forked from myth/ansible-traefik-docker
Update: support forward auth for dashboard (#19)
* Update: support forward auth for dashboard
  - enable with traefik_dashboard_fwdauth_server
  - added guards to ensure things are configured
  - append fwdauth labels to service when necessary
* Update: allow setting the fqdn
  By default "traefik.{{ inventory_hostname }}". This new config var allows setting the complete name to something else if needed. We added this to unify all dashboards on a host to be able to fwd auth everywhere.
* Update: allow overriding deps [this is ugly]
* Chore: improve readme + shameless self promo :)
Showing 6 changed files with 105 additions and 4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,22 +1,54 @@ | ||
Traefik (in Docker) role for Ansible | ||
==== | ||
|
||
## Feature highlights | ||
|
||
- supports the latest Traefik v1.x (e.g. v1.7) | ||
- authentication | ||
- basic auth | ||
- forward auth | ||
- enabling Traefik's dashboard | ||
- works with Docker (stand-alone/docker-compose) and Docker Swarm | ||
- potentially consul integration (**does not** install consul) | ||
|
||
#### Dependencies | ||
|
||
- Assumes Docker and Docker Compose are installed on the host | ||
- Ansible requires: | ||
- `pip install jsondiff` | ||
- `pip install pyyaml` | ||
- manage Python deps with `traefik_manage_ansible_dependencies (bool)` | ||
|
||
#### Usage | ||
|
||
Installation: | ||
|
||
``` | ||
$ ansible-galaxy install pngmbh.ansible_traefik_docker | ||
``` | ||
|
||
Or add it to your `requirements.yml`: | ||
|
||
``` | ||
- name: pngmbh.ansible_traefik_docker | ||
src: https://github.com/pngmbh/ansible-traefik-docker | ||
version: GIT-TAG-HERE | ||
``` | ||
|
||
Create a playbook (`traefik.yml`) from this role: | ||
|
||
``` | ||
--- | ||
- name: Install and configure Traefik reverse-proxy | ||
hosts: <your host group or individual host> | ||
roles: | ||
- role: roles/traefik | ||
- role: pngmbh.ansible_docker_traefik | ||
traefik_acme_email: "user@mydomain.org" | ||
traefik_dashboard_basicauth_users: ["user:$apr1$somehash"] | ||
``` | ||
|
||
For a list of all options, see [defaults/main.yml](defaults/main.yml). | ||
|
||
## About the author | ||
|
||
This is a fork, but it diverged and is actively tested and maintained here. Come check us out: [Planetary Quantum GmbH](https://www.planetary-quantum.com) :rocket: |
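Review bot: The role name is inconsistent across the README examples: the `ansible-galaxy install` command and the `requirements.yml` entry use `pngmbh.ansible_traefik_docker`, but the playbook example references `pngmbh.ansible_docker_traefik`, so a copy-pasted playbook will not resolve the role that was just installed. Use one name throughout. The playbook example also only shows `traefik_dashboard_basicauth_users`; since this commit introduces `traefik_dashboard_fwdauth_server`, a short forward-auth variant of the example, with a note that the two methods cannot be combined, would document the new feature where users look first.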
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
--- | ||
- name: Ensure only basic auth or fwd auth are enabled | ||
block: | ||
- name: Basic auth is enabled, no fwd auth server is configured | ||
block: | ||
- name: Test [basic auth, dashboard is enabled] | ||
assert: | ||
that: | ||
- traefik_dashboard_enable | ||
fail_msg: "Please enable dashboard if you want basic auth for it" | ||
quiet: true | ||
- name: Test [basic auth enabled] | ||
assert: | ||
that: | ||
- traefik_dashboard_fwdauth_server|length == 0 | ||
fail_msg: "You tried to enable basic auth AND fwd auth (hint: unconfigured traefik_dashboard_fwdauth_server)" | ||
quiet: true | ||
- name: Test [basic auth users are set] | ||
assert: | ||
that: | ||
- traefik_dashboard_basicauth_users|length > 0 | ||
fail_msg: "You enabled basic auth without users (hint: configure traefik_dashboard_basicauth_users)" | ||
quiet: true | ||
when: | ||
- traefik_dashboard_basicauth_enable | ||
|
||
- name: Fwd auth server is configured correctly | ||
block: | ||
- name: Test [fwd auth, dashboard is enabled] | ||
assert: | ||
that: | ||
- traefik_dashboard_enable | ||
fail_msg: "Please enable dashboard if you want forward auth for it" | ||
quiet: true | ||
- name: Test [fwd auth is configured] | ||
assert: | ||
that: | ||
- traefik_dashboard_basicauth_users|length == 0 | ||
- not traefik_dashboard_basicauth_enable | ||
fail_msg: "Please remove config for basic auth and enable dashboard" | ||
quiet: true | ||
when: | ||
- traefik_dashboard_fwdauth_server|length > 0 |
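Review bot: Nothing in this file fails when `traefik_dashboard_enable` is true but neither auth method is configured: both inner blocks are skipped by their `when:` conditions, so the dashboard can be deployed with no authentication in front of it. If that is not intended, add a third assert along the lines of `traefik_dashboard_basicauth_enable or traefik_dashboard_fwdauth_server|length > 0`, guarded by `when: traefik_dashboard_enable`. Two smaller points: the hint in "Test [basic auth enabled]" says "unconfigured traefik_dashboard_fwdauth_server" where it means the variable has to be left empty, and the `|length` tests will error out instead of printing `fail_msg` if either variable is undefined, so both need empty defaults in `defaults/main.yml`.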
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,12 @@ | ||
--- | ||
traefik_dashboard_labels: | ||
_traefik_dashboard_labels: | ||
- "traefik.port={{ traefik_dashboard_entrypoint_port }}" | ||
- "traefik.docker.network={{ traefik_docker_network }}" | ||
- "traefik.backend=traefik" | ||
- "traefik.frontend.rule=Host:{{ traefik_dashboard_subdomain }}.{{ traefik_docker_domain | default(inventory_hostname) }}" | ||
- "traefik.frontend.rule=Host:{{ traefik_dashboard_fqdn }}" | ||
- "traefik.enable=true" | ||
|
||
_traefik_dashboard_fwdauth_labels: | ||
- "traefik.frontend.auth.forward.address: {{ traefik_dashboard_fwdauth_server }}" | ||
- "traefik.frontend.auth.forward.authResponseHeaders=X-Auth-User,X-Auth-Group" | ||
- "traefik.frontend.auth.forward.trustForwardHeader=true" |
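Review bot: The first entry of `_traefik_dashboard_fwdauth_labels` separates key and value with `: ` instead of `=` (`"traefik.frontend.auth.forward.address: {{ traefik_dashboard_fwdauth_server }}"`), unlike every other label in this file, so it will not be read as the key `traefik.frontend.auth.forward.address` with the server as its value and the dashboard may come up without forward auth applied. Change it to `traefik.frontend.auth.forward.address={{ traefik_dashboard_fwdauth_server }}`. Separately, `trustForwardHeader=true` makes Traefik trust incoming `X-Forwarded-*` headers; consider making it a variable or documenting that it is only appropriate when Traefik sits behind a trusted proxy.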