ansible-role-k8s-traefik/templates/traefik-dp.yml.j2

kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: {{ traefik_namespace }}
  name: traefik
  labels:
    app: traefik

spec:
#  replicas: {% if traefik_node_selector is defined %}{{ traefik_node_selector|length }}{% else %}1{% endif %} 
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
#      securityContext:
#        sysctls:
#        - name: kernel.net.ipv4.ip_unprivileged_port_start
#          value: "80"
      containers:
        - name: traefik
          image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
          args:
            - --configfile=/config/traefik.yaml
#          imagePullPolicy: IfNotPresent
          ports:
{% for traefik_entrypoint in traefik_entrypoints %}
            - name: {{ traefik_entrypoint.name }}
              containerPort: {{ traefik_entrypoint.port }}
              protocol: {{ traefik_entrypoint.proto }}
{% if traefik_entrypoint.hostport is defined %}
              hostPort: {{ traefik_entrypoint.hostport }}
{% endif %}
{% endfor %}
          readinessProbe:
            httpGet:
              path: /ping
              port: traefik
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              path: /ping
              port: traefik
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: true
          resources:
            limits:
              cpu: {{ traefik_cpu_limit }}
              memory: {{ traefik_memory_limit }}
            requests:
              cpu: 100m
              memory: 20Mi
          volumeMounts:
            - mountPath: /config
              name: config
{% if traefik_node_selector is defined %}
      nodeSelector:
        reslinger.net/entrypoint: traefik
{% endif %}
      dnsPolicy: ClusterFirst
      hostNetwork: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 1
      tolerations:
        - effect: NoSchedule
          operator: Exists
      volumes:
        - configMap:
            defaultMode: 420
            name: traefik
          name: config