###############################
# ServiceAccount
###############################
---
# Identity the Traefik pod uses when it talks to the Kubernetes API.
# No Role/ClusterRole or binding for this account is defined in this file, so
# its effective permissions cannot be reviewed from here.
# NOTE(review): confirm the bound role grants only the read/watch access the
# ingress and CRD providers need.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

---
# Google Cloud service-account key file for Traefik's ACME DNS challenge.
# The Deployment mounts this Secret under /secrets and points
# GCE_SERVICE_ACCOUNT_FILE at gcloud-credentials.json.
#
# - Values under `data` are base64-encoded, not encrypted. Anyone who can read
#   this manifest, or read Secrets in kube-system, obtains the key.
# - Do not keep real key material in version control. Create the Secret out of
#   band or through a sealed/external secret mechanism, and rotate any key
#   that has been committed.
# - NOTE(review): the IAM role behind this key is not visible here. Confirm it
#   is limited to managing DNS records for the ACME challenge.
# - The name is spelled "crendential". The Deployment's volume refers to this
#   exact spelling, so a rename has to change both places together.
apiVersion: v1
kind: Secret
metadata:
  name: google-crendential
  labels:
    name: google-crendential
  namespace: kube-system
type: Opaque
data:
  gcloud-credentials.json: "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"

###############################
# Deployment
###############################
---
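# Traefik v2 ingress controller. Terminates TLS on :443 with certificates
# obtained through ACME (DNS challenge, provider "gcloud").
#
# Review notes:
#  - The pod runs in kube-system and mounts a cloud DNS credential. A dedicated
#    namespace would narrow what a compromise of this pod can reach.
#  - RBAC for the "traefik" ServiceAccount is not part of this file.
#  - Changes relative to the original manifest: the secret mount is marked
#    readOnly, and the container gets a securityContext that blocks privilege
#    escalation and drops every capability except NET_BIND_SERVICE.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
    release: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      serviceAccount: traefik  # deprecated alias of serviceAccountName
      serviceAccountName: traefik
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 60
      securityContext: {}
      volumes:
        - name: google-crendential
          secret:
            secretName: google-crendential
        # Optional persistent storage. Enable only if the persistent volume
        # claim exists. Add it as an entry of THIS list: a second `volumes:`
        # key would be a duplicate key, and most parsers silently keep only
        # the last one, which would drop the secret volume above.
        # - name: traefik-data
        #   persistentVolumeClaim:
        #     claimName: traefik-data
      containers:
        - name: traefik
          # The tag is mutable. Pin by digest, for example
          # traefik:2.2.1@sha256:<DIGEST_PLACEHOLDER>.
          # NOTE(review): 2.2.1 is an old release; check it against upstream
          # security releases before exposing it to the internet.
          image: traefik:2.2.1
          imagePullPolicy: IfNotPresent
          args:
            - --api
            # Keep api.insecure=false. When it is true, the API and dashboard
            # are served on the "traefik" entry point (:8100) without
            # authentication. With false they are reachable only through a
            # router, which is where the basic-auth middleware can be attached.
            # - --api.insecure=true
            - --api.insecure=false
            - --api.dashboard=true
            - --accesslog
            - --global.checknewversion=true
            - --entryPoints.traefik.address=:8100
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443

            # Permanently redirect every request on http (80) to https (443).
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.websecure.http.tls.certResolver=default
            - --entrypoints.websecure.http.tls.domains[0].main=eugeniocarvalho.dev
            - --entrypoints.websecure.http.tls.domains[0].sans=*.k8s.eugeniocarvalho.dev
            # - --entrypoints.websecure.http.tls.certResolver=letsencrypt

            # Let's Encrypt configuration.
            # The caserver line below selects the Let's Encrypt STAGING
            # directory, whose certificates browsers do not trust. Once
            # issuance works, remove the caserver line (not the email line)
            # to switch to the production directory.
            - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            # acme.json holds the ACME account key and the certificates'
            # private keys. The path is relative and no volume backs it, so
            # the file lives in the container filesystem and is lost on every
            # restart. Each restart then re-requests certificates, which the
            # production CA rate-limits. If persistent storage is enabled,
            # point this flag at a path inside that mount and restrict access
            # to the volume.
            - --certificatesresolvers.default.acme.storage=acme.json

            # - --certificatesresolvers.default.acme.tlschallenge=true
            - --certificatesresolvers.default.acme.dnsChallenge.provider=gcloud
            - --certificatesresolvers.default.acme.dnschallenge.delaybeforecheck=0
            - --certificatesresolvers.default.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
            # - --certificatesresolvers.default.acme.dnsChallenge.entryPoint=http
            # /ping is what the liveness and readiness probes below request
            # on port 8100.
            - --ping=true
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true

            # Log level: INFO or DEBUG.
            - --log.level=INFO
          env:
            - name: GCE_PROJECT
              value: "myroot-283603"
            # - name: GCE_SERVICE_ACCOUNT
            #   value: "traefik@myroot-283603.iam.gserviceaccount.com"
            - name: GCE_SERVICE_ACCOUNT_FILE
              value: /secrets/gcloud-credentials.json
            # NOTE(review): presumably enables verbose logging in the DNS
            # provider. Set to "false" once certificate issuance works, so
            # provider request details stay out of the pod logs.
            - name: GCE_DEBUG
              value: "true"
          volumeMounts:
            # The key file is only read, so the mount is marked read-only.
            - name: google-crendential
              mountPath: /secrets
              readOnly: true
            # Optional persistent storage. Add it as an entry of THIS list;
            # a second `volumeMounts:` key would replace the secret mount.
            # - name: traefik-data
            #   mountPath: /var/lib/traefik
          ports:
            - containerPort: 8100
              name: admin
              protocol: TCP
            - containerPort: 80
              name: web
              protocol: TCP
            - containerPort: 443
              name: websecure
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          # No requests or limits are set. An internet-facing proxy without
          # limits can starve its node under load; set values measured for
          # this cluster.
          resources: {}
          # The process binds ports 80 and 443 directly, so NET_BIND_SERVICE
          # is kept and every other capability is dropped.
          # NOTE(review): assumes the image runs as root and needs no other
          # capability. Verify on the target runtime.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File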

###############################
# Service
###############################
---
# Publishes the Traefik pod's three ports outside the cluster.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  # Traffic arriving at this address on the listed ports is routed to the
  # Service in addition to the LoadBalancer address.
  # NOTE(review): 10.128.0.8 looks like a node-internal address. Confirm it is
  # owned by this cluster and that network policy restricts who may reach it.
  externalIPs:
    - "10.128.0.8"
  # With "Cluster", traffic may be forwarded between nodes and the client
  # source address is not preserved. Access-log entries and any IP-based
  # allow-list in Traefik then see a node address instead of the real client.
  externalTrafficPolicy: Cluster
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: 80
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: 443
    # Publishes Traefik's internal entry point (8100) on the same external
    # addresses as 80/443. The probes in the Deployment reach 8100 on the pod
    # directly and do not need this port.
    # NOTE(review): if nothing external depends on it, drop this port or
    # firewall it. Any router bound to that entry point (for example the
    # dashboard) is otherwise reachable from wherever the load balancer is.
    - name: admin
      port: 8100
      protocol: TCP
      targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
# `status` is populated by the cluster; it is left over from an exported
# object and carries no configuration.
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware components
# for an HTTP->HTTPS redirection and a BasicAuth example.
#########################################################

###############################
# Middleware for basicAuth
###############################
---
# BasicAuth middleware; the user list comes from the Secret "authsecret".
# - No namespace is set, so this object is created in the namespace of the
#   applying context, while the Secret "authsecret" in this file is pinned to
#   "default".
#   NOTE(review): Traefik is expected to look the secret up in the
#   Middleware's own namespace. Confirm both end up in the same one.
# - Basic auth sends the password with every request. Attach this middleware
#   only to routers served over TLS.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basic-auth
spec:
  basicAuth:
    secret: authsecret

---
# htpasswd-format user list consumed by the "basic-auth" middleware.
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

# Paste your own password file content here, base64-encoded.
# The value shipped below is a published default and must be replaced before
# this manifest is applied anywhere reachable:
# - It decodes to two htpasswd entries, "admin" and "user". Only the admin
#   password (adminadmin) is documented here; the second account is easy to
#   overlook and would stay valid if only the first line were swapped.
# - Both entries use the MD5-based apr1 scheme. Prefer bcrypt when generating
#   replacements (for example `htpasswd -nB <user>`).
# - base64 is an encoding, not protection. Keep the real file out of version
#   control.
data:
  users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=


###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of:
#      entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443

###############################
# Middleware for CORS
###############################
---
# CORS response headers plus one forced request header.
# No namespace is set, so this object is created in the namespace of the
# applying context.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    # "origin-list-or-null" is a documentation placeholder, not an origin, so
    # as written no real browser origin matches. Replace it with the exact
    # origins that may call the backend. Despite the name "cors-all", avoid a
    # wildcard for endpoints that rely on cookies or other credentials.
    accessControlAllowOriginList:
      - "origin-list-or-null"
    # Preflight cache lifetime in seconds.
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    # Sets X-Forwarded-Proto to "https" on every request passing through this
    # middleware, whatever scheme the client actually used.
    # NOTE(review): backends that trust this header for secure-cookie or
    # redirect decisions will treat all such requests as TLS. Attach this
    # middleware only to routers on the TLS entry point.
    customRequestHeaders:
      X-Forwarded-Proto: "https"