@windschord
Last active April 29, 2023 16:26
These configuration files are for running Traefik outside of Kubernetes (GKE).
Details on how to use the files can be found at the following URL:
[クラウドで安く自分のkubernetesを持ちたい](https://blog.windschord.com/posts/2020-02-15/setup_gke_with_traefik) (Japanese only)
-- This source code is licensed under the MIT License. --
# this file based on https://docs.traefik.io/user-guides/crd-acme/
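# Registers the namespaced IngressRoute kind in the traefik.containo.us group.
# Nesting restored: metadata.name and the spec/names children were flattened
# to column 0, which a YAML parser reads as unrelated top-level keys.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need the apiextensions.k8s.io/v1 form, which requires a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced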
---
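# Registers the namespaced IngressRouteTCP kind (nesting restored).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced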
---
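# Registers the namespaced Middleware kind (nesting restored).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced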
---
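# Registers the namespaced TLSOption kind (nesting restored).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced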
---
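# Registers the namespaced TraefikService kind (nesting restored).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced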
---
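# Cluster-wide permissions for the Traefik ingress controller: read access to
# the objects it routes from, plus status updates on Ingress objects.
# Uses rbac.authorization.k8s.io/v1, matching the admin-user binding elsewhere
# in this gist; the v1beta1 RBAC API was removed in Kubernetes 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # NOTE(review): "secrets" here means get/list/watch on every Secret in every
  # namespace. Because this role is cluster-scoped, whoever holds the bound
  # service account's token can read all of them; in this setup that token is
  # stored outside the cluster in Traefik's static configuration, so treat it
  # as a cluster-wide secret-read credential.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # The only write permission in this role.
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  # Read access to the Traefik custom resources. The five identical
  # per-resource rules are merged into one; the permissions are the same.
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - ingressroutetcps
      - tlsoptions
      - traefikservices
    verbs:
      - get
      - list
      - watch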
---
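# Grants the traefik-ingress-controller ClusterRole to the service account of
# the same name in the default namespace (nesting restored).
# Uses rbac.authorization.k8s.io/v1; the v1beta1 RBAC API was removed in
# Kubernetes 1.22.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default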
---
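# Service account that the traefik-ingress-controller ClusterRoleBinding names
# as its subject (nesting restored: namespace and name belong under metadata).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller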
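---
# Separate manifest: publishes the kubernetes-dashboard Service through
# Traefik's "websecure" entry point. The leading document marker keeps it from
# merging into the preceding ServiceAccount document.
# NOTE(review): no Middleware is attached to this route, so the dashboard's own
# login is the only access control in front of it. Together with the
# cluster-admin sample user from this gist, that login accepts a token with
# full cluster control. Consider adding an authentication middleware or an
# allow-list, and a narrower role for the dashboard account.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashbord.your-domain.example.com`)
      kind: Rule
      services:
        # presumably the plain-HTTP dashboard deployment; confirm the
        # Service really listens on port 80
        - name: kubernetes-dashboard
          port: 80
  tls:
    # Was "el". The ACME resolver used by the router and dnsChallenge in the
    # TOML configuration is named "le"; an unknown resolver name would leave
    # this route without an issued certificate.
    certResolver: le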
# based on https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
---
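# Service account used to log in to the Kubernetes dashboard (nesting
# restored: name and namespace belong under metadata).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard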
---
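# Binds the admin-user service account to the built-in cluster-admin
# ClusterRole (nesting restored).
# NOTE(review): cluster-admin is unrestricted access to every resource in every
# namespace, so a token for this account is equivalent to owning the cluster.
# The upstream page presents this as a sample user. For a dashboard reachable
# from the internet, prefer a narrower role (for example the built-in "view"
# ClusterRole) or delete this binding once it is no longer needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard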
# Dynamic configuration
# (presumably the file named by providers.file in the static configuration)

# Router "my-api" exposes Traefik's internal API/dashboard service
# (api@internal) on the given host, behind the "auth" middleware, with a
# certificate from the "le" resolver. The parent tables http.routers and
# http.middlewares are implied by the dotted headers below.
[http.routers.my-api]
  rule = "Host(`your-domain.example.com`)"
  service = "api@internal"
  middlewares = ["auth"]

  [http.routers.my-api.tls]
    certResolver = "le"

    # Certificate for the apex domain plus a wildcard SAN.
    [[http.routers.my-api.tls.domains]]
      main = "your-domain.example.com"
      sans = ["*.your-domain.example.com"]

# HTTP basic authentication in front of the dashboard router.
# see https://docs.traefik.io/middlewares/basicauth/
# NOTE(review): the entry below is the published sample (user "test", apr1/MD5
# hash). Replace it with your own htpasswd-generated entry before deploying.
# Traefik also accepts bcrypt hashes, which resist offline guessing better
# than apr1.
[http.middlewares.auth.basicAuth]
  users = ["test:$apr1$M2kBVUKN$ZLtvFO4f0MIi5K.jD/.F1."]
# this file based on https://github.com/containous/traefik/blob/master/traefik.sample.toml
# ---------------------------------------------------------------
# Global
# ---------------------------------------------------------------
# Both settings make Traefik contact external services: a version check and
# anonymous usage statistics. Set them to false if outbound calls from the
# proxy host are not wanted.
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

# ---------------------------------------------------------------
# Entry points (the parent table "entryPoints" is implied)
# ---------------------------------------------------------------
[entryPoints.web]
  address = ":80"

[entryPoints.websecure]
  address = ":443"

# ---------------------------------------------------------------
# Traefik's own log
# ---------------------------------------------------------------
[log]
  level = "ERROR"
  filePath = "/traefik-pv/log/traefik.log"
  # Optional; "json" or "common" (default: "common").
  # format = "json"

# ---------------------------------------------------------------
# Access log
# ---------------------------------------------------------------
[accessLog]
  filePath = "/traefik-pv/log/log.txt"
  # Optional; "json" or "common" (default: "common").
  # format = "json"

# ---------------------------------------------------------------
# API and dashboard
# ---------------------------------------------------------------
# "insecure" stays commented out, so the dashboard is reachable only through
# a router that targets api@internal.
[api]
  # insecure = true
  dashboard = true

# ---------------------------------------------------------------
# Ping
# ---------------------------------------------------------------
[ping]
  # Optional; name of the related entry point (default: "traefik").
  # entryPoint = "traefik"

# ---------------------------------------------------------------
# Providers (the parent table "providers" is implied)
# ---------------------------------------------------------------
[providers.file]
  watch = true
  filename = "/traefik-pv/traefik.route.toml"
  debugLogGeneratedTemplate = true

# Traefik runs outside the cluster and talks to the API server directly.
# NOTE(review): "token" is the bearer credential of the Traefik service
# account. With the ClusterRole from this gist it can read Secrets
# cluster-wide, so keep this file readable only by the Traefik process and
# keep the real value out of version control. certAuthFilePath pins the API
# server's CA; keep it set so the endpoint's certificate is verified.
[providers.kubernetesCRD]
  endpoint = "https://your-k8s-master-ip"
  token = "your-k8s-token"
  certAuthFilePath = "/traefik-pv/ca.crt"
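################################################################
# Let's Encrypt configuration
################################################################
# The resolver is named "le" throughout. The original put email and storage
# under a resolver called "sample" and the DNS challenge under "le", so the
# resolver that routers reference (certResolver = "le") had no account
# settings and "sample" had no challenge.
[certificatesResolvers.le.acme]
  email = "your-email@example.com"
  # NOTE(review): acme.json holds the ACME account key and the private keys of
  # issued certificates. This relative path resolves against Traefik's working
  # directory; keep the file on persistent storage and restrict it to mode 600.
  storage = "acme.json"

  # DNS-01 challenge through Google Cloud DNS. The credentials supplied to
  # Traefik for this provider should be limited to DNS record management.
  [certificatesResolvers.le.acme.dnsChallenge]
    provider = "gcloud"
    # delayBeforeCheck = 0
    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
    # disablePropagationCheck = true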