refactor(lb): Make configurable the Traefik endpoints

Instead of hard-coding them in the Traefik static config, they can be
set as the polaris.traefik_endpoints variable.  This means changes to
the Polaris collection aren't required every time we need to change the
endpoints (e.g. to temporarily provide public access to a usually
private service).

Author: boite

playbooks/lb/templates/traefik-config.yaml.j2

@@ -1,19 +1,7 @@
 entryPoints:
-  web:
-    address: ":80"
-{% if tls_files|length %}
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-{% endif %}
-
-  websecure:
-    address: ":443"
-
-  headscale:
-    address: ":18080"
+{% for id, entrypoint in (polaris.traefik_entrypoints | default({"websecure":{"address":":443"}})).items() %}
+  {{ id }}: {{ entrypoint }}
+{% endfor %}
 
 accessLog:
   # TODO logrotation

variables.schema.yaml

@@ -96,6 +96,19 @@ properties:
       '--login-server http://swarm-manager:18080'
     ]
 
+  traefik_entrypoints:
+    type: object
+    description: >
+      Entrypoints required by Traefik for its static configuration.
+      Please see for details: https://doc.traefik.io/traefik/routing/entrypoints/
+    additionalProperties: true
+    examples:
+      - http:
+          address: ':443'
+    default:
+      websecure:
+        address: ':443'
+
   traefik_tls_files:
     type: array
     description: SOPS encrypted certificate and keyfile to inject into traefik for TLS offloading