traefik/020-deployment.yaml

###############################
# ServiceAccount
###############################
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

###############################
# Deployment
###############################
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
      - args:
        - --api
        - --api.insecure=true
        # Set insecure to fals to enable basic auth
        #- --api.insecure=false
        - --api.dashboard=true
        - --accesslog
        - --global.checknewversion=true
        - --entryPoints.traefik.address=:8100
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

        # permanent redirecting of all requests on http (80) to https (443)
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default
        #- --entrypoints.websecure.http.tls.certResolver=letsencrypt

        # Let's Encrypt Configurtion:
        # Please note that this is the staging Let's Encrypt server configuration.
        # Once you get things working, you should remove that following line.
        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
        - --certificatesresolvers.default.acme.storage=/var/lib/traefik/acme.json
        - --certificatesresolvers.default.acme.tlschallenge=true

        - --ping=true
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true

        # Use log level= INFO or DEBUG
        - --log.level=INFO
        image: traefik:2.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        name: traefik
        ports:
        - containerPort: 8100
          name: admin
          protocol: TCP
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP

        # optional storage 
        # enable this option only in case you have defined a persistence volume claim
        #volumeMounts:
        #- name: traefik-data
        #  mountPath: /var/lib/traefik

        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      
      # optional storage
      # enable this option only in case you have defined a persistence volume claim
      #volumes:
      #  - name: traefik-data
      #    persistentVolumeClaim:
      #      claimName: traefik-data



###############################
# Service
###############################
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  externalIPs:
  - "10.128.0.8"
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: 80
  - name: websecure
    port: 443
    protocol: TCP
    targetPort: 443
  - name: admin
    port: 8100
    protocol: TCP
    targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware componenst
# for a HTTP->HTTS redirection and a BasicAuth example. 
#########################################################


###############################
# Middleware for basicAuth 
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basic-auth
spec:
  basicAuth:
    secret: authsecret

---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

#------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
data:
  users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of: 
#      entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443


###############################
# Middleware for CORS
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    accessControlAllowOriginList: 
      - "origin-list-or-null"
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    customRequestHeaders:
      X-Forwarded-Proto: "https"