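# Traefik 2.2 ingress controller for kube-system: CRDs, RBAC, Longhorn-backed
# storage for acme.json, dashboard IngressRoute, Deployment, Service and
# example middlewares.
#
# Review summary (details are next to the affected keys):
#   * The Traefik API/dashboard is reachable without authentication, both on
#     the `admin` Service port (8100) and through the `traefik-dashboard`
#     IngressRoute.
#   * The controller's ClusterRole can read every Secret in the cluster.
#   * ACME points at the Let's Encrypt staging CA, so issued certificates are
#     not trusted by clients.

# CRD ---------------------------------------------
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 on. The v1 API requires a structural schema per version, so
# on newer clusters take the CRD definitions shipped with the Traefik release
# being deployed rather than editing the apiVersion in place.
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

# RBAC --------------------------------------------
# rbac.authorization.k8s.io/v1 replaces the v1beta1 API used previously: the
# schema of ClusterRole/ClusterRoleBinding is the same, and v1beta1 is no
# longer served from Kubernetes 1.22 on.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # NOTE(review): get/list/watch on `secrets` in a ClusterRole covers every
  # namespace, so a compromised traefik pod or a leaked service-account token
  # can read all Secrets in the cluster. If TLS material only lives in a few
  # namespaces, bind namespaced Roles there instead and limit the namespaces
  # the Kubernetes providers watch.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: kube-system

# STORAGE -----------------------------------------
# Volume for /var/lib/traefik (holds acme.json: the ACME account key and the
# private keys of issued certificates).
# PersistentVolumes are cluster-scoped, so metadata carries no namespace; the
# binding to the kube-system claim is expressed through claimRef.
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: traefik-data
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  claimRef:
    namespace: kube-system
    name: traefik-data
  csi:
    driver: driver.longhorn.io
    fsType: ext4
    volumeHandle: traefik-data
  storageClassName: longhorn-durable

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-data
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-durable
  resources:
    requests:
      storage: 1Gi
  volumeName: "traefik-data"

# INGRESS -----------------------------------------
---
#####################################################
# Traefik dashboard route.
# The intended end state is HTTPS plus basic auth, but as written no
# middleware is attached: api@internal is served without authentication to
# anyone who can reach this host name. No entryPoints are listed either, so
# the router is attached to every entry point. Enable the basic-auth
# middleware below (with your own credentials) before exposing this host.
# NOTE(review): metadata.namespace is not set, so this object lands in the
# namespace of the applying kubectl context - confirm that is intended.
#####################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  routes:
    - match: Host(`traefik.eugeniocarvalho.dev`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      # optional: add basic auth
      #middlewares:
      #  - name: basic-auth

###############################
# ServiceAccount
###############################
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

###############################
# Deployment
###############################
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
        - args:
            - --api
            # SECURITY: insecure mode serves the API and dashboard without
            # authentication on the `traefik` entry point (:8100 here), and
            # the Service below publishes that port as `admin`.
            # To close it: switch to the commented line, remove the `admin`
            # port from the Service, and attach an auth middleware to the
            # dashboard IngressRoute. The kubelet probes hit the pod directly,
            # so /ping on 8100 keeps working without the Service port.
            - --api.insecure=true
            # Set insecure to false to enable basic auth
            #- --api.insecure=false
            - --api.dashboard=true
            - --accesslog
            - --global.checknewversion=true
            - --entryPoints.traefik.address=:8100
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
            # permanent redirecting of all requests on http (80) to https (443)
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.websecure.http.tls.certResolver=default
            # Let's Encrypt configuration:
            # Please note that this is the staging Let's Encrypt server
            # configuration. Staging certificates are not trusted by clients;
            # once you get things working, remove the following line.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
            # acme.json contains private keys; it is kept on the traefik-data
            # volume mounted below.
            - --certificatesresolvers.default.acme.storage=/var/lib/traefik/acme.json
            - --certificatesresolvers.default.acme.tlschallenge=true
            - --ping=true
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true
            # Use log level= INFO or DEBUG
            - --log.level=INFO
          # NOTE(review): the image is referenced by a mutable tag and 2.2.1
          # is an old release; pin by digest and check the Traefik release
          # notes for security fixes before reusing this manifest.
          image: traefik:2.2.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 8100
              name: admin
              protocol: TCP
            - containerPort: 80
              name: web
              protocol: TCP
            - containerPort: 443
              name: websecure
              protocol: TCP
          # optional storage
          # enable this option only in case you have defined a persistence
          # volume claim
          volumeMounts:
            - name: traefik-data
              mountPath: /var/lib/traefik
          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          # NOTE(review): no requests/limits are set for the edge proxy.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # NOTE(review): neither the pod nor the container sets a
      # securityContext, so the process runs with the image defaults.
      # Hardening (allowPrivilegeEscalation: false, readOnlyRootFilesystem,
      # dropped capabilities) needs testing against the 80/443 binds.
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      # optional storage
      # enable this option only in case you have defined a persistence volume
      # claim
      volumes:
        - name: traefik-data
          persistentVolumeClaim:
            claimName: traefik-data

###############################
# Service
###############################
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  externalIPs:
    - 10.128.0.8
  # NOTE(review): with `Cluster` the client source address is typically
  # rewritten to a node address, so the access log enabled in the Deployment
  # and any IP-based allow-list will not see the real client IP.
  externalTrafficPolicy: Cluster
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: 80
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: 443
    # SECURITY: publishes the unauthenticated API/dashboard entry point (see
    # --api.insecure in the Deployment) on the load balancer and on the
    # external IP above. Remove this port unless access to it is restricted
    # by other means.
    - name: admin
      port: 8100
      protocol: TCP
      targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware components
# for a HTTP->HTTPS redirection and a BasicAuth example.
#########################################################

###############################
# Middleware for basicAuth
# NOTE(review): the sample value below encodes the published default
# credentials (admin/adminadmin); generate your own htpasswd content before
# enabling it. The Secret is declared in `default` while the Middleware has no
# namespace; Traefik looks the secret up in the Middleware's namespace, so
# keep both in the same one.
###############################
---
# apiVersion: traefik.containo.us/v1alpha1
# kind: Middleware
# metadata:
#   name: basic-auth
# spec:
#   basicAuth:
#     secret: authsecret
# ---
# apiVersion: v1
# kind: Secret
# metadata:
#   name: authsecret
#   namespace: default
# #------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
# data:
#   users: |2
#     YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
#     cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of:
#   entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443

###############################
# Middleware for CORS
# NOTE(review): metadata.namespace is not set; routes can only reference this
# middleware by bare name from the namespace it ends up in.
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    # "origin-list-or-null" is a placeholder, not a real origin: replace it
    # with the explicit list of origins that may call the backend. Despite the
    # middleware name, avoid a wildcard for endpoints that use credentials.
    accessControlAllowOriginList:
      - "origin-list-or-null"
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    # Sets X-Forwarded-Proto to https on every request passing through this
    # middleware, so backends that trust the header treat all of them as
    # having arrived over TLS.
    customRequestHeaders:
      X-Forwarded-Proto: "https"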