|
@@ -0,0 +1,449 @@
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: ingressroutes.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: IngressRoute
|
|
|
+ plural: ingressroutes
|
|
|
+ singular: ingressroute
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: ingressroutetcps.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: IngressRouteTCP
|
|
|
+ plural: ingressroutetcps
|
|
|
+ singular: ingressroutetcp
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: middlewares.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: Middleware
|
|
|
+ plural: middlewares
|
|
|
+ singular: middleware
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: tlsoptions.traefik.containo.us
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: TLSOption
|
|
|
+ plural: tlsoptions
|
|
|
+ singular: tlsoption
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: traefikservices.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: TraefikService
|
|
|
+ plural: traefikservices
|
|
|
+ singular: traefikservice
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: tlsstores.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: TLSStore
|
|
|
+ plural: tlsstores
|
|
|
+ singular: tlsstore
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+---
|
|
|
+apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ name: ingressrouteudps.traefik.containo.us
|
|
|
+
|
|
|
+spec:
|
|
|
+ group: traefik.containo.us
|
|
|
+ version: v1alpha1
|
|
|
+ names:
|
|
|
+ kind: IngressRouteUDP
|
|
|
+ plural: ingressrouteudps
|
|
|
+ singular: ingressrouteudp
|
|
|
+ scope: Namespaced
|
|
|
+
|
|
|
+#RBAC --------------------------------------------
|
|
|
+---
|
|
|
+kind: ClusterRole
|
|
|
+apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
|
+metadata:
|
|
|
+ name: traefik-ingress-controller
|
|
|
+
|
|
|
+rules:
|
|
|
+ - apiGroups:
|
|
|
+ - ""
|
|
|
+ resources:
|
|
|
+ - services
|
|
|
+ - endpoints
|
|
|
+ - secrets
|
|
|
+ verbs:
|
|
|
+ - get
|
|
|
+ - list
|
|
|
+ - watch
|
|
|
+ - apiGroups:
|
|
|
+ - extensions
|
|
|
+ resources:
|
|
|
+ - ingresses
|
|
|
+ verbs:
|
|
|
+ - get
|
|
|
+ - list
|
|
|
+ - watch
|
|
|
+ - apiGroups:
|
|
|
+ - extensions
|
|
|
+ resources:
|
|
|
+ - ingresses/status
|
|
|
+ verbs:
|
|
|
+ - update
|
|
|
+ - apiGroups:
|
|
|
+ - traefik.containo.us
|
|
|
+ resources:
|
|
|
+ - middlewares
|
|
|
+ - ingressroutes
|
|
|
+ - traefikservices
|
|
|
+ - ingressroutetcps
|
|
|
+ - ingressrouteudps #-------------
|
|
|
+ - tlsoptions
|
|
|
+ - tlsstores #-------------
|
|
|
+ verbs:
|
|
|
+ - get
|
|
|
+ - list
|
|
|
+ - watch
|
|
|
+
|
|
|
+---
|
|
|
+kind: ClusterRoleBinding
|
|
|
+apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
|
+metadata:
|
|
|
+ name: traefik-ingress-controller
|
|
|
+roleRef:
|
|
|
+ apiGroup: rbac.authorization.k8s.io
|
|
|
+ kind: ClusterRole
|
|
|
+ name: traefik-ingress-controller
|
|
|
+subjects:
|
|
|
+ - kind: ServiceAccount
|
|
|
+ name: traefik
|
|
|
+ namespace: kube-system
|
|
|
+
|
|
|
+---
|
|
|
+kind: PersistentVolume
|
|
|
+apiVersion: v1
|
|
|
+metadata:
|
|
|
+ name: traefik-data
|
|
|
+ namespace: kube-system
|
|
|
+spec:
|
|
|
+ capacity:
|
|
|
+ storage: 1Gi
|
|
|
+ volumeMode: Filesystem
|
|
|
+ accessModes:
|
|
|
+ - ReadWriteOnce
|
|
|
+ claimRef:
|
|
|
+ namespace: kube-system
|
|
|
+ name: traefik-data
|
|
|
+ csi:
|
|
|
+ driver: driver.longhorn.io
|
|
|
+ fsType: ext4
|
|
|
+ volumeHandle: traefik-data
|
|
|
+ storageClassName: longhorn-durable
|
|
|
+---
|
|
|
+apiVersion: v1
|
|
|
+kind: PersistentVolumeClaim
|
|
|
+metadata:
|
|
|
+ name: traefik-data
|
|
|
+ namespace: kube-system
|
|
|
+spec:
|
|
|
+ accessModes:
|
|
|
+ - ReadWriteOnce
|
|
|
+ storageClassName: longhorn-durable
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ storage: 1Gi
|
|
|
+ volumeName: "traefik-data"
|
|
|
+#INGRESS --------------------------------------------
|
|
|
+---
|
|
|
+#####################################################
|
|
|
+# Secure traefik dashboard with https and basic auth
|
|
|
+#####################################################
|
|
|
+apiVersion: traefik.containo.us/v1alpha1
|
|
|
+kind: IngressRoute
|
|
|
+metadata:
|
|
|
+ name: traefik-dashboard
|
|
|
+spec:
|
|
|
+ routes:
|
|
|
+ - match: Host(`traefik.eugeniocarvalho.dev`)
|
|
|
+ kind: Rule
|
|
|
+ services:
|
|
|
+ - name: api@internal
|
|
|
+ kind: TraefikService
|
|
|
+ # optional: add basic auth
|
|
|
+ #middlewares:
|
|
|
+ # - name: basic-auth
|
|
|
+
|
|
|
+###############################
|
|
|
+# ServiceAccount
|
|
|
+###############################
|
|
|
+---
|
|
|
+apiVersion: v1
|
|
|
+kind: ServiceAccount
|
|
|
+metadata:
|
|
|
+ name: traefik
|
|
|
+ namespace: kube-system
|
|
|
+
|
|
|
+###############################
|
|
|
+# Deployment
|
|
|
+###############################
|
|
|
+---
|
|
|
+apiVersion: apps/v1
|
|
|
+kind: Deployment
|
|
|
+metadata:
|
|
|
+ labels:
|
|
|
+ app: traefik
|
|
|
+ release: traefik
|
|
|
+ name: traefik
|
|
|
+ namespace: kube-system
|
|
|
+
|
|
|
+spec:
|
|
|
+ replicas: 1
|
|
|
+ selector:
|
|
|
+ matchLabels:
|
|
|
+ app: traefik
|
|
|
+ release: traefik
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ labels:
|
|
|
+ app: traefik
|
|
|
+ release: traefik
|
|
|
+ spec:
|
|
|
+ containers:
|
|
|
+ - args:
|
|
|
+ - --api
|
|
|
+ - --api.insecure=true
|
|
|
+ # Set insecure to fals to enable basic auth
|
|
|
+ #- --api.insecure=false
|
|
|
+ - --api.dashboard=true
|
|
|
+ - --accesslog
|
|
|
+ - --global.checknewversion=true
|
|
|
+ - --entryPoints.traefik.address=:8100
|
|
|
+ - --entryPoints.web.address=:80
|
|
|
+ - --entryPoints.websecure.address=:443
|
|
|
+
|
|
|
+ # permanent redirecting of all requests on http (80) to https (443)
|
|
|
+ - --entrypoints.web.http.redirections.entryPoint.to=websecure
|
|
|
+ - --entrypoints.websecure.http.tls.certResolver=default
|
|
|
+
|
|
|
+ # Let's Encrypt Configurtion:
|
|
|
+ # Please note that this is the staging Let's Encrypt server configuration.
|
|
|
+ # Once you get things working, you should remove that following line.
|
|
|
+ - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
|
|
|
+ - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
|
|
|
+ - --certificatesresolvers.default.acme.storage=/var/lib/traefik/acme.json
|
|
|
+ - --certificatesresolvers.default.acme.tlschallenge=true
|
|
|
+
|
|
|
+ - --ping=true
|
|
|
+ - --providers.kubernetescrd=true
|
|
|
+ - --providers.kubernetesingress=true
|
|
|
+
|
|
|
+ # Use log level= INFO or DEBUG
|
|
|
+ - --log.level=INFO
|
|
|
+ image: traefik:2.2.1
|
|
|
+ imagePullPolicy: IfNotPresent
|
|
|
+ livenessProbe:
|
|
|
+ failureThreshold: 3
|
|
|
+ httpGet:
|
|
|
+ path: /ping
|
|
|
+ port: 8100
|
|
|
+ scheme: HTTP
|
|
|
+ initialDelaySeconds: 10
|
|
|
+ periodSeconds: 10
|
|
|
+ successThreshold: 1
|
|
|
+ timeoutSeconds: 2
|
|
|
+ name: traefik
|
|
|
+ ports:
|
|
|
+ - containerPort: 8100
|
|
|
+ name: admin
|
|
|
+ protocol: TCP
|
|
|
+ - containerPort: 80
|
|
|
+ name: web
|
|
|
+ protocol: TCP
|
|
|
+ - containerPort: 443
|
|
|
+ name: websecure
|
|
|
+ protocol: TCP
|
|
|
+
|
|
|
+ # optional storage
|
|
|
+ # enable this option only in case you have defined a persistence volume claim
|
|
|
+ volumeMounts:
|
|
|
+ - name: traefik-data
|
|
|
+ mountPath: /var/lib/traefik
|
|
|
+
|
|
|
+ readinessProbe:
|
|
|
+ failureThreshold: 1
|
|
|
+ httpGet:
|
|
|
+ path: /ping
|
|
|
+ port: 8100
|
|
|
+ scheme: HTTP
|
|
|
+ initialDelaySeconds: 10
|
|
|
+ periodSeconds: 10
|
|
|
+ successThreshold: 1
|
|
|
+ timeoutSeconds: 2
|
|
|
+ resources: {}
|
|
|
+ terminationMessagePath: /dev/termination-log
|
|
|
+ terminationMessagePolicy: File
|
|
|
+ dnsPolicy: ClusterFirst
|
|
|
+ restartPolicy: Always
|
|
|
+ schedulerName: default-scheduler
|
|
|
+ securityContext: {}
|
|
|
+ serviceAccount: traefik
|
|
|
+ serviceAccountName: traefik
|
|
|
+ terminationGracePeriodSeconds: 60
|
|
|
+
|
|
|
+ # optional storage
|
|
|
+ # enable this option only in case you have defined a persistence volume claim
|
|
|
+ volumes:
|
|
|
+ - name: traefik-data
|
|
|
+ persistentVolumeClaim:
|
|
|
+ claimName: traefik-data
|
|
|
+
|
|
|
+###############################
|
|
|
+# Service
|
|
|
+###############################
|
|
|
+---
|
|
|
+apiVersion: v1
|
|
|
+kind: Service
|
|
|
+metadata:
|
|
|
+ labels:
|
|
|
+ app: traefik
|
|
|
+ release: traefik
|
|
|
+ name: traefik
|
|
|
+ namespace: kube-system
|
|
|
+spec:
|
|
|
+ externalIPs:
|
|
|
+ - 10.128.0.8
|
|
|
+ externalTrafficPolicy: Cluster
|
|
|
+ ports:
|
|
|
+ - name: web
|
|
|
+ port: 80
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 80
|
|
|
+ - name: websecure
|
|
|
+ port: 443
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 443
|
|
|
+ - name: admin
|
|
|
+ port: 8100
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 8100
|
|
|
+ selector:
|
|
|
+ app: traefik
|
|
|
+ release: traefik
|
|
|
+ sessionAffinity: None
|
|
|
+ type: LoadBalancer
|
|
|
+status:
|
|
|
+ loadBalancer: {}
|
|
|
+
|
|
|
+#########################################################
|
|
|
+# The Middleware configuration contains middleware componenst
|
|
|
+# for a HTTP->HTTS redirection and a BasicAuth example.
|
|
|
+#########################################################
|
|
|
+
|
|
|
+###############################
|
|
|
+# Middleware for basicAuth
|
|
|
+###############################
|
|
|
+---
|
|
|
+# apiVersion: traefik.containo.us/v1alpha1
|
|
|
+# kind: Middleware
|
|
|
+# metadata:
|
|
|
+# name: basic-auth
|
|
|
+# spec:
|
|
|
+# basicAuth:
|
|
|
+# secret: authsecret
|
|
|
+
|
|
|
+# ---
|
|
|
+# apiVersion: v1
|
|
|
+# kind: Secret
|
|
|
+# metadata:
|
|
|
+# name: authsecret
|
|
|
+# namespace: default
|
|
|
+
|
|
|
+# #------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
|
|
|
+# data:
|
|
|
+# users: |2
|
|
|
+# YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
|
|
|
+# cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=
|
|
|
+
|
|
|
+###############################
|
|
|
+# Middleware for HTTP->HTTPS
|
|
|
+# This middleware is not needed in case of:
|
|
|
+# entrypoints.web.http.redirections.entryPoint.to=websecure
|
|
|
+###############################
|
|
|
+#---
|
|
|
+#apiVersion: traefik.containo.us/v1alpha1
|
|
|
+#kind: Middleware
|
|
|
+#metadata:
|
|
|
+# name: https-redirect
|
|
|
+#spec:
|
|
|
+# redirectScheme:
|
|
|
+# scheme: https
|
|
|
+# permanent: true
|
|
|
+# #port: 443
|
|
|
+
|
|
|
+###############################
|
|
|
+# Middleware for CORS
|
|
|
+###############################
|
|
|
+---
|
|
|
+apiVersion: traefik.containo.us/v1alpha1
|
|
|
+kind: Middleware
|
|
|
+metadata:
|
|
|
+ name: cors-all
|
|
|
+spec:
|
|
|
+ headers:
|
|
|
+ accessControlAllowMethods:
|
|
|
+ - "GET"
|
|
|
+ - "OPTIONS"
|
|
|
+ - "PUT"
|
|
|
+ - "POST"
|
|
|
+ accessControlAllowOriginList:
|
|
|
+ - "origin-list-or-null"
|
|
|
+ accessControlMaxAge: 100
|
|
|
+ accessControlAllowHeaders:
|
|
|
+ - "Content-Type"
|
|
|
+ addVaryHeader: true
|
|
|
+ customRequestHeaders:
|
|
|
+ X-Forwarded-Proto: "https"
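Review bot: The dashboard and API are reachable without authentication: `--api.insecure=true` serves them on the `traefik` entry point (`:8100`), the Service publishes that port as `admin` on a `LoadBalancer` with `externalIPs`, and the `traefik-dashboard` IngressRoute routes `api@internal` with its `middlewares` block commented out, although its header says it is secured with basic auth. I would switch the flag to `- --api.insecure=false`, drop the `admin` port entry from the Service, and enable `middlewares:` / `- name: basic-auth` on the route together with the Middleware and Secret that are currently commented out, using a freshly generated htpasswd entry rather than the sample one. The `/ping` probes on 8100 should keep working, since ping defaults to the `traefik` entry point, but that is worth confirming against the 2.2.1 image. Separately, the ClusterRole grants cluster-wide `get`/`list`/`watch` on `secrets`; a comment there stating why, or a namespaced Role where the deployment allows it, would help.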
|