Init commit

.ansible-lint

@@ -0,0 +1,8 @@
+exclude_paths:
+  - molecule/
+
+skip_list:
+  - 'unknown-module'
+  - 'name[template]'
+  - 'no-changed-when'
+  - 'risky-shell-pipe'

.github/workflows/validation.yml

@@ -0,0 +1,44 @@
+name: Validate infrastructure as code
+
+on:
+  push:
+    branches:
+      - "dev"
+      - "main"
+  pull_request:
+    branches:
+      - "dev"
+      - "main"
+  schedule:
+    - cron: "0 7 * * 0"
+jobs:
+  Linting:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@cc7f2f599318aa344fca575c635c2caa6d492a14
+
+  Security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Ensure results dir
+        run: mkdir -p kics-results/
+      - name: Run kics scan
+        uses: checkmarx/kics-github-action@3f21d96af19575aae6bf83ebdd7dee91d02fa746
+        with:
+          path: ./
+          output_path: kics-results/
+          fail_on: high,medium
+          type: Ansible
+      - name: Remove results directory
+        run: rm -rf kics-results/
+
+  Deprications:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Ensure pluto is present
+        uses: FairwindsOps/pluto/github-action@ba8fec507d0e5ae0960530a60cd519875704a4b3
+      - name: Find deprecations
+        run: pluto detect-files -d ./

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

README.md

@@ -0,0 +1,46 @@
+# ansible_role_ensure_traefik_basic_auth_middleware
+
+[![Validate infrastructure as code](https://github.com/garliclabs/ansible_role_ensure_traefik_basic_auth_middleware/actions/workflows/validation.yml/badge.svg)](https://github.com/garliclabs/ansible_role_ensure_traefik_basic_auth_middleware/actions/workflows/validation.yml)
+
+This role creates basic auth middleware for traefik on a given kubernetes.  
+
+## Requirements
+
+kubectl, kubernetes
+
+## Role Variables
+
+**traefik_basic_auth_kubeconfig:** Path to the kubeconf of the kubernetes you want to configure
+
+```yml
+traefik_basic_auth_items: []
+  # - secretName: nginx-basic-auth-secret
+  #   namespace: default
+  #   middlewareName: nginx-basic-auth
+  #   state: "present"
+  #   username: 
+  #   password: 
+  #   hostname: "nginx.example.com"
+  #   serviceName: nginx
+  #   servicePort: 80
+```
+
+## Development
+
+### Linting & static security analyser
+
+Both the linter and the static security analyser are running on each push on the github actions pipeline.  
+
+* As linter [ansible-lint](https://ansible.readthedocs.io/projects/lint/) is used. For installation documentation see [ansible lint installing](https://ansible.readthedocs.io/projects/lint/)
+  * Just run `ansible-lint`
+
+* To check if there are any passwords, tokens... hardcoded, [kics](https://kics.io/index.html) is used to ensure a secure IaC repository.  
+  * Run it locally `docker run -t -v $PWD:/path checkmarx/kics:latest scan -p /path -o "/path/"`
+
+## Dependencies
+
+* The server this role is executed need to have kubectl with a connection to the kubernetes you want to configure
+
+## License
+
+GNU General Public License version 3

defaults/main.yml

@@ -0,0 +1,14 @@
+---
+
+traefik_basic_auth_kubeconfig: "{{ undef(hint='You need to provide a kubeconfig') }"
+
+traefik_basic_auth_items: []
+  # - secretName: nginx-basic-auth-secret
+  #   namespace: default
+  #   middlewareName: nginx-basic-auth
+  #   state: "present"
+  #   username: 
+  #   password: 
+  #   hostname: "nginx.example.com"
+  #   serviceName: nginx
+  #   servicePort: 80

meta/main.yml

@@ -0,0 +1,16 @@
+galaxy_info:
+  author: ngotzmann, lsiemer
+  namespace: garliclabs
+  description: Ensures basic auth on traefik ingress on kubernetes
+  license: GPL-3.0-only
+
+  min_ansible_version: "2.11"
+
+  platforms:
+  - name: Debian
+
+  galaxy_tags:
+    - helm
+    - kubernetes
+    - ingress
+    - traefik

pip_requirements.txt

@@ -0,0 +1,68 @@
+ansible==9.1.0
+ansible-compat==4.1.10
+ansible-core==2.16.2
+asttokens==2.4.1
+attrs==23.2.0
+bracex==2.4
+cachetools==5.3.2
+certifi==2023.11.17
+cffi==1.16.0
+charset-normalizer==3.3.2
+click==8.1.7
+click-help-colors==0.9.4
+comm==0.2.0
+cryptography==41.0.7
+decorator==5.1.1
+docker==7.0.0
+enrich==1.2.7
+executing==2.0.1
+google-auth==2.25.2
+idna==3.6
+ipython==8.19.0
+ipywidgets==8.1.1
+jedi==0.19.1
+Jinja2==3.1.2
+jsonschema==4.20.0
+jsonschema-specifications==2023.12.1
+jupyterlab-widgets==3.0.9
+k3d==2.16.0
+kubernetes==28.1.0
+markdown-it-py==3.0.0
+MarkupSafe==2.1.3
+matplotlib-inline==0.1.6
+mdurl==0.1.2
+molecule==6.0.3
+molecule-k3d==0.1.0
+msgpack==1.0.7
+numpy==1.26.2
+oauthlib==3.2.2
+packaging==23.2
+parso==0.8.3
+pexpect==4.9.0
+pluggy==1.3.0
+prompt-toolkit==3.0.43
+ptyprocess==0.7.0
+pure-eval==0.2.2
+pyasn1==0.5.1
+pyasn1-modules==0.3.0
+pycparser==2.21
+Pygments==2.17.2
+python-dateutil==2.8.2
+PyYAML==6.0.1
+referencing==0.32.0
+requests==2.31.0
+requests-oauthlib==1.3.1
+resolvelib==1.0.1
+rich==13.7.0
+rpds-py==0.16.2
+rsa==4.9
+six==1.16.0
+stack-data==0.6.3
+subprocess-tee==0.4.1
+traitlets==5.14.0
+traittypes==0.2.1
+urllib3==1.26.18
+wcmatch==8.5
+wcwidth==0.2.12
+websocket-client==1.7.0
+widgetsnbextension==4.0.9

tasks/ensure_basic_auth_state.yml

@@ -0,0 +1,53 @@
+---
+
+- name: "Ensure secrets for basic auth {{ item.secretName }} is {{ item.state }}"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ traefik_basic_auth_kubeconfig }}"
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ item.secretName }}"
+        namespace: "{{ item.namespace }}"
+      type: "kubernetes.io/basic-auth"
+      data:
+        username: "{{ item.username | b64encode }}"
+        password: "{{ item.password | b64encode }}"
+      state: "{{ item.state }}"
+
+- name: "Ensure traefik middleware {{ item.middlewareName }} is {{ item.state }}"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ traefik_basic_auth_kubeconfig }}"
+    definition:
+      apiVersion: traefik.containo.us/v1alpha1
+      kind: Middleware
+      metadata:
+        name: "{{ item.middlewareName }}"
+        namespace: "{{ item.namespace }}"
+      spec:
+        basicAuth:
+          secret: "{{ item.secretName }}"
+    state: "{{ item.state }}"
+
+- name: "Ensure traefik middleware route {{ item.middlewareName }} is {{ item.state }}"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ traefik_basic_auth_kubeconfig }}"
+    definition:
+      apiVersion: traefik.containo.us/v1alpha1
+      kind: IngressRoute
+      metadata:
+        name: "{{ item.middlewareName }}"
+        namespace: "{{ item.namespace }}"
+      spec:
+        entryPoints:
+          - web
+        routes:
+          - kind: Rule
+            match: "Host(`{{ item.hostname }}`)"
+            middlewares:
+              - name: "{{ item.middlewareName }}"
+            services:
+              - kind: Service
+                name: "{{ item.serviceName }}"
+                port: "{{ item.servicePort }}"
+    state: "{{ item.state }}"

tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Get ingressClass name
+  ansible.builtin.shell: kubectl get ingressClass -o json | jq --join-output '.items | .[] | .metadata | .name'
+  register: "ingress_class_name"
+
+- name: Check if traefik is ingressClassName 
+  ansible.builtin.fail:
+    msg: '{{ ingressClassName.stdout }} is not traefik'
+  when: ingress_class_name.stdout != "traefik"
+
+- name: Ensure basic auth state
+  ansible.builtin.include_tasks: ensure_basic_auth_state.yml
+  when: traefik_basic_auth_items is defined
+  with_items: "{{ traefik_basic_auth_items }}"