apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
namespace: traefik
spec:
minReadySeconds: 0
replicas: 1
selector:
matchLabels:
app: traefik
strategy:
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "9100"
prometheus.io/scrape: "true"
labels:
app: traefik
spec:
containers:
- resources: {}
name: traefik
args:
- --global.sendanonymoususage=false
- --global.checknewversion=false
- --entrypoints.metrics.address=:9100/tcp
- --entrypoints.traefik.address=:9000/tcp
- --entrypoints.dns.address=:53/udp
- --entrypoints.web-local.address=:80/tcp
- --entrypoints.web-local.transport.respondingTimeouts.readTimeout=300
- --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0
- --entrypoints.websecure-local.address=:443/tcp
- --entrypoints.websecure-local.http.middlewares=traefik-default-headers
- --entrypoints.websecure-local.http.tls=true
- --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
- --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0
- --entrypoints.websecure-front.address=:8443/tcp
- --entrypoints.websecure-front.http.middlewares=traefik-default-headers
- --entrypoints.websecure-front.http.tls=true
- --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
- --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0
- --certificatesResolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
- --certificatesResolvers.default.acme.email=steffen.illium@gmail.com
- --certificatesResolvers.default.acme.dnsChallenge.provider=ionos
- --certificatesResolvers.default.acme.storage=/certs/acme.json
- --api.dashboard=true
- --ping=true
- --metrics.prometheus=true
- --metrics.prometheus.entrypoint=metrics
- --providers.kubernetescrd
# - --providers.kubernetescrd.labelSelector=local=true
- --providers.kubernetescrd.allowExternalNameServices=true
- --accesslog=false
- --accesslog.fields.defaultmode=keep
- --accesslog.fields.headers.defaultmode=drop
- --serversTransport.insecureSkipVerify=true
- --log.level=INFO
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: IONOS_API_KEY
valueFrom:
secretKeyRef:
name: ionos-secret
key: IONOS_API_KEY
image: docker.io/traefik:latest
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: 9000
scheme: HTTP
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 9100
name: metrics
protocol: TCP
- containerPort: 9000
name: traefik
protocol: TCP
- containerPort: 80
name: web-local
protocol: TCP
- containerPort: 443
name: websecure-local
protocol: TCP
- containerPort: 8443
name: websecure-front
protocol: TCP
readinessProbe:
failureThreshold: 1
httpGet:
path: /ping
port: 9000
scheme: HTTP
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /certs
name: traefik-pvc
subPath: certs
- mountPath: /data
name: traefik-pvc
subPath: data
- mountPath: /tmp
name: traefik-pvc
subPath: tmp
securityContext:
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
volumes:
- name: traefik-pvc
persistentVolumeClaim:
claimName: traefik-pvc