eugeniucarvalho
/
traefik


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449
							---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

#RBAC  --------------------------------------------
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps  #-------------
      - tlsoptions
      - tlsstores #-------------
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: kube-system

---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: traefik-data
  namespace: kube-system
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  claimRef:
    namespace: kube-system
    name: traefik-data
  csi:
    driver: driver.longhorn.io
    fsType: ext4
    volumeHandle: traefik-data
  storageClassName: longhorn-durable
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-data
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-durable
  resources:
    requests:
      storage: 1Gi
  volumeName: "traefik-data"
#INGRESS --------------------------------------------
---
#####################################################
# Secure traefik dashboard with https and basic auth
#####################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  routes:
    - match: Host(`traefik.eugeniocarvalho.dev`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      # optional: add basic auth
      #middlewares:
      #  - name: basic-auth

###############################
# ServiceAccount
###############################
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

###############################
# Deployment
###############################
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
        - args:
            - --api
            - --api.insecure=true
            # Set insecure to fals to enable basic auth
            #- --api.insecure=false
            - --api.dashboard=true
            - --accesslog
            - --global.checknewversion=true
            - --entryPoints.traefik.address=:8100
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443

            # permanent redirecting of all requests on http (80) to https (443)
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.websecure.http.tls.certResolver=default

            # Let's Encrypt Configurtion:
            # Please note that this is the staging Let's Encrypt server configuration.
            # Once you get things working, you should remove that following line.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
            - --certificatesresolvers.default.acme.storage=/var/lib/traefik/acme.json
            - --certificatesresolvers.default.acme.tlschallenge=true

            - --ping=true
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true

            # Use log level= INFO or DEBUG
            - --log.level=INFO
          image: traefik:2.2.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 8100
              name: admin
              protocol: TCP
            - containerPort: 80
              name: web
              protocol: TCP
            - containerPort: 443
              name: websecure
              protocol: TCP

          # optional storage
          # enable this option only in case you have defined a persistence volume claim
          volumeMounts:
            - name: traefik-data
              mountPath: /var/lib/traefik

          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60

      # optional storage
      # enable this option only in case you have defined a persistence volume claim
      volumes:
        - name: traefik-data
          persistentVolumeClaim:
            claimName: traefik-data

###############################
# Service
###############################
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  externalIPs:
    - 10.128.0.8
  externalTrafficPolicy: Cluster
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: 80
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: 443
    - name: admin
      port: 8100
      protocol: TCP
      targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware componenst
# for a HTTP->HTTS redirection and a BasicAuth example.
#########################################################

###############################
# Middleware for basicAuth
###############################
---
# apiVersion: traefik.containo.us/v1alpha1
# kind: Middleware
# metadata:
#   name: basic-auth
# spec:
#   basicAuth:
#     secret: authsecret

# ---
# apiVersion: v1
# kind: Secret
# metadata:
#   name: authsecret
#   namespace: default

# #------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
# data:
#   users: |2
#     YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
#     cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of:
#      entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443

###############################
# Middleware for CORS
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    accessControlAllowOriginList:
      - "origin-list-or-null"
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    customRequestHeaders:
      X-Forwarded-Proto: "https"