Traefik: Move to host mode

coreos-config/plays/services/traefik/docker-compose.yaml

@@ -10,9 +10,7 @@ services:
         soft: 4000
         hard: 15000
     restart: always
-    ports:
-      - "443:443"
-      - "80:80"
+    network_mode: host
     privileged: true
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:z"
@@ -22,16 +20,11 @@ services:
     labels:
       - "prometheus-scrape.enabled=true"
       - "prometheus-scrape.port=9091"
-    networks:
-      - gateway
-      - default
 
 {% if deploy_traefik_fa %}
   traefik-fa:
     image: quay.io/oauth2-proxy/oauth2-proxy:latest
     restart: unless-stopped
-    networks:
-      - gateway
     depends_on:
       - traefik
     labels:
@@ -63,8 +56,6 @@ services:
 
   whoami:
     image: containous/whoami
-    networks:
-      - gateway
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.whoami.loadbalancer.server.port=80"
@@ -78,9 +69,6 @@ volumes:
   acme:
 
 networks:
-  gateway:
-    name: gateway
-    internal: false
   default:
     driver: bridge
 ...

coreos-config/plays/services/traefik/dynamic.yaml

@@ -1,5 +1,12 @@
 http:
   middlewares:
+    metrics-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.0.0/16"
+          - "172.16.0.0/16"
+          - "10.254.1.0/24"
     auth-headers:
       headers:
         sslRedirect: true

coreos-config/plays/services/traefik/traefik.yaml

@@ -8,7 +8,6 @@ metrics:
     entryPoint: metrics
 providers:
   docker:
-    network: gateway
     exposedbydefault: false
   file:
     filename: /etc/traefik/dynamic.yaml
@@ -23,6 +22,9 @@ entryPoints:
           permanent: true
   metrics:
     address: ":9091"
+    http:
+      middlewares:
+        - "metrics-ipwhitelist@file"
   websecure:
     address: ":443"
     http: