traefik/020-deployment.yaml

###############################
# ServiceAccount
###############################
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: kube-system

---
apiVersion: v1
kind: Secret
metadata:
  name: gce-secrets
type: Opaque
data:
  gcloud-credentials.json: "ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXlyb290LTI4MzYwMyIsCiAgInByaXZhdGVfa2V5X2lkIjogIjliYzkwODA4ODlmZjAxMDRiODI1ODE1ZTkwMGNjNGU0ZmVmNWNmYmQiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS0KTUlJRXZnSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2d3Z2dTa0FnRUFBb0lCQVFDZnFYeDNPbG1SaHJFYwpsdk10Z05ydkF3R05XUktJdHJkT0w0OEFxQndsWE1PSmJXclVEUnFsNkRxOUE5WXpFZVhkYmtHVUpvVFg3UkdoCnFqc2dHWjRtRWR3aWkybVpJNHIxajEwOXdUeGVBMkIwNjRlSXR6TXlGWGMrVXk1a3N5S3BzVWxHczBqWWdPUjUKdjRCQTQ1MFhlMExiT0FaLzIyaE00ZFI0ZGdFdzI2cGoxRVgwRzZ3SURpLzMzR1ViMDJlNFNtNEs1ZTRPdUdJZQpUc1R2c3NiN2hxdVc5bGdlaWRET3d4WHF5SHRwM1hVRDYySytmWVdmWWJoVm14ZVpBUStTU2hqRUhQK09LNUlHCkpJVmd3eEwvaTdaby82dnZyYytZRXlFMnF1eWNlZXRnQjJqUWorQllwYVYyWEphNWdOUHFGYWFpZStWeDBhN0MKckdGeWlhNS9BZ01CQUFFQ2dnRUFBL3pGTGYycVdZM3FsaVY4RlBkRXQxS0hMcTVlOEVTT3hOR0lyQWJQNmJVKwo4T2I1cGVFNTVtNkhCWlVremVUWmlPcE9iVUJWQkNKWWk2cFUxYTZKaUNVQndXZyt4Wm9xV2gyZGVLaGFXYjRrCnRCMnNBZHFBUnZUdC8wem1ndjlOdCtIRWxTVktoZ05qTVZvTTJjamVsaktLU25peDNXNG1WUjAwL3hBRWlIUHcKdE1IcDBLVUJ2eWQyclZEV25GVmU3L2pPVFFSbnZYSmJzc1VGVFpnaVdQbkRBdWFmWGxtTThlOVBnaWdVRG1NTgpyOG9aMTZTR0djdDl2bFJLWXY1SUpjQ1lUVzJVeTB3SlprQW5sNUtEdG5LSHZwOHcwSmZnMkxZK3RHZE8rU0ErCkpEWFBaQ3BYU251VzVLOTl2L3VMclB0cHEyLysya09SQmZ1allZOVhVUUtCZ1FEVXpXQWxQYk9qK3NyOHV3RkMKQ0pQbmJmSmc3ZVJ4VUdHRUlZQVZ2TFFzU1hEZEpVUTQ4SlpsS1NmNm5ZQ04xeWNWRDZpL0Q2Ykh6aTBpb3B4TApmY25uWWhJNDRJNWN4eXcvRCtwaFZTTitWTEVabmZtYjRZRkIxRjdsMFdvdzgwTlRweTZ5ejVPQUswQVFQYm41CmUySmdUMmpuZ0lJbHpjZHg1OUFjNHVndGlRS0JnUURBRXBkNSt3Z1hJYWNFU0N2S0hoYUdGMDRGUnBjTjJWYWUKK29jSmEwMFdRL1J0QjlGemd2dm84ZzBFSmFPNjlRNHRSM3RYRHpLZC9sdzZtMVBGMmFSSmxvR3hKQW44cW1hTwozZkVDZ1NOcHRIMjRFdnVhc1F1NllpSk5jQkRFaCtMa3NkdzhsbzU3UTVUSVV4a1BtQ1Nnbk5uSHgvVWxIR04xCmJ6YVlFMnJCeHdLQmdRREFHOWdjUnFPUithcWVsY1FBOVBWeERCU3Y1Sk5DcUtvZ09vNERFYVFtQnZiWTdmZTAKMzUwbUhnMTFkaExEK2VQU1k1eVhQMjMxR3ZBc1FGaVEzaklUckxsK2wxcHQ3M0RHVFh2dCtvcGNWZUM3bTUzbgpWNkQwNk4veTRTYllvZ081MVVlWExVV2ZnMndHUFhOVEFreEJYZTc2YjAwUEM4SnQxalJPbjVteTRRS0JnQVZCCi9RZUh5YWJvY3V2NUZjbkluUkU2bmhZaTRvdXNnV1NFc3lHYzRGVlZzdUV4TDVpYjQwMXpJc3dVUTdFZ2VDemgKSWcwMkMwcXI1ZFpzM2hReWF2N2dzZGdwaG1SMlBheDNndHR3c1lsNU9WL0tsVHljMEJkZ0RGUldWdjhxUVJuRgpqS1BUOHo2SWtSQVN4a0xaQlZlb000WDJnVTFzdzRRNWNTTWtsTzJOQW9HQkFJTG0zZFV6MUpOZUtUQ3gwTHVVCkVoaWJNTTJZY0k3VEdzdlBMUzFSTWlGMW1QS2lNL0RRbU1HeTdOUjZ5THE0dnJYZ2VLS2dEUXlMUUtCaklJYVkKSlpVL1J1d3FVU3RJWnoxMEhrT0Y4cHZQS05hZ2RUOUtTWGNScmNRVktNYVNWWjhaejZPaFdJRWN3T3cxeHo0cAorZUhuNWZBSnVDWEp6R0dyQXdZYTV1Z2UKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQoiLAogICJjbGllbnRfZW1haWwiOiAidHJhZWZpa0BteXJvb3QtMjgzNjAzLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwKICAiY2xpZW50X2lkIjogIjEwMzUwMTM3ODAwODY4NDUyMjA2OSIsCiAgImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKICAidG9rZW5fdXJpIjogImh0dHBzOi8vb2F1dGgyLmdvb2dsZWFwaXMuY29tL3Rva2VuIiwKICAiYXV0aF9wcm92aWRlcl94NTA5X2NlcnRfdXJsIjogImh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL29hdXRoMi92MS9jZXJ0cyIsCiAgImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL3JvYm90L3YxL21ldGFkYXRhL3g1MDkvdHJhZWZpayU0MG15cm9vdC0yODM2MDMuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iCn0K"
# apiVersion: v1
# kind: Secret
# metadata:
#   name: GCE_ACCOUNT_SECRET
# data:

###############################
# Deployment
###############################
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
        - args:
            - --api
            #- --api.insecure=true
            # Set insecure to fals to enable basic auth
            - --api.insecure=false
            - --api.dashboard=true
            - --accesslog
            - --global.checknewversion=true
            - --entryPoints.traefik.address=:8100
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443

            # permanent redirecting of all requests on http (80) to https (443)
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.websecure.http.tls.certResolver=default
            - --entrypoints.websecure.http.tls.domains[0].main=k8s.eugeniocarvalho.dev
            - --entrypoints.websecure.http.tls.domains[0].sans=*.k8s.eugeniocarvalho.dev
            #- --entrypoints.websecure.http.tls.certResolver=letsencrypt

            # Let's Encrypt Configurtion:
            # Please note that this is the staging Let's Encrypt server configuration.
            # Once you get things working, you should remove that following line.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.default.acme.email=eugeniucarvalho@gmail.com
            - --certificatesresolvers.default.acme.storage=acme.json

            # - --certificatesresolvers.default.acme.tlschallenge=true
            - --certificatesresolvers.default.acme.dnsChallenge.provider=gcloud
            - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
            # - --certificatesresolvers.default.acme.dnsChallenge.entryPoint=http
            - --ping=true
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true

            # Use log level= INFO or DEBUG
            - --log.level=INFO
          image: traefik:2.2.1
          env:
            - name: GCE_PROJECT
              value: "myroot-283603"
            - name: GCE_SERVICE_ACCOUNT
              value: "traefik@myroot-283603.iam.gserviceaccount.com"
            - name: GCE_SERVICE_ACCOUNT_FILE
              value: /secrets/gcloud-credentials.json
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 8100
              name: admin
              protocol: TCP
            - containerPort: 80
              name: web
              protocol: TCP
            - containerPort: 443
              name: websecure
              protocol: TCP

          # optional storage
          # enable this option only in case you have defined a persistence volume claim
          #volumeMounts:
          #- name: traefik-data
          #  mountPath: /var/lib/traefik

          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File

      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60

      # optional storage
      # enable this option only in case you have defined a persistence volume claim
      #volumes:
      #  - name: traefik-data
      #    persistentVolumeClaim:
      #      claimName: traefik-data

###############################
# Service
###############################
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  externalIPs:
    - "10.128.0.8"
  externalTrafficPolicy: Cluster
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: 80
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: 443
    - name: admin
      port: 8100
      protocol: TCP
      targetPort: 8100
  selector:
    app: traefik
    release: traefik
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

#########################################################
# The Middleware configuration contains middleware componenst
# for a HTTP->HTTS redirection and a BasicAuth example.
#########################################################

###############################
# Middleware for basicAuth
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basic-auth
spec:
  basicAuth:
    secret: authsecret

---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

#------------ Paste your own password file content here (default user/password=admin/adminadmin)--------------
data:
  users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=


###############################
# Middleware for HTTP->HTTPS
# This middleware is not needed in case of:
#      entrypoints.web.http.redirections.entryPoint.to=websecure
###############################
#---
#apiVersion: traefik.containo.us/v1alpha1
#kind: Middleware
#metadata:
#  name: https-redirect
#spec:
#  redirectScheme:
#    scheme: https
#    permanent: true
#    #port: 443

###############################
# Middleware for CORS
###############################
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-all
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    accessControlAllowOriginList:
      - "origin-list-or-null"
    accessControlMaxAge: 100
    accessControlAllowHeaders:
      - "Content-Type"
    addVaryHeader: true
    customRequestHeaders:
      X-Forwarded-Proto: "https"