eugeniucarvalho
/
traefik


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243
							###############################
# ServiceAccount
###############################
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

###############################
# Deployment
###############################
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
      - args:
        - --api
        #- --api.insecure=true
        # Set insecure to fals to enable basic auth
        - --api.insecure=false
        - --api.dashboard=true
        - --accesslog
        - --global.checknewversion=true
        - --entryPoints.traefik.address=:8100
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

        # permanent redirecting of all requests on http (80) to https (443)
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default
        - --entrypoints.websecure.http.tls.domains[0].main=k8s.eugeniocarvalho.dev
        - --entrypoints.websecure.http.tls.domains[0].sans=*.k8s.eugeniocarvalho.dev
        #- --entrypoints.websecure.http.tls.certResolver=letsencrypt

        # Let's Encrypt Configurtion:
        # Please note that this is the staging Let's Encrypt server configuration.
        # Once you get things working, you should remove that following line.
        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
        - --certificatesresolvers.default.acme.storage=acme.json

        - --certificatesresolvers.default.acme.tlschallenge=true
        - --certificatesresolvers.default.acme.httpchallenge=true
        - --certificatesresolvers.default.acme.httpchallenge.entryPoint=http
        - --ping=true
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true

        # Use log level= INFO or DEBUG
        - --log.level=INFO
        image: traefik:2.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        name: traefik
        ports:
        - containerPort: 8100
          name: admin
          protocol: TCP
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP

        # optional storage 
        # enable this option only in case you have defined a persistence volume claim
        #volumeMounts:
        #- name: traefik-data
        #  mountPath: /var/lib/traefik

        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      
      # optional storage
      # enable this option only in case you have defined a persistence volume claim
      #volumes:
      #  - name: traefik-data
      #    persistentVolumeClaim:
      #      claimName: traefik-data


###############################
# Service
###############################
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  externalIPs:
  - "10.128.0.8"
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: 80
  - name: websecure
    port: 443
    protocol: TCP
    targetPort: 443
  - name: admin
    port: 8100
    protocol: TCP
    targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware componenst
# for a HTTP->HTTS redirection and a BasicAuth example. 
#########################################################


###############################
# Middleware for basicAuth 
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basic-auth
spec:
  basicAuth:
    secret: authsecret

---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

#------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
data:
  users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of: 
#      entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443


###############################
# Middleware for CORS
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    accessControlAllowOriginList: 
      - "origin-list-or-null"
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    customRequestHeaders:
      X-Forwarded-Proto: "https"