From 3c77cb007a40fa4b6dd70db96c8faae925a659ac Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Mon, 26 Aug 2024 19:27:45 +0200
Subject: [PATCH] upgrade to traefik v3 - switched to DaemonSet to prevent NAT and keep source IP
---
 .../arcodange/factory/playbooks/01_system.yml | 36 ++++++++++++++-----
 .../arcodange/factory/playbooks/03_cicd.yml | 2 +-
 2 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/ansible/arcodange/factory/playbooks/01_system.yml b/ansible/arcodange/factory/playbooks/01_system.yml
index 6b23770..95c4fcf 100644
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -14,6 +14,12 @@
 become: yes
 when: inventory_hostname != ansible_hostname
 
+ - name: Prevent apt source conflict
+ ansible.builtin.file:
+ state: absent
+ path: /etc/apt/sources.list.d/docker.list
+ become: yes
+
 - name: Install role geerlingguy.docker
 community.general.ansible_galaxy_install:
 type: role
@@ -71,7 +77,7 @@
 vars:
 k3s_version: v1.30.3+k3s1
 token: changeme!
- extra_server_args: "--docker"
+ extra_server_args: "--docker --disable traefik"
 extra_agent_args: "--docker"
 api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
 
@@ -98,7 +104,7 @@
 community.general.ipify_facts:
 - become: true
 ansible.builtin.copy:
- dest: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+ dest: /var/lib/rancher/k3s/server/manifests/traefik-v3.yaml
 content: |-
 apiVersion: v1
 data:
@@ -110,11 +116,15 @@
 namespace: kube-system
 ---
 apiVersion: helm.cattle.io/v1
- kind: HelmChartConfig
+ kind: HelmChart
 metadata:
 name: traefik
 namespace: kube-system
 spec:
+ repo: https://traefik.github.io/charts
+ chart: traefik
+ version: v30.1.0
+ targetNamespace: kube-system
 valuesContent: |-
 {{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
 vars:
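Review bot: The new `Prevent apt source conflict` task writes `become: yes`, a YAML 1.1 truthy spelling, while other tasks in this same diff use `become: true` (the `ansible.builtin.copy` and `touch` tasks); use `become: true` here so yamllint's `truthy` rule and the file stay consistent. The task name says what it does but not why a file that is not otherwise managed here has to be removed, and the next maintainer will wonder whether it is safe to drop; add a hedged why-comment above it such as `# NOTE(review): presumably a docker.list left by an earlier run duplicates the apt source geerlingguy.docker now manages and breaks apt — confirm against the role version in use`. The enclosing task list starts before this hunk.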
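Review bot: Renaming `dest` to `traefik-v3.yaml` leaves the previous `traefik-config.yaml` behind in `/var/lib/rancher/k3s/server/manifests/` on every host that already ran this playbook, and k3s keeps applying each file in that directory, so the old `HelmChartConfig` (and the ConfigMap in the same file) stays in the cluster next to the new `HelmChart`; nothing in this diff deletes it. Add an explicit removal task ahead of the copy so the migration is idempotent on existing hosts. The `copy` task's `content` continues past the end of this hunk.

```yaml
- name: Remove superseded traefik-config.yaml manifest (k3s keeps applying leftover files in the manifests dir)
  ansible.builtin.file:
    path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
    state: absent
  become: true
# … unchanged: copy of traefik-v3.yaml …
```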
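Review bot: The new `HelmChart` is named `traefik` in `kube-system`, which is the same name k3s uses for its bundled Traefik HelmChart; on a cluster that is being upgraded in place this manifest can be picked up before the server has restarted with `--disable traefik`, and then two definitions compete for one object and the packaged chart's teardown may remove the new release as well — this ordering is inferred from the playbook, so confirm it on a real upgrade. Either give the new chart a distinct name (keeping `targetNamespace: kube-system`) or record the constraint above `kind: HelmChart`: `# must only be applied once k3s runs with --disable traefik; the packaged HelmChart has the same name`. Pinning `version: v30.1.0` is the right call, since the chart is fetched from `https://traefik.github.io/charts` at deploy time with no digest check; keep it an exact version rather than a range so an upstream release cannot silently change what runs on the edge. The `valuesContent` template and the `vars:` block continue outside this hunk.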
@@ -149,21 +159,29 @@
 - websecure
 middlewares:
 localIp:
- ipWhiteList:
+ IPAllowList:
 sourceRange:
 - "192.168.1.0/24"
 - "{{ ipify_public_ip }}/32"
- traefik_helm_values: # https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
+ traefik_helm_values:
+ # default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
+ # current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
+ deployment:
+ kind: DaemonSet
 service:
 spec:
 externalTrafficPolicy: Local
 ports:
 traefik:
- expose: true
+ expose:
+ default: true
+ ingressRoute:
+ dashboard:
+ enabled: true
 globalArguments: [] # deactivate --global.sendanonymoususage
 logs:
 general:
- level: TRACE
+ level: DEBUG
 # format: json
 access:
 enabled: true
@@ -204,9 +222,9 @@
 name: traefik-duckdns-token # MY_TOKEN=
 # kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKEN=$MY_TOKEN" -n kube-system
 
- - name: touch manifests/traefik-config.yaml to trigger update
+ - name: touch manifests/traefik.yaml to trigger update
 ansible.builtin.file:
- path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+ path: /var/lib/rancher/k3s/server/manifests/traefik-v3.yaml
 state: touch
 become: true
 
diff --git a/ansible/arcodange/factory/playbooks/03_cicd.yml b/ansible/arcodange/factory/playbooks/03_cicd.yml
index 3fad1b9..9ba417b 100644
--- a/ansible/arcodange/factory/playbooks/03_cicd.yml
+++ b/ansible/arcodange/factory/playbooks/03_cicd.yml
@@ -215,7 +215,7 @@
 gitea_credentials:
 username: arcodange
 password: "{{ argocd_token }}"
- argocd_helm_values:
+ argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
 global:
 domain: argocd.arcodange.duckdns.org
 configs:
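Review bot: `ingressRoute.dashboard.enabled: true` publishes the dashboard and `/api` route with no middleware, and the `ports.traefik.expose.default: true` a few lines above puts the `traefik` entrypoint on the Service, so with a DaemonSet and `externalTrafficPolicy: Local` the unauthenticated dashboard appears reachable from every address the Service is exposed on — confirm against the rendered Service and the chart's dashboard IngressRoute defaults. The `localIp` `IPAllowList` defined in this same hunk is not attached to that route, so it does not protect it. Either keep the entrypoint internal (`expose: { default: false }` and reach the dashboard with `kubectl port-forward`) or attach an allowlist or auth middleware through `ingressRoute.dashboard.middlewares`. Separately, Traefik v3 spells the middleware `ipAllowList` in the Kubernetes CRD where key matching is exact; if this block feeds the file provider the capitalized `IPAllowList` may be accepted, but lowercasing it is safe in both cases. The surrounding `vars:` mapping starts before this hunk.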
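Review bot: The renamed task's name says `traefik.yaml` while its `path` is `traefik-v3.yaml`, so the play log will not match the file it touches; change it to `- name: touch manifests/traefik-v3.yaml to trigger update`. The task already uses `become: true`, which is the spelling the rest of the file should converge on.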