forked from sleighzy/k3s-traefik-v2-kubernetes-crd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
005-deployment.yaml
120 lines (118 loc) · 4.24 KB
/
005-deployment.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: kube-system
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
annotations:
container.apparmor.security.beta.kubernetes.io/traefik: runtime/default
spec:
serviceAccountName: traefik-ingress-controller
securityContext:
# Use nogroup (and needs nobody) for the acme.json file
# for storing TLS
fsGroup: 65534
initContainers:
- name: volume-permissions
image: busybox:1.32
command: ['sh', '-c', 'touch /etc/traefik/certs/acme.json && chown 65534:65534 /etc/traefik/certs/acme.json && chmod 600 /etc/traefik/certs/acme.json']
volumeMounts:
- name: certificates
mountPath: /etc/traefik/certs
containers:
- name: traefik
image: traefik:v2.9.4
args:
- --api.dashboard=true
- --ping=true
- --accesslog
- --entrypoints.traefik.address=:9080
- --entrypoints.web.address=:8080
- --entrypoints.websecure.address=:8443
# Uncomment the below lines to redirect http requests to https.
# This specifies the port :443 and not the https entrypoint name for the
# redirect as the service is listening on port 443 and directing traffic
# to the 8443 target port. If the entrypoint name "websecure" was used,
# instead of "to=:443", then the browser would be redirected to port 8443.
# - --entrypoints.web.http.redirections.entrypoint.to=:443
# - --entrypoints.web.http.redirections.entrypoint.scheme=https
- --providers.kubernetescrd
- --providers.kubernetescrd.allowCrossNamespace=true
- --providers.kubernetesingress
- --providers.kubernetesgateway
- --experimental.kubernetesgateway=true
- --certificatesresolvers.godaddy.acme.storage=/etc/traefik/certs/acme.json
- --certificatesResolvers.godaddy.acme.dnsChallenge.provider=godaddy
- --certificatesResolvers.godaddy.acme.dnsChallenge.delayBeforeCheck=0
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
# - --certificatesresolvers.godaddy.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --log
- --log.level=INFO
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
# Run the container as nobody:nogroup
runAsUser: 65534
runAsGroup: 65534
capabilities:
drop:
- ALL
livenessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: 9080
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
resources:
limits:
memory: '100Mi'
cpu: '1000m'
ports:
# The Traefik container is listening on ports > 1024 so the container
# can be run as a non-root user and they can bind to these ports.
- name: web
containerPort: 8080
- name: websecure
containerPort: 8443
- name: admin
containerPort: 9080
volumeMounts:
- name: certificates
mountPath: /etc/traefik/certs
env:
- name: GODADDY_API_KEY
valueFrom:
secretKeyRef:
name: godaddy
key: GODADDY_API_KEY
- name: GODADDY_API_SECRET
valueFrom:
secretKeyRef:
name: godaddy
key: GODADDY_API_SECRET
volumes:
- name: certificates
persistentVolumeClaim:
claimName: traefik-certs-pvc