
initial

EUGENIO SOUZA CARVALHO há 4 anos atrás
commit
a4f29698c0
1 ficheiros alterados com 449 adições e 0 exclusões
  1. 449 0
      traefik.yaml

+ 449 - 0
traefik.yaml

@@ -0,0 +1,449 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+#RBAC  --------------------------------------------
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps  #-------------
+      - tlsoptions
+      - tlsstores #-------------
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: kube-system
+
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: traefik-data
+  namespace: kube-system
+spec:
+  capacity:
+    storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  claimRef:
+    namespace: kube-system
+    name: traefik-data
+  csi:
+    driver: driver.longhorn.io
+    fsType: ext4
+    volumeHandle: traefik-data
+  storageClassName: longhorn-durable
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-data
+  namespace: kube-system
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn-durable
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: "traefik-data"
+#INGRESS --------------------------------------------
+---
+#####################################################
+# Secure traefik dashboard with https and basic auth
+#####################################################
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+    - match: Host(`traefik.eugeniocarvalho.dev`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+      # optional: add basic auth
+      #middlewares:
+      #  - name: basic-auth
+
+###############################
+# ServiceAccount
+###############################
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik
+  namespace: kube-system
+
+###############################
+# Deployment
+###############################
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: traefik
+    release: traefik
+  name: traefik
+  namespace: kube-system
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+      release: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+        release: traefik
+    spec:
+      containers:
+        - args:
+            - --api
+            - --api.insecure=true
+            # Set insecure to fals to enable basic auth
+            #- --api.insecure=false
+            - --api.dashboard=true
+            - --accesslog
+            - --global.checknewversion=true
+            - --entryPoints.traefik.address=:8100
+            - --entryPoints.web.address=:80
+            - --entryPoints.websecure.address=:443
+
+            # permanent redirecting of all requests on http (80) to https (443)
+            - --entrypoints.web.http.redirections.entryPoint.to=websecure
+            - --entrypoints.websecure.http.tls.certResolver=default
+
+            # Let's Encrypt Configurtion:
+            # Please note that this is the staging Let's Encrypt server configuration.
+            # Once you get things working, you should remove that following line.
+            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+            - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
+            - --certificatesresolvers.default.acme.storage=/var/lib/traefik/acme.json
+            - --certificatesresolvers.default.acme.tlschallenge=true
+
+            - --ping=true
+            - --providers.kubernetescrd=true
+            - --providers.kubernetesingress=true
+
+            # Use log level= INFO or DEBUG
+            - --log.level=INFO
+          image: traefik:2.2.1
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ping
+              port: 8100
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          name: traefik
+          ports:
+            - containerPort: 8100
+              name: admin
+              protocol: TCP
+            - containerPort: 80
+              name: web
+              protocol: TCP
+            - containerPort: 443
+              name: websecure
+              protocol: TCP
+
+          # optional storage
+          # enable this option only in case you have defined a persistence volume claim
+          volumeMounts:
+            - name: traefik-data
+              mountPath: /var/lib/traefik
+
+          readinessProbe:
+            failureThreshold: 1
+            httpGet:
+              path: /ping
+              port: 8100
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: traefik
+      serviceAccountName: traefik
+      terminationGracePeriodSeconds: 60
+
+      # optional storage
+      # enable this option only in case you have defined a persistence volume claim
+      volumes:
+        - name: traefik-data
+          persistentVolumeClaim:
+            claimName: traefik-data
+
+###############################
+# Service
+###############################
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: traefik
+    release: traefik
+  name: traefik
+  namespace: kube-system
+spec:
+  externalIPs:
+    - 10.128.0.8
+  externalTrafficPolicy: Cluster
+  ports:
+    - name: web
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: websecure
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    - name: admin
+      port: 8100
+      protocol: TCP
+      targetPort: 8100
+  selector:
+    app: traefik
+    release: traefik
+  sessionAffinity: None
+  type: LoadBalancer
+status:
+  loadBalancer: {}
+
+#########################################################
+# The Middleware configuration contains middleware componenst
+# for a HTTP->HTTS redirection and a BasicAuth example.
+#########################################################
+
+###############################
+# Middleware for basicAuth
+###############################
+---
+# apiVersion: traefik.containo.us/v1alpha1
+# kind: Middleware
+# metadata:
+#   name: basic-auth
+# spec:
+#   basicAuth:
+#     secret: authsecret
+
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: authsecret
+#   namespace: default
+
+# #------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
+# data:
+#   users: |2
+#     YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
+#     cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=
+
+###############################
+# Middleware for HTTP->HTTPS
+# This middleware is not needed in case of:
+#      entrypoints.web.http.redirections.entryPoint.to=websecure
+###############################
+#---
+#apiVersion: traefik.containo.us/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: https-redirect
+#spec:
+#  redirectScheme:
+#    scheme: https
+#    permanent: true
+#    #port: 443
+
+###############################
+# Middleware for CORS
+###############################
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: cors-all
+spec:
+  headers:
+    accessControlAllowMethods:
+      - "GET"
+      - "OPTIONS"
+      - "PUT"
+      - "POST"
+    accessControlAllowOriginList:
+      - "origin-list-or-null"
+    accessControlMaxAge: 100
+    accessControlAllowHeaders:
+      - "Content-Type"
+    addVaryHeader: true
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
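Review bot: The Traefik API and dashboard are served without authentication: `--api.insecure=true` in the Deployment args puts them on the `traefik` entrypoint (`:8100`), and the Service publishes that port as `admin` on a `LoadBalancer` with `externalIPs`. The `traefik-dashboard` IngressRoute has its `middlewares` reference commented out, and the `basic-auth` Middleware and Secret further down are commented out too, so neither path enforces a login despite the "Secure traefik dashboard with https and basic auth" header. I would set `- --api.insecure=false`, remove the `admin` entry from the Service `ports`, and enable `middlewares: - name: basic-auth` on the route, creating the Secret from a freshly generated htpasswd file rather than the sample whose default credential is printed in the comment. The `/ping` probes should be unaffected, since they reach container port 8100 directly rather than through the Service.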