)
+ default = []
+}
From adac340457e2b5d59d08972ccbead7990c07f878 Mon Sep 17 00:00:00 2001
From: Michael Schietzsch
Date: Sat, 5 Mar 2022 10:59:20 +0100
Subject: [PATCH 3/4] fix naming-conventions
---
 init.tf | 2 +-
 templates/traefik_config.yaml.tpl | 2 +-
 terraform.tfvars.example | 4 ++--
 variables.tf | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/init.tf b/init.tf
index d900824..b9a7971 100644
--- a/init.tf
+++ b/init.tf
@@ -99,7 +99,7 @@ resource "null_resource" "kustomization" {
 location = var.location
 traefik_acme_tls = var.traefik_acme_tls
 traefik_acme_email = var.traefik_acme_email
- traefik_additionalOptions = var.traefik_additionalOptions
+ traefik_additional_options = var.traefik_additional_options
 })
 destination = "/tmp/post_install/traefik.yaml"
 }
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 098d754..05fc68d 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
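Review bot: The `traefik_additionalOptions` variable added in variables.tf (PATCH 2/4) has no `description`, unlike `extra_firewall_rules` directly above it, and the rename in PATCH 3/4 leaves the block with only `type` and `default`. I would add `description = "Additional Traefik static-configuration CLI arguments, passed verbatim to the Traefik container"`. Because the strings reach the rendered argument list unchanged, a `validation` block requiring each element to start with `--` would reject malformed entries at plan time rather than at deploy time.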
@@ -24,7 +24,7 @@ spec:
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
-%{ for option in traefik_additionalOptions ~}
+%{ for option in traefik_additional_options ~}
 - "${option}"
 %{ endfor ~}
 %{ if traefik_acme_tls ~}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index b68f576..41e9484 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -92,5 +92,5 @@ load_balancer_type = "lb11"
 # ]

 # If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
-# Example: traefik_additionalOptions = ["--log.level=DEBUG", "--tracing=true"]
-# traefik_additionalOptions = []
+# Example: traefik_additional_options = ["--log.level=DEBUG", "--tracing=true"]
+# traefik_additional_options = []
diff --git a/variables.tf b/variables.tf
index b25f7e5..b299dea 100644
--- a/variables.tf
+++ b/variables.tf
@@ -121,7 +121,7 @@ variable "extra_firewall_rules" {
 description = "Additional firewall rules to apply to the cluster"
 }

-variable "traefik_additionalOptions" {
+variable "traefik_additional_options" {
 type = list(string)
 default = []
 }
From 5e02d7051ddce895fee4e18b8aec6fd96cc24967 Mon Sep 17 00:00:00 2001
From: Michael Schietzsch
Date: Sun, 6 Mar 2022 07:27:51 +0100
Subject: [PATCH 4/4] terraform fmt
---
 init.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init.tf b/init.tf
index b9a7971..3c73029 100644
--- a/init.tf
+++ b/init.tf
@@ -99,7 +99,7 @@ resource "null_resource" "kustomization" {
 location = var.location
 traefik_acme_tls = var.traefik_acme_tls
 traefik_acme_email = var.traefik_acme_email
- traefik_additional_options = var.traefik_additional_options
+ traefik_additional_options = var.traefik_additional_options
 })
 destination = "/tmp/post_install/traefik.yaml"
 }