Commit new App releases for TrueCharts

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
This commit is contained in:
TrueCharts-Bot 2022-04-08 21:36:38 +00:00
parent 9936b8c93b
commit cafec3c8cb
40 changed files with 5428 additions and 0 deletions

View File

@ -0,0 +1,99 @@
# Changelog<br>
<a name="traefik-11.1.3"></a>
### [traefik-11.1.3](https://github.com/truecharts/apps/compare/traefik-11.1.2...traefik-11.1.3) (2022-04-08)
<a name="traefik-11.1.2"></a>
### [traefik-11.1.2](https://github.com/truecharts/apps/compare/traefik-11.1.1...traefik-11.1.2) (2022-04-06)
<a name="traefik-11.1.1"></a>
### [traefik-11.1.1](https://github.com/truecharts/apps/compare/traefik-11.1.0...traefik-11.1.1) (2022-04-04)
<a name="traefik-11.1.0"></a>
### [traefik-11.1.0](https://github.com/truecharts/apps/compare/traefik-11.0.13...traefik-11.1.0) (2022-04-04)
#### Feat
* Add stripPrefixRegex ([#2422](https://github.com/truecharts/apps/issues/2422))
<a name="traefik-11.0.13"></a>
### [traefik-11.0.13](https://github.com/truecharts/apps/compare/traefik-11.0.12...traefik-11.0.13) (2022-04-03)
#### Chore
* update helm general non-major helm releases ([#2410](https://github.com/truecharts/apps/issues/2410))
<a name="traefik-11.0.12"></a>
### [traefik-11.0.12](https://github.com/truecharts/apps/compare/traefik-11.0.11...traefik-11.0.12) (2022-04-01)
#### Chore
* update docker general non-major
<a name="traefik-11.0.11"></a>
### [traefik-11.0.11](https://github.com/truecharts/apps/compare/traefik-11.0.10...traefik-11.0.11) (2022-03-31)
#### Chore
* update helm general non-major helm releases ([#2361](https://github.com/truecharts/apps/issues/2361))
<a name="traefik-11.0.10"></a>
### [traefik-11.0.10](https://github.com/truecharts/apps/compare/traefik-11.0.9...traefik-11.0.10) (2022-03-30)
#### Chore
* update helm general non-major helm releases ([#2354](https://github.com/truecharts/apps/issues/2354))
<a name="traefik-11.0.9"></a>
### [traefik-11.0.9](https://github.com/truecharts/apps/compare/traefik-11.0.8...traefik-11.0.9) (2022-03-30)
#### Chore
* update docker general non-major ([#2338](https://github.com/truecharts/apps/issues/2338))
<a name="traefik-11.0.8"></a>
### [traefik-11.0.8](https://github.com/truecharts/apps/compare/traefik-11.0.7...traefik-11.0.8) (2022-03-26)
#### Chore
* bump all apps to trigger ci
<a name="traefik-11.0.6"></a>
### [traefik-11.0.6](https://github.com/truecharts/apps/compare/traefik-11.0.5...traefik-11.0.6) (2022-03-26)
#### Chore
* update docker general non-major
<a name="traefik-11.0.2"></a>
### [traefik-11.0.2](https://github.com/truecharts/apps/compare/traefik-11.0.1...traefik-11.0.2) (2022-03-07)
#### Chore
* update helm general non-major helm releases ([#2111](https://github.com/truecharts/apps/issues/2111))

View File

@ -0,0 +1,7 @@
# Configuration Options
##### Connecting to other apps
If you need to connect this App to other Apps on TrueNAS SCALE, please refer to our [Linking Apps Internally](https://truecharts.org/manual/Quick-Start%20Guides/06-linking-apps/) quick-start guide.
##### Available config options
In the future this page is going to contain an automated list of options available in the installation/edit UI.

View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 9.2.7
digest: sha256:927fec2499d55b3de8a7522d936aaf4f21f668370deb33239fb06f12051ff5b1
generated: "2022-04-08T21:32:00.915587411Z"

View File

@ -0,0 +1,30 @@
apiVersion: v2
appVersion: "2.6.3"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 9.2.7
deprecated: false
description: Traefik is a flexible reverse proxy and Ingress Provider.
home: https://github.com/truecharts/apps/tree/master/charts/stable/traefik
icon: https://truecharts.org/_static/img/appicons/traefik.png
keywords:
- traefik
- ingress
kubeVersion: '>=1.16.0-0'
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: traefik
sources:
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart
- https://traefik.io/
type: application
version: 11.1.3
annotations:
truecharts.org/catagories: |
- network
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U

View File

@ -0,0 +1,39 @@
# Introduction
Traefik is a flexible reverse proxy and Ingress Provider.
TrueCharts are designed to be installed as TrueNAS SCALE app only. We can not guarantee this charts works as a stand-alone helm installation.
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/apps/issues/new/choose)**
## Source Code
* <https://github.com/traefik/traefik>
* <https://github.com/traefik/traefik-helm-chart>
* <https://traefik.io/>
## Requirements
Kubernetes: `>=1.16.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
| https://library-charts.truecharts.org | common | 9.2.7 |
## Installing the Chart
To install this App on TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/manual/Quick-Start%20Guides/02-Installing-an-App/).
## Upgrading, Rolling Back and Uninstalling the Chart
To upgrade, rollback or delete this App from TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/manual/Quick-Start%20Guides/04-Upgrade-rollback-delete-an-App/).
## Support
- Please check our [quick-start guides](https://truecharts.org/manual/Quick-Start%20Guides/01-Adding-TrueCharts/) first.
- See the [Wiki](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/apps/issues/new/choose)
---
All Rights Reserved - The TrueCharts Project

View File

@ -0,0 +1,3 @@
Traefik is a flexible reverse proxy and Ingress Provider.
This App is supplied by TrueCharts, for more information please visit https://truecharts.org

Binary file not shown.

View File

@ -0,0 +1,198 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: IngressRoute
listKind: IngressRouteList
plural: ingressroutes
singular: ingressroute
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRoute is an Ingress CRD specification.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: IngressRouteSpec is a specification for a IngressRouteSpec
resource.
properties:
entryPoints:
items:
type: string
type: array
routes:
items:
description: Route contains the set of routes.
properties:
kind:
enum:
- Rule
type: string
match:
type: string
middlewares:
items:
description: MiddlewareRef is a ref to the Middleware resources.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: array
priority:
type: integer
services:
items:
description: Service defines an upstream to proxy traffic.
properties:
kind:
enum:
- Service
- TraefikService
type: string
name:
description: Name is a reference to a Kubernetes Service
object (for a load-balancer of servers), or to a TraefikService
object (service load-balancer, mirroring, etc). The
differentiation between the two is specified in the
Kind field.
type: string
namespace:
type: string
passHostHeader:
type: boolean
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding holds configuration for
the forward of the response.
properties:
flushInterval:
type: string
type: object
scheme:
type: string
serversTransport:
type: string
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration
based on cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
strategy:
type: string
weight:
description: Weight should only be specified when Name
references a TraefikService object (and to be precise,
one that embeds a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
required:
- kind
- match
type: object
type: array
tls:
description: "TLS contains the TLS certificates configuration of the
routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in
YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
# block format"
properties:
certResolver:
type: string
domains:
items:
description: Domain holds a domain name with SANs.
properties:
main:
type: string
sans:
items:
type: string
type: array
type: object
type: array
options:
description: Options is a reference to a TLSOption, that specifies
the parameters of the TLS connection.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: Store is a reference to a TLSStore, that specifies
the parameters of the TLS store.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,160 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: ingressroutetcps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: IngressRouteTCP
listKind: IngressRouteTCPList
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteTCP is an Ingress CRD specification.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec
resource.
properties:
entryPoints:
items:
type: string
type: array
routes:
items:
description: RouteTCP contains the set of routes.
properties:
match:
type: string
middlewares:
description: Middlewares contains references to MiddlewareTCP
resources.
items:
description: ObjectReference is a generic reference to a Traefik
resource.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: array
services:
items:
description: ServiceTCP defines an upstream to proxy traffic.
properties:
name:
type: string
namespace:
type: string
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
proxyProtocol:
description: ProxyProtocol holds the ProxyProtocol configuration.
properties:
version:
type: integer
type: object
terminationDelay:
type: integer
weight:
type: integer
required:
- name
- port
type: object
type: array
required:
- match
type: object
type: array
tls:
description: "TLSTCP contains the TLS certificates configuration of
the routes. To enable Let's Encrypt, use an empty TLS struct, e.g.
in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
# block format"
properties:
certResolver:
type: string
domains:
items:
description: Domain holds a domain name with SANs.
properties:
main:
type: string
sans:
items:
type: string
type: array
type: object
type: array
options:
description: Options is a reference to a TLSOption, that specifies
the parameters of the TLS connection.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
passthrough:
type: boolean
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: Store is a reference to a TLSStore, that specifies
the parameters of the TLS store.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,84 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: ingressrouteudps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: IngressRouteUDP
listKind: IngressRouteUDPList
plural: ingressrouteudps
singular: ingressrouteudp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteUDP is an Ingress CRD specification.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec
resource.
properties:
entryPoints:
items:
type: string
type: array
routes:
items:
description: RouteUDP contains the set of routes.
properties:
services:
items:
description: ServiceUDP defines an upstream to proxy traffic.
properties:
name:
type: string
namespace:
type: string
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
weight:
type: integer
required:
- name
- port
type: object
type: array
type: object
type: array
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,563 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: Middleware
listKind: MiddlewareList
plural: middlewares
singular: middleware
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Middleware is a specification for a Middleware resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MiddlewareSpec holds the Middleware configuration.
properties:
addPrefix:
description: AddPrefix holds the AddPrefix configuration.
properties:
prefix:
type: string
type: object
basicAuth:
description: BasicAuth holds the HTTP basic authentication configuration.
properties:
headerField:
type: string
realm:
type: string
removeHeader:
type: boolean
secret:
type: string
type: object
buffering:
description: Buffering holds the request/response buffering configuration.
properties:
maxRequestBodyBytes:
format: int64
type: integer
maxResponseBodyBytes:
format: int64
type: integer
memRequestBodyBytes:
format: int64
type: integer
memResponseBodyBytes:
format: int64
type: integer
retryExpression:
type: string
type: object
chain:
description: Chain holds a chain of middlewares.
properties:
middlewares:
items:
description: MiddlewareRef is a ref to the Middleware resources.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: array
type: object
circuitBreaker:
description: CircuitBreaker holds the circuit breaker configuration.
properties:
expression:
type: string
type: object
compress:
description: Compress holds the compress configuration.
properties:
excludedContentTypes:
items:
type: string
type: array
type: object
contentType:
description: ContentType middleware - or rather its unique `autoDetect`
option - specifies whether to let the `Content-Type` header, if
it has not been set by the backend, be automatically set to a value
derived from the contents of the response. As a proxy, the default
behavior should be to leave the header alone, regardless of what
the backend did with it. However, the historic default was to always
auto-detect and set the header if it was nil, and it is going to
be kept that way in order to support users currently relying on
it. This middleware exists to enable the correct behavior until
at least the default one can be changed in a future version.
properties:
autoDetect:
type: boolean
type: object
digestAuth:
description: DigestAuth holds the Digest HTTP authentication configuration.
properties:
headerField:
type: string
realm:
type: string
removeHeader:
type: boolean
secret:
type: string
type: object
errors:
description: ErrorPage holds the custom error page configuration.
properties:
query:
type: string
service:
description: Service defines an upstream to proxy traffic.
properties:
kind:
enum:
- Service
- TraefikService
type: string
name:
description: Name is a reference to a Kubernetes Service object
(for a load-balancer of servers), or to a TraefikService
object (service load-balancer, mirroring, etc). The differentiation
between the two is specified in the Kind field.
type: string
namespace:
type: string
passHostHeader:
type: boolean
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding holds configuration for the
forward of the response.
properties:
flushInterval:
type: string
type: object
scheme:
type: string
serversTransport:
type: string
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration based
on cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
strategy:
type: string
weight:
description: Weight should only be specified when Name references
a TraefikService object (and to be precise, one that embeds
a Weighted Round Robin).
type: integer
required:
- name
type: object
status:
items:
type: string
type: array
type: object
forwardAuth:
description: ForwardAuth holds the http forward authentication configuration.
properties:
address:
type: string
authRequestHeaders:
items:
type: string
type: array
authResponseHeaders:
items:
type: string
type: array
authResponseHeadersRegex:
type: string
tls:
description: ClientTLS holds TLS specific configurations as client.
properties:
caOptional:
type: boolean
caSecret:
type: string
certSecret:
type: string
insecureSkipVerify:
type: boolean
type: object
trustForwardHeader:
type: boolean
type: object
headers:
description: Headers holds the custom header configuration.
properties:
accessControlAllowCredentials:
description: AccessControlAllowCredentials is only valid if true.
false is ignored.
type: boolean
accessControlAllowHeaders:
description: AccessControlAllowHeaders must be used in response
to a preflight request with Access-Control-Request-Headers set.
items:
type: string
type: array
accessControlAllowMethods:
description: AccessControlAllowMethods must be used in response
to a preflight request with Access-Control-Request-Method set.
items:
type: string
type: array
accessControlAllowOriginList:
description: AccessControlAllowOriginList is a list of allowable
origins. Can also be a wildcard origin "*".
items:
type: string
type: array
accessControlAllowOriginListRegex:
description: AccessControlAllowOriginListRegex is a list of allowable
origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
items:
type: string
type: array
accessControlExposeHeaders:
description: AccessControlExposeHeaders sets valid headers for
the response.
items:
type: string
type: array
accessControlMaxAge:
description: AccessControlMaxAge sets the time that a preflight
request may be cached.
format: int64
type: integer
addVaryHeader:
description: AddVaryHeader controls if the Vary header is automatically
added/updated when the AccessControlAllowOriginList is set.
type: boolean
allowedHosts:
items:
type: string
type: array
browserXssFilter:
type: boolean
contentSecurityPolicy:
type: string
contentTypeNosniff:
type: boolean
customBrowserXSSValue:
type: string
customFrameOptionsValue:
type: string
customRequestHeaders:
additionalProperties:
type: string
type: object
customResponseHeaders:
additionalProperties:
type: string
type: object
featurePolicy:
type: string
forceSTSHeader:
type: boolean
frameDeny:
type: boolean
hostsProxyHeaders:
items:
type: string
type: array
isDevelopment:
type: boolean
publicKey:
type: string
referrerPolicy:
type: string
sslForceHost:
description: 'Deprecated: use RedirectRegex instead.'
type: boolean
sslHost:
description: 'Deprecated: use RedirectRegex instead.'
type: string
sslProxyHeaders:
additionalProperties:
type: string
type: object
sslRedirect:
description: 'Deprecated: use EntryPoint redirection or RedirectScheme
instead.'
type: boolean
sslTemporaryRedirect:
description: 'Deprecated: use EntryPoint redirection or RedirectScheme
instead.'
type: boolean
stsIncludeSubdomains:
type: boolean
stsPreload:
type: boolean
stsSeconds:
format: int64
type: integer
type: object
inFlightReq:
description: InFlightReq limits the number of requests being processed
and served concurrently.
properties:
amount:
format: int64
type: integer
sourceCriterion:
description: SourceCriterion defines what criterion is used to
group requests as originating from a common source. If none
are set, the default is to use the request's remote address
field. All fields are mutually exclusive.
properties:
ipStrategy:
description: IPStrategy holds the ip strategy configuration.
properties:
depth:
type: integer
excludedIPs:
items:
type: string
type: array
type: object
requestHeaderName:
type: string
requestHost:
type: boolean
type: object
type: object
ipWhiteList:
description: IPWhiteList holds the ip white list configuration.
properties:
ipStrategy:
description: IPStrategy holds the ip strategy configuration.
properties:
depth:
type: integer
excludedIPs:
items:
type: string
type: array
type: object
sourceRange:
items:
type: string
type: array
type: object
passTLSClientCert:
description: PassTLSClientCert holds the TLS client cert headers configuration.
properties:
info:
description: TLSClientCertificateInfo holds the client TLS certificate
info configuration.
properties:
issuer:
description: TLSCLientCertificateDNInfo holds the client TLS
certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
properties:
commonName:
type: boolean
country:
type: boolean
domainComponent:
type: boolean
locality:
type: boolean
organization:
type: boolean
province:
type: boolean
serialNumber:
type: boolean
type: object
notAfter:
type: boolean
notBefore:
type: boolean
sans:
type: boolean
serialNumber:
type: boolean
subject:
description: TLSCLientCertificateDNInfo holds the client TLS
certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
properties:
commonName:
type: boolean
country:
type: boolean
domainComponent:
type: boolean
locality:
type: boolean
organization:
type: boolean
province:
type: boolean
serialNumber:
type: boolean
type: object
type: object
pem:
type: boolean
type: object
plugin:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
type: object
rateLimit:
description: RateLimit holds the rate limiting configuration for a
given router.
properties:
average:
format: int64
type: integer
burst:
format: int64
type: integer
period:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
sourceCriterion:
description: SourceCriterion defines what criterion is used to
group requests as originating from a common source. If none
are set, the default is to use the request's remote address
field. All fields are mutually exclusive.
properties:
ipStrategy:
description: IPStrategy holds the ip strategy configuration.
properties:
depth:
type: integer
excludedIPs:
items:
type: string
type: array
type: object
requestHeaderName:
type: string
requestHost:
type: boolean
type: object
type: object
redirectRegex:
description: RedirectRegex holds the redirection configuration.
properties:
permanent:
type: boolean
regex:
type: string
replacement:
type: string
type: object
redirectScheme:
description: RedirectScheme holds the scheme redirection configuration.
properties:
permanent:
type: boolean
port:
type: string
scheme:
type: string
type: object
replacePath:
description: ReplacePath holds the ReplacePath configuration.
properties:
path:
type: string
type: object
replacePathRegex:
description: ReplacePathRegex holds the ReplacePathRegex configuration.
properties:
regex:
type: string
replacement:
type: string
type: object
retry:
description: Retry holds the retry configuration.
properties:
attempts:
type: integer
initialInterval:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
type: object
stripPrefix:
description: StripPrefix holds the StripPrefix configuration.
properties:
forceSlash:
type: boolean
prefixes:
items:
type: string
type: array
type: object
stripPrefixRegex:
description: StripPrefixRegex holds the StripPrefixRegex configuration.
properties:
regex:
items:
type: string
type: array
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,59 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: MiddlewareTCP
listKind: MiddlewareTCPList
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
properties:
ipWhiteList:
description: TCPIPWhiteList holds the TCP ip white list configuration.
properties:
sourceRange:
items:
type: string
type: array
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,101 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: serverstransports.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: ServersTransport
listKind: ServersTransportList
plural: serverstransports
singular: serverstransport
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ServersTransport is a specification for a ServersTransport resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ServersTransportSpec options to configure communication between
Traefik and the servers.
properties:
certificatesSecrets:
description: Certificates for mTLS.
items:
type: string
type: array
disableHTTP2:
description: Disable HTTP/2 for connections with backend servers.
type: boolean
forwardingTimeouts:
description: Timeouts for requests forwarded to the backend servers.
properties:
dialTimeout:
anyOf:
- type: integer
- type: string
description: The amount of time to wait until a connection to
a backend server can be established. If zero, no timeout exists.
x-kubernetes-int-or-string: true
idleConnTimeout:
anyOf:
- type: integer
- type: string
description: The maximum period for which an idle HTTP keep-alive
connection will remain open before closing itself.
x-kubernetes-int-or-string: true
responseHeaderTimeout:
anyOf:
- type: integer
- type: string
description: The amount of time to wait for a server's response
headers after fully writing the request (including its body,
if any). If zero, no timeout exists.
x-kubernetes-int-or-string: true
type: object
insecureSkipVerify:
description: Disable SSL certificate verification.
type: boolean
maxIdleConnsPerHost:
description: If non-zero, controls the maximum idle (keep-alive) to
keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
type: integer
rootCAsSecrets:
description: Add cert file for self-signed certificate.
items:
type: string
type: array
serverName:
description: ServerName used to contact the server.
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,87 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: TLSOption
listKind: TLSOptionList
plural: tlsoptions
singular: tlsoption
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: TLSOption is a specification for a TLSOption resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TLSOptionSpec configures TLS for an entry point.
properties:
cipherSuites:
items:
type: string
type: array
clientAuth:
description: ClientAuth defines the parameters of the client authentication
part of the TLS connection, if any.
properties:
clientAuthType:
description: ClientAuthType defines the client authentication
type to apply.
enum:
- NoClientCert
- RequestClientCert
- VerifyClientCertIfGiven
- RequireAndVerifyClientCert
type: string
secretNames:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
items:
type: string
type: array
type: object
curvePreferences:
items:
type: string
type: array
maxVersion:
type: string
minVersion:
type: string
preferServerCipherSuites:
type: boolean
sniStrict:
type: boolean
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,64 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: tlsstores.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: TLSStore
listKind: TLSStoreList
plural: tlsstores
singular: tlsstore
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: TLSStore is a specification for a TLSStore resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TLSStoreSpec configures a TLSStore resource.
properties:
defaultCertificate:
description: DefaultCertificate holds a secret name for the TLSOption
resource.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
required:
- defaultCertificate
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,270 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: traefikservices.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: TraefikService
listKind: TraefikServiceList
plural: traefikservices
singular: traefikservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: TraefikService is the specification for a service (that an IngressRoute
refers to) that is usually not a terminal service (i.e. not a pod of servers),
as opposed to a Kubernetes Service. That is to say, it usually refers to
other (children) services, which themselves can be TraefikServices or Services.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ServiceSpec defines whether a TraefikService is a load-balancer
of services or a mirroring service.
properties:
mirroring:
description: Mirroring defines a mirroring service, which is composed
of a main load-balancer, and a list of mirrors.
properties:
kind:
enum:
- Service
- TraefikService
type: string
maxBodySize:
format: int64
type: integer
mirrors:
items:
description: MirrorService defines one of the mirrors of a Mirroring
service.
properties:
kind:
enum:
- Service
- TraefikService
type: string
name:
description: Name is a reference to a Kubernetes Service
object (for a load-balancer of servers), or to a TraefikService
object (service load-balancer, mirroring, etc). The differentiation
between the two is specified in the Kind field.
type: string
namespace:
type: string
passHostHeader:
type: boolean
percent:
type: integer
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding holds configuration for
the forward of the response.
properties:
flushInterval:
type: string
type: object
scheme:
type: string
serversTransport:
type: string
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration based
on cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
strategy:
type: string
weight:
description: Weight should only be specified when Name references
a TraefikService object (and to be precise, one that embeds
a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
name:
description: Name is a reference to a Kubernetes Service object
(for a load-balancer of servers), or to a TraefikService object
(service load-balancer, mirroring, etc). The differentiation
between the two is specified in the Kind field.
type: string
namespace:
type: string
passHostHeader:
type: boolean
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding holds configuration for the forward
of the response.
properties:
flushInterval:
type: string
type: object
scheme:
type: string
serversTransport:
type: string
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration based on
cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
strategy:
type: string
weight:
description: Weight should only be specified when Name references
a TraefikService object (and to be precise, one that embeds
a Weighted Round Robin).
type: integer
required:
- name
type: object
weighted:
description: WeightedRoundRobin defines a load-balancer of services.
properties:
services:
items:
description: Service defines an upstream to proxy traffic.
properties:
kind:
enum:
- Service
- TraefikService
type: string
name:
description: Name is a reference to a Kubernetes Service
object (for a load-balancer of servers), or to a TraefikService
object (service load-balancer, mirroring, etc). The differentiation
between the two is specified in the Kind field.
type: string
namespace:
type: string
passHostHeader:
type: boolean
port:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding holds configuration for
the forward of the response.
properties:
flushInterval:
type: string
type: object
scheme:
type: string
serversTransport:
type: string
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration based
on cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
strategy:
type: string
weight:
description: Weight should only be specified when Name references
a TraefikService object (and to be precise, one that embeds
a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
sticky:
description: Sticky holds the sticky configuration.
properties:
cookie:
description: Cookie holds the sticky configuration based on
cookie.
properties:
httpOnly:
type: boolean
name:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,55 @@
# Default Helm-Values
TrueCharts is primarily build to supply TrueNAS SCALE Apps.
However, we also supply all Apps as standard Helm-Charts. In this document we aim to document the default values in our values.yaml file.
Most of our Apps also consume our "common" Helm Chart.
If this is the case, this means that all values.yaml values are set to the common chart values.yaml by default. This values.yaml file will only contain values that deviate from the common chart.
You will, however, be able to use all values referenced in the common chart here, besides the values listed in this document.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalArguments | list | `["--metrics.prometheus","--ping","--serverstransport.insecureskipverify=true","--providers.kubernetesingress.allowexternalnameservices=true"]` | Additional arguments to be passed at Traefik's binary All available options available on https://docs.traefik.io/reference/static-configuration/cli/ |
| globalArguments[0] | string | `"--global.checknewversion"` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"tccr.io/truecharts/traefik"` | |
| image.tag | string | `"v2.6.3@sha256:fab794392ae3e63eef4009b97dfbd57fda9806b70b36333bc502a0ef72838852"` | |
| ingressClass | object | `{"enabled":false,"fallbackApiVersion":"","isDefaultClass":false}` | Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x |
| ingressRoute | object | `{"dashboard":{"annotations":{},"enabled":true,"labels":{}}}` | Create an IngressRoute for the dashboard |
| logs | object | `{"access":{"enabled":false,"fields":{"general":{"defaultmode":"keep","names":{}},"headers":{"defaultmode":"drop","names":{}}},"filters":{}},"general":{"level":"ERROR"}}` | Logs https://docs.traefik.io/observability/logs/ |
| logs.access.fields | object | `{"general":{"defaultmode":"keep","names":{}},"headers":{"defaultmode":"drop","names":{}}}` | retryattempts: true minduration: 10ms Fields https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers |
| logs.access.filters | object | `{}` | To write logs in JSON, use json in the format option. If the given format is unsupported, the default (CLF) is used instead. format: json To write the logs in an asynchronous fashion, specify a bufferingSize option. This option represents the number of log lines Traefik will keep in memory before writing them to the selected output. In some cases, this option can greatly help performances. bufferingSize: 100 Filtering https://docs.traefik.io/observability/access-logs/#filtering |
| logs.general.level | string | `"ERROR"` | also ask for the json format in the format option format: json By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. |
| metrics.prometheus | object | `{"entryPoint":"metrics"}` | address: 127.0.0.1:8125 influxdb: address: localhost:8089 protocol: udp |
| middlewares | object | `{"basicAuth":[],"chain":[],"forwardAuth":[],"ipWhiteList":[],"rateLimit":[],"redirectRegex":[],"redirectScheme":[],"stripPrefixRegex":[]}` | SCALE Middleware Handlers |
| middlewares.chain | list | `[]` | address: https://auth.example.com/ authResponseHeaders: - X-Secret - X-Auth-User authRequestHeaders: - "Accept" - "X-CustomHeader" authResponseHeadersRegex: "^X-" trustForwardHeader: true |
| middlewares.forwardAuth | list | `[]` | users: - username: testuser password: testpassword |
| middlewares.ipWhiteList | list | `[]` | regex: [] |
| middlewares.rateLimit | list | `[]` | scheme: https permanent: true |
| middlewares.redirectRegex | list | `[]` | average: 300 burst: 200 |
| middlewares.redirectScheme | list | `[]` | middlewares: - name: compress |
| middlewares.stripPrefixRegex | list | `[]` | regex: putregexhere replacement: replacementurlhere permanent: false |
| pilot | object | `{"enabled":false,"token":""}` | Activate Pilot integration |
| podAnnotations."prometheus.io/path" | string | `"/metrics"` | |
| podAnnotations."prometheus.io/port" | string | `"9180"` | |
| podAnnotations."prometheus.io/scrape" | string | `"true"` | |
| portalhook.enabled | bool | `true` | |
| probes.liveness | object | See below | Liveness probe configuration |
| probes.liveness.path | string | "/" | If a HTTP probe is used (default for HTTP/HTTPS services) this path is used |
| probes.liveness.type | string | "TCP" | sets the probe type when not using a custom probe |
| probes.readiness | object | See below | Redainess probe configuration |
| probes.readiness.path | string | "/" | If a HTTP probe is used (default for HTTP/HTTPS services) this path is used |
| probes.readiness.type | string | "TCP" | sets the probe type when not using a custom probe |
| probes.startup | object | See below | Startup probe configuration |
| probes.startup.path | string | "/" | If a HTTP probe is used (default for HTTP/HTTPS services) this path is used |
| probes.startup.type | string | "TCP" | sets the probe type when not using a custom probe |
| providers | object | `{"kubernetesCRD":{"enabled":true,"namespaces":[]},"kubernetesIngress":{"enabled":true,"namespaces":[],"publishedService":{"enabled":true}}}` | Configure providers |
| providers.kubernetesIngress.publishedService | object | `{"enabled":true}` | IP used for Kubernetes Ingress endpoints |
| rbac | object | `{"enabled":true,"rules":[{"apiGroups":[""],"resources":["services","endpoints","secrets"],"verbs":["get","list","watch"]},{"apiGroups":["extensions","networking.k8s.io"],"resources":["ingresses","ingressclasses"],"verbs":["get","list","watch"]},{"apiGroups":["extensions","networking.k8s.io"],"resources":["ingresses/status"],"verbs":["update"]},{"apiGroups":["traefik.containo.us"],"resources":["ingressroutes","ingressroutetcps","ingressrouteudps","middlewares","middlewaretcps","tlsoptions","tlsstores","traefikservices","serverstransports"],"verbs":["get","list","watch"]}]}` | Whether Role Based Access Control objects like roles and rolebindings should be created |
| service | object | `{"main":{"ports":{"main":{"port":9000,"protocol":"HTTP","targetPort":9000}},"type":"LoadBalancer"},"metrics":{"enabled":true,"ports":{"metrics":{"enabled":true,"port":9180,"protocol":"HTTP","targetPort":9180}},"type":"ClusterIP"},"tcp":{"enabled":true,"ports":{"web":{"enabled":true,"port":9080,"protocol":"HTTP","redirectTo":"websecure"},"websecure":{"enabled":true,"port":9443,"protocol":"HTTPS"}},"type":"LoadBalancer"},"udp":{"enabled":false}}` | Options for the main traefik service, where the entrypoints traffic comes from from. |
| serviceAccount | object | `{"create":true}` | The service account the pods will use to interact with the Kubernetes API |
| tlsOptions | object | `{"default":{"cipherSuites":["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"],"curvePreferences":["CurveP521","CurveP384"],"minVersion":"VersionTLS12","sniStrict":false}}` | TLS Options to be created as TLSOption CRDs https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options Example: |
All Rights Reserved - The TrueCharts Project

View File

@ -0,0 +1,319 @@
image:
repository: tccr.io/truecharts/traefik
# defaults to appVersion
tag: v2.6.3@sha256:fab794392ae3e63eef4009b97dfbd57fda9806b70b36333bc502a0ef72838852
pullPolicy: IfNotPresent
# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
enabled: false
isDefaultClass: false
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
fallbackApiVersion: ""
# -- Activate Pilot integration
pilot:
enabled: false
token: ""
# Toggle Pilot Dashboard
# dashboard: false
# -- Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
enabled: true
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: "9180"
#
# -- Configure providers
providers:
kubernetesCRD:
enabled: true
namespaces: []
# - "default"
kubernetesIngress:
enabled: true
# labelSelector: environment=production,method=traefik
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: true
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
# -- Logs
# https://docs.traefik.io/observability/logs/
logs:
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
general:
# By default, the logs use a text format (common), but you can
# also ask for the json format in the format option
# format: json
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level: ERROR
access:
# To enable access logs
enabled: false
# By default, logs are written using the Common Log Format (CLF).
# To write logs in JSON, use json in the format option.
# If the given format is unsupported, the default (CLF) is used instead.
# format: json
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
# This option represents the number of log lines Traefik will keep in memory before writing
# them to the selected output. In some cases, this option can greatly help performances.
# bufferingSize: 100
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
# minduration: 10ms
# Fields
# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
fields:
general:
defaultmode: keep
names: {}
# Examples:
# ClientUsername: drop
headers:
defaultmode: drop
names: {}
# Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
metrics:
# datadog:
# address: 127.0.0.1:8125
# influxdb:
# address: localhost:8089
# protocol: udp
prometheus:
entryPoint: metrics
# statsd:
# address: localhost:8125
globalArguments:
- "--global.checknewversion"
##
# -- Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments:
- "--metrics.prometheus"
- "--ping"
- "--serverstransport.insecureskipverify=true"
- "--providers.kubernetesingress.allowexternalnameservices=true"
# -- TLS Options to be created as TLSOption CRDs
# https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options
# Example:
tlsOptions:
default:
sniStrict: false
minVersion: VersionTLS12
curvePreferences:
- CurveP521
- CurveP384
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
# -- Options for the main traefik service, where the entrypoints traffic comes from
# from.
service:
main:
type: LoadBalancer
ports:
main:
port: 9000
targetPort: 9000
protocol: HTTP
tcp:
enabled: true
type: LoadBalancer
ports:
web:
enabled: true
port: 9080
protocol: HTTP
redirectTo: websecure
# Options: Empty, 0 (ingore), or positive int
# redirectPort:
websecure:
enabled: true
port: 9443
protocol: HTTPS
# tcpexample:
# enabled: true
# targetPort: 9443
# protocol: TCP
# tls:
# enabled: false
# # this is the name of a TLSOption definition
# options: ""
# certResolver: ""
# domains: []
# # - main: example.com
# # sans:
# # - foo.example.com
# # - bar.example.com
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
port: 9180
targetPort: 9180
protocol: HTTP
udp:
enabled: false
probes:
# -- Liveness probe configuration
# @default -- See below
liveness:
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type: HTTP
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
path: "/ping"
# -- Redainess probe configuration
# @default -- See below
readiness:
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type: HTTP
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
path: "/ping"
# -- Startup probe configuration
# @default -- See below
startup:
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type: HTTP
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
path: "/ping"
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
rbac:
enabled: true
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
verbs:
- get
- list
- watch
# -- The service account the pods will use to interact with the Kubernetes API
serviceAccount:
create: true
# -- SCALE Middleware Handlers
middlewares:
basicAuth: []
# - name: basicauthexample
# users:
# - username: testuser
# password: testpassword
forwardAuth: []
# - name: forwardAuthexample
# address: https://auth.example.com/
# authResponseHeaders:
# - X-Secret
# - X-Auth-User
# authRequestHeaders:
# - "Accept"
# - "X-CustomHeader"
# authResponseHeadersRegex: "^X-"
# trustForwardHeader: true
chain: []
# - name: chainname
# middlewares:
# - name: compress
redirectScheme: []
# - name: redirectSchemeName
# scheme: https
# permanent: true
rateLimit: []
# - name: rateLimitName
# average: 300
# burst: 200
redirectRegex: []
# - name: redirectRegexName
# regex: putregexhere
# replacement: replacementurlhere
# permanent: false
stripPrefixRegex: []
# - name: stripPrefixRegexName
# regex: []
ipWhiteList: []
# - name: ipWhiteListName
# sourceRange: []
# ipStrategy:
# depth: 2
# excludedIPs: []
portalhook:
enabled: true

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,121 @@
---
hide:
- toc
---
# Security Overview
<link href="https://truecharts.org/_static/trivy.css" type="text/css" rel="stylesheet" />
## Helm-Chart
##### Scan Results
#### Chart Object: traefik/templates/common.yaml
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | <details><summary>Expand...</summary> A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.allowPrivilegeEscalation&#39; to false </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv001">https://avd.aquasec.com/appshield/ksv001</a><br></details> |
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container &#39;RELEASE-NAME-traefik&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should add &#39;ALL&#39; to &#39;securityContext.capabilities.drop&#39; </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details> |
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should add &#39;ALL&#39; to &#39;securityContext.capabilities.drop&#39; </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details> |
| Kubernetes Security Check | KSV011 | CPU not limited | LOW | <details><summary>Expand...</summary> Enforcing CPU limits prevents DoS via resource exhaustion. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;resources.limits.cpu&#39; </details>| <details><summary>Expand...</summary><a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits">https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits</a><br><a href="https://avd.aquasec.com/appshield/ksv011">https://avd.aquasec.com/appshield/ksv011</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> &#39;runAsNonRoot&#39; forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsNonRoot&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | <details><summary>Expand...</summary> &#39;runAsNonRoot&#39; forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsNonRoot&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.readOnlyRootFilesystem&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.readOnlyRootFilesystem&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details> |
| Kubernetes Security Check | KSV015 | CPU requests not specified | LOW | <details><summary>Expand...</summary> When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;resources.requests.cpu&#39; </details>| <details><summary>Expand...</summary><a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits">https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits</a><br><a href="https://avd.aquasec.com/appshield/ksv015">https://avd.aquasec.com/appshield/ksv015</a><br></details> |
| Kubernetes Security Check | KSV016 | Memory requests not specified | LOW | <details><summary>Expand...</summary> When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;resources.requests.memory&#39; </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-resources-limits-memory/">https://kubesec.io/basics/containers-resources-limits-memory/</a><br><a href="https://avd.aquasec.com/appshield/ksv016">https://avd.aquasec.com/appshield/ksv016</a><br></details> |
| Kubernetes Security Check | KSV017 | Privileged container | HIGH | <details><summary>Expand...</summary> Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.privileged&#39; to false </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline">https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline</a><br><a href="https://avd.aquasec.com/appshield/ksv017">https://avd.aquasec.com/appshield/ksv017</a><br></details> |
| Kubernetes Security Check | KSV018 | Memory not limited | LOW | <details><summary>Expand...</summary> Enforcing memory limits prevents DoS via resource exhaustion. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;resources.limits.memory&#39; </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-resources-limits-memory/">https://kubesec.io/basics/containers-resources-limits-memory/</a><br><a href="https://avd.aquasec.com/appshield/ksv018">https://avd.aquasec.com/appshield/ksv018</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;RELEASE-NAME-traefik&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsUser&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsUser&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with user ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsUser&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv020">https://avd.aquasec.com/appshield/ksv020</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;RELEASE-NAME-traefik&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsGroup&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsGroup&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM | <details><summary>Expand...</summary> Force the container to run with group ID &gt; 10000 to avoid conflicts with the hosts user table. <br> <hr> <br> Container &#39;hostpatch&#39; of Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;securityContext.runAsGroup&#39; &gt; 10000 </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-runasuser/">https://kubesec.io/basics/containers-securitycontext-runasuser/</a><br><a href="https://avd.aquasec.com/appshield/ksv021">https://avd.aquasec.com/appshield/ksv021</a><br></details> |
| Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM | <details><summary>Expand...</summary> HostPath volumes must be forbidden. <br> <hr> <br> Deployment &#39;RELEASE-NAME-traefik&#39; should not set &#39;spec.template.volumes.hostPath&#39; </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline">https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline</a><br><a href="https://avd.aquasec.com/appshield/ksv023">https://avd.aquasec.com/appshield/ksv023</a><br></details> |
| Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW | <details><summary>Expand...</summary> Containers should be forbidden from running with a root primary or supplementary GID. <br> <hr> <br> Deployment &#39;RELEASE-NAME-traefik&#39; should set &#39;spec.securityContext.runAsGroup&#39;, &#39;spec.securityContext.supplementalGroups[*]&#39; and &#39;spec.securityContext.fsGroup&#39; to integer greater than 0 </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv029">https://avd.aquasec.com/appshield/ksv029</a><br></details> |
| No Misconfigurations found |
|:---------------------------------|
| No Misconfigurations found |
|:---------------------------------|
| No Misconfigurations found |
|:---------------------------------|
| No Misconfigurations found |
|:---------------------------------|
## Containers
##### Detected Containers
tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583
tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583
tccr.io/truecharts/traefik:v2.6.3@sha256:fab794392ae3e63eef4009b97dfbd57fda9806b70b36333bc502a0ef72838852
##### Scan Results
#### Container: tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583 (alpine 3.15.2)
**alpine**
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
| zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | <details><summary>Expand...</summary><a href="http://www.openwall.com/lists/oss-security/2022/03/25/2">http://www.openwall.com/lists/oss-security/2022/03/25/2</a><br><a href="http://www.openwall.com/lists/oss-security/2022/03/26/1">http://www.openwall.com/lists/oss-security/2022/03/26/1</a><br><a href="https://access.redhat.com/security/cve/CVE-2018-25032">https://access.redhat.com/security/cve/CVE-2018-25032</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032</a><br><a href="https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531">https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531</a><br><a href="https://github.com/madler/zlib/compare/v1.2.11...v1.2.12">https://github.com/madler/zlib/compare/v1.2.11...v1.2.12</a><br><a href="https://github.com/madler/zlib/issues/605">https://github.com/madler/zlib/issues/605</a><br><a href="https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html">https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-25032">https://nvd.nist.gov/vuln/detail/CVE-2018-25032</a><br><a href="https://ubuntu.com/security/notices/USN-5355-1">https://ubuntu.com/security/notices/USN-5355-1</a><br><a href="https://ubuntu.com/security/notices/USN-5355-2">https://ubuntu.com/security/notices/USN-5355-2</a><br><a href="https://ubuntu.com/security/notices/USN-5359-1">https://ubuntu.com/security/notices/USN-5359-1</a><br><a href="https://www.debian.org/security/2022/dsa-5111">https://www.debian.org/security/2022/dsa-5111</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/24/1">https://www.openwall.com/lists/oss-security/2022/03/24/1</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/28/1">https://www.openwall.com/lists/oss-security/2022/03/28/1</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/28/3">https://www.openwall.com/lists/oss-security/2022/03/28/3</a><br></details> |
#### Container: tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583 (alpine 3.15.2)
**alpine**
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
| zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | <details><summary>Expand...</summary><a href="http://www.openwall.com/lists/oss-security/2022/03/25/2">http://www.openwall.com/lists/oss-security/2022/03/25/2</a><br><a href="http://www.openwall.com/lists/oss-security/2022/03/26/1">http://www.openwall.com/lists/oss-security/2022/03/26/1</a><br><a href="https://access.redhat.com/security/cve/CVE-2018-25032">https://access.redhat.com/security/cve/CVE-2018-25032</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032</a><br><a href="https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531">https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531</a><br><a href="https://github.com/madler/zlib/compare/v1.2.11...v1.2.12">https://github.com/madler/zlib/compare/v1.2.11...v1.2.12</a><br><a href="https://github.com/madler/zlib/issues/605">https://github.com/madler/zlib/issues/605</a><br><a href="https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html">https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-25032">https://nvd.nist.gov/vuln/detail/CVE-2018-25032</a><br><a href="https://ubuntu.com/security/notices/USN-5355-1">https://ubuntu.com/security/notices/USN-5355-1</a><br><a href="https://ubuntu.com/security/notices/USN-5355-2">https://ubuntu.com/security/notices/USN-5355-2</a><br><a href="https://ubuntu.com/security/notices/USN-5359-1">https://ubuntu.com/security/notices/USN-5359-1</a><br><a href="https://www.debian.org/security/2022/dsa-5111">https://www.debian.org/security/2022/dsa-5111</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/24/1">https://www.openwall.com/lists/oss-security/2022/03/24/1</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/28/1">https://www.openwall.com/lists/oss-security/2022/03/28/1</a><br><a href="https://www.openwall.com/lists/oss-security/2022/03/28/3">https://www.openwall.com/lists/oss-security/2022/03/28/3</a><br></details> |
#### Container: tccr.io/truecharts/traefik:v2.6.3@sha256:fab794392ae3e63eef4009b97dfbd57fda9806b70b36333bc502a0ef72838852 (alpine 3.14.5)
**alpine**
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| busybox | CVE-2022-28391 | UNKNOWN | 1.33.1-r6 | 1.33.1-r7 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
| ssl_client | CVE-2022-28391 | UNKNOWN | 1.33.1-r6 | 1.33.1-r7 | <details><summary>Expand...</summary><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch</a><br><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch</a><br><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661</a><br></details> |
**gobinary**
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
| github.com/containerd/containerd | CVE-2022-23648 | HIGH | v1.5.9 | 1.4.13, 1.5.10, 1.6.1 | <details><summary>Expand...</summary><a href="http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html">http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html</a><br><a href="https://access.redhat.com/security/cve/CVE-2022-23648">https://access.redhat.com/security/cve/CVE-2022-23648</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648</a><br><a href="https://github.com/advisories/GHSA-crp2-qrr5-8pq7">https://github.com/advisories/GHSA-crp2-qrr5-8pq7</a><br><a href="https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70">https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70</a><br><a href="https://github.com/containerd/containerd/releases/tag/v1.4.13">https://github.com/containerd/containerd/releases/tag/v1.4.13</a><br><a href="https://github.com/containerd/containerd/releases/tag/v1.5.10">https://github.com/containerd/containerd/releases/tag/v1.5.10</a><br><a href="https://github.com/containerd/containerd/releases/tag/v1.6.1">https://github.com/containerd/containerd/releases/tag/v1.6.1</a><br><a href="https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7">https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7</a><br><a href="https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7.">https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7.</a><br><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/</a><br><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/</a><br><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23648">https://nvd.nist.gov/vuln/detail/CVE-2022-23648</a><br><a href="https://ubuntu.com/security/notices/USN-5311-1">https://ubuntu.com/security/notices/USN-5311-1</a><br><a href="https://www.debian.org/security/2022/dsa-5091">https://www.debian.org/security/2022/dsa-5091</a><br></details> |
| github.com/docker/distribution | GMS-2022-20 | UNKNOWN | v2.7.1+incompatible | v2.8.0 | <details><summary>Expand...</summary><a href="https://github.com/advisories/GHSA-qq97-vm5h-rrhg">https://github.com/advisories/GHSA-qq97-vm5h-rrhg</a><br><a href="https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586">https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586</a><br><a href="https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg">https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg</a><br><a href="https://github.com/opencontainers/image-spec/pull/411">https://github.com/opencontainers/image-spec/pull/411</a><br></details> |
| github.com/hashicorp/consul | CVE-2022-24687 | MEDIUM | v1.10.4 | 1.9.15, 1.10.8, 1.11.3 | <details><summary>Expand...</summary><a href="https://discuss.hashicorp.com">https://discuss.hashicorp.com</a><br><a href="https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/">https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-24687">https://nvd.nist.gov/vuln/detail/CVE-2022-24687</a><br><a href="https://security.netapp.com/advisory/ntap-20220331-0006/">https://security.netapp.com/advisory/ntap-20220331-0006/</a><br></details> |
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.6 | 0.3.7 | <details><summary>Expand...</summary><a href="https://go-review.googlesource.com/c/text/+/340830">https://go-review.googlesource.com/c/text/+/340830</a><br><a href="https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f">https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f</a><br><a href="https://pkg.go.dev/vuln/GO-2021-0113">https://pkg.go.dev/vuln/GO-2021-0113</a><br></details> |

View File

@ -0,0 +1,146 @@
{{/* Define the args */}}
{{- define "traefik.args" -}}
args:
{{/* merge all ports */}}
{{- $ports := dict }}
{{- range $.Values.service }}
{{- range $name, $value := .ports }}
{{- $_ := set $ports $name $value }}
{{- end }}
{{- end }}
{{/* start of actual arguments */}}
{{- with .Values.globalArguments }}
{{- range . }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- range $name, $config := $ports }}
{{- if $config }}
{{- if or ( eq $config.protocol "HTTP" ) ( eq $config.protocol "HTTPS" ) ( eq $config.protocol "TCP" ) }}
{{- $_ := set $config "protocol" "TCP" }}
{{- end }}
- "--entryPoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}"
{{- end }}
{{- end }}
- "--api.dashboard=true"
- "--ping=true"
{{- if .Values.metrics }}
{{- if .Values.metrics.datadog }}
- "--metrics.datadog=true"
- "--metrics.datadog.address={{ .Values.metrics.datadog.address }}"
{{- end }}
{{- if .Values.metrics.influxdb }}
- "--metrics.influxdb=true"
- "--metrics.influxdb.address={{ .Values.metrics.influxdb.address }}"
- "--metrics.influxdb.protocol={{ .Values.metrics.influxdb.protocol }}"
{{- end }}
{{- if .Values.metrics.prometheus }}
- "--metrics.prometheus=true"
- "--metrics.prometheus.entrypoint={{ .Values.metrics.prometheus.entryPoint }}"
{{- end }}
{{- if .Values.metrics.statsd }}
- "--metrics.statsd=true"
- "--metrics.statsd.address={{ .Values.metrics.statsd.address }}"
{{- end }}
{{- end }}
{{- if .Values.providers.kubernetesCRD.enabled }}
- "--providers.kubernetescrd"
{{- end }}
{{- if .Values.providers.kubernetesIngress.enabled }}
- "--providers.kubernetesingress"
{{- if .Values.providers.kubernetesIngress.publishedService.enabled }}
- "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}"
{{- end }}
{{- if .Values.providers.kubernetesIngress.labelSelector }}
- "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}"
{{- end }}
{{- end }}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
{{- if .Values.providers.kubernetesCRD.enabled }}
- "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" . }}"
{{- end }}
{{- if .Values.providers.kubernetesIngress.enabled }}
- "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" . }}"
{{- end }}
{{- end }}
{{- range $entrypoint, $config := $ports }}
{{- if $config.redirectTo }}
{{- $toPort := index $ports $config.redirectTo }}
- "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.port }}"
- "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
{{- else if $config.redirectPort }}
{{ if gt $config.redirectPort 0.0 }}
- "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $config.redirectPort }}"
- "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
{{- end }}
{{- end }}
{{- if or ( $config.tls ) ( eq $config.protocol "HTTPS" ) }}
{{- if or ( $config.tls.enabled ) ( eq $config.protocol "HTTPS" ) }}
- "--entrypoints.{{ $entrypoint }}.http.tls=true"
{{- if $config.tls.options }}
- "--entrypoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}"
{{- end }}
{{- if $config.tls.certResolver }}
- "--entrypoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}"
{{- end }}
{{- if $config.tls.domains }}
{{- range $index, $domain := $config.tls.domains }}
{{- if $domain.main }}
- "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}"
{{- end }}
{{- if $domain.sans }}
- "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.logs }}
{{- if .general.format }}
- "--log.format={{ .general.format }}"
{{- end }}
{{- if ne .general.level "ERROR" }}
- "--log.level={{ .general.level | upper }}"
{{- end }}
{{- if .access.enabled }}
- "--accesslog=true"
{{- if .access.format }}
- "--accesslog.format={{ .access.format }}"
{{- end }}
{{- if .access.bufferingsize }}
- "--accesslog.bufferingsize={{ .access.bufferingsize }}"
{{- end }}
{{- if .access.filters }}
{{- if .access.filters.statuscodes }}
- "--accesslog.filters.statuscodes={{ .access.filters.statuscodes }}"
{{- end }}
{{- if .access.filters.retryattempts }}
- "--accesslog.filters.retryattempts"
{{- end }}
{{- if .access.filters.minduration }}
- "--accesslog.filters.minduration={{ .access.filters.minduration }}"
{{- end }}
{{- end }}
- "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}"
{{- range $fieldname, $fieldaction := .access.fields.general.names }}
- "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}"
{{- end }}
- "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}"
{{- range $fieldname, $fieldaction := .access.fields.headers.names }}
- "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}"
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.pilot.enabled }}
- "--pilot.token={{ .Values.pilot.token }}"
{{- end }}
{{- if hasKey .Values.pilot "dashboard" }}
- "--pilot.dashboard={{ .Values.pilot.dashboard }}"
{{- end }}
{{- with .Values.additionalArguments }}
{{- range . }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,22 @@
{{/*
Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice.
By convention this will simply use the <namespace>/<service-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
*/}}
{{- define "providers.kubernetesIngress.publishedServicePath" -}}
{{- $fullName := include "common.names.fullname" . -}}
{{- $defServiceName := printf "%s/%s-tcp" .Release.Namespace $fullName -}}
{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct a comma-separated list of whitelisted namespaces
*/}}
{{- define "providers.kubernetesIngress.namespaces" -}}
{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesCRD.namespaces" -}}
{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }}
{{- end -}}

View File

@ -0,0 +1,24 @@
{{/* Define the ingressClass */}}
{{- define "traefik.ingressClass" -}}
---
{{ if .Values.ingressClass.enabled }}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }}
apiVersion: networking.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass" }}
apiVersion: networking.k8s.io/v1beta1
{{- else if or (eq .Values.ingressClass.fallbackApiVersion "v1beta1") (eq .Values.ingressClass.fallbackApiVersion "v1") }}
apiVersion: {{ printf "networking.k8s.io/%s" .Values.ingressClass.fallbackApiVersion }}
{{- else }}
{{- fail "\n\n ERROR: You must have at least networking.k8s.io/v1beta1 to use ingressClass" }}
{{- end }}
kind: IngressClass
metadata:
annotations:
ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
labels:
{{- include "common.labels" . | nindent 4 }}
name: {{ .Release.Name }}
spec:
controller: traefik.io/ingress-controller
{{- end }}
{{- end }}

View File

@ -0,0 +1,25 @@
{{/* Define the ingressRoute */}}
{{- define "traefik.ingressRoute" -}}
{{ if .Values.ingressRoute.dashboard.enabled }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: {{ include "common.names.fullname" . }}-dashboard
annotations:
{{- with .Values.ingressRoute.dashboard.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "common.labels" . | nindent 4 }}
spec:
entryPoints:
- main
routes:
- match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
{{ end }}
{{- end -}}

View File

@ -0,0 +1,26 @@
{{/* Define the portalHook */}}
{{- define "traefik.portalhook" -}}
{{- if .Values.portalhook.enabled }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: portalhook
namespace: {{ $namespace }}
data:
{{- $ports := dict }}
{{- range $.Values.service }}
{{- range $name, $value := .ports }}
{{- $_ := set $ports $name $value }}
{{- end }}
{{- end }}
{{- range $name, $value := $ports }}
{{ $name }}: {{ $value.port | quote }}
{{- end }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,12 @@
{{/* Define the tlsOptions */}}
{{- define "traefik.tlsOptions" -}}
{{- range $name, $config := .Values.tlsOptions }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: {{ $name }}
spec:
{{- toYaml $config | nindent 2 }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,24 @@
{{/* Make sure all variables are set properly */}}
{{- include "common.setup" . }}
{{- if .Values.metrics }}
{{- if .Values.metrics.prometheus }}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "9180" -}}
{{- end }}
{{- end }}
{{- $newArgs := (include "traefik.args" . | fromYaml) }}
{{- $_ := set .Values "newArgs" $newArgs -}}
{{- $mergedargs := concat .Values.args .Values.newArgs.args }}
{{- $_ := set .Values "args" $mergedargs -}}
{{- include "traefik.portalhook" . }}
{{- include "traefik.tlsOptions" . }}
{{- include "traefik.ingressRoute" . }}
{{- include "traefik.ingressClass" . }}
{{/* Render the templates */}}
{{ include "common.postSetup" . }}

View File

@ -0,0 +1,65 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: compress
namespace: {{ $namespace }}
spec:
compress: {}
---
# Here, an average of 300 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-ratelimit
namespace: {{ $namespace }}
spec:
rateLimit:
average: 600
burst: 400
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-secure-headers
namespace: {{ $namespace }}
spec:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- HEAD
- PUT
accessControlMaxAge: 100
sslRedirect: true
stsSeconds: 63072000
# stsIncludeSubdomains: false
# stsPreload: false
forceSTSHeader: true
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
referrerPolicy: same-origin
customRequestHeaders:
X-Forwarded-Proto: "https"
customResponseHeaders:
X-Robots-Tag: 'none'
server: ''
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: chain-basic
namespace: {{ $namespace }}
spec:
chain:
middlewares:
- name: basic-ratelimit
- name: basic-secure-headers
- name: compress

View File

@ -0,0 +1,34 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.basicAuth }}
---
{{- $users := list }}
{{ range $index, $userdata := $middlewareData.users }}
{{ $users = append $users ( htpasswd $userdata.username $userdata.password ) }}
{{ end }}
apiVersion: v1
kind: Secret
metadata:
name: {{printf "%v-%v" $middlewareData.name "secret" }}
namespace: {{ $namespace }}
type: Opaque
stringData:
users: |
{{- range $index, $user := $users }}
{{ printf "%s" $user }}
{{- end }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
basicAuth:
secret: {{printf "%v-%v" $middlewareData.name "secret" }}
{{ end }}

View File

@ -0,0 +1,21 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.chain }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
chain:
middlewares:
{{ range $index, $chainData := . }}
- name: {{ printf "%v-%v@%v" $namespace $chainData.name "kubernetescrd" }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,30 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.forwardAuth }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
forwardAuth:
address: {{ $middlewareData.address }}
{{- with $middlewareData.authResponseHeaders }}
authResponseHeaders:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $middlewareData.authRequestHeaders }}
authRequestHeaders:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if $middlewareData.authResponseHeadersRegex }}
authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
{{- end }}
{{- if $middlewareData.trustForwardHeader }}
trustForwardHeader: true
{{- end }}
{{ end }}

View File

@ -0,0 +1,33 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.ipWhiteList }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
ipWhiteList:
sourceRange:
{{- range $middlewareData.sourceRange }}
- {{ . }}
{{- end }}
{{- if $middlewareData.ipStrategy }}
ipStrategy:
{{- if $middlewareData.ipStrategy.depth }}
depth: {{ $middlewareData.ipStrategy.depth }}
{{- end }}
{{- if $middlewareData.ipStrategy.excludedIPs }}
excludedIPs:
{{- range $middlewareData.ipStrategy.excludedIPs }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{ end }}

View File

@ -0,0 +1,19 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.rateLimit }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
rateLimit:
average: {{ $middlewareData.average }}
burst: {{ $middlewareData.burst }}
{{ end }}

View File

@ -0,0 +1,19 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.redirectScheme }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
redirectScheme:
scheme: {{ $middlewareData.scheme }}
permanent: {{ $middlewareData.permanent }}
{{ end }}

View File

@ -0,0 +1,20 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.redirectRegex }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
redirectRegex:
regex: {{ $middlewareData.regex | quote }}
replacement: {{ $middlewareData.replacement | quote }}
permanent: {{ $middlewareData.permanent }}
{{ end }}

View File

@ -0,0 +1,20 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
{{ range $index, $middlewareData := .Values.middlewares.stripPrefixRegex }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: {{ $namespace }}
spec:
stripPrefixRegex:
regex:
{{- range $middlewareData.regex }}
- {{ . | quote }}
{{- end }}
{{ end }}

View File

@ -0,0 +1,29 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-opencors-chain
namespace: {{ $namespace }}
spec:
chain:
middlewares:
- name: basic-ratelimit
- name: tc-opencors-headers
- name: compress
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-closedcors-chain
namespace: {{ $namespace }}
spec:
chain:
middlewares:
- name: basic-ratelimit
- name: tc-closedcors-headers
- name: compress

View File

@ -0,0 +1,64 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-opencors-headers
namespace: {{ $namespace }}
spec:
headers:
accessControlAllowHeaders:
- '*'
accessControlAllowMethods:
- GET
- OPTIONS
- HEAD
- PUT
- POST
accessControlAllowOriginList:
- '*'
accessControlMaxAge: 100
browserXssFilter: true
contentTypeNosniff: true
customRequestHeaders:
X-Forwarded-Proto: https
customResponseHeaders:
X-Robots-Tag: none
server: ""
forceSTSHeader: true
referrerPolicy: same-origin
sslForceHost: true
sslRedirect: true
stsSeconds: 63072000
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-closedcors-headers
namespace: {{ $namespace }}
spec:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- HEAD
- PUT
accessControlMaxAge: 100
sslRedirect: true
stsSeconds: 63072000
# stsIncludeSubdomains: false
# stsPreload: false
forceSTSHeader: true
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
referrerPolicy: same-origin
customRequestHeaders:
X-Forwarded-Proto: "https"
customResponseHeaders:
X-Robots-Tag: 'none'
server: ''

View File

@ -0,0 +1,25 @@
{{- $values := .Values }}
{{- $namespace := ( printf "ix-%s" .Release.Name ) }}
{{- if or ( not .Values.ingressClass.enabled ) ( and ( .Values.ingressClass.enabled ) ( .Values.ingressClass.isDefaultClass ) ) }}
{{- $namespace = "default" }}
{{- end }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-nextcloud-redirectregex-dav
namespace: {{ $namespace }}
spec:
redirectRegex:
regex: "https://(.*)/.well-known/(card|cal)dav"
replacement: "https://${1}/remote.php/dav/"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tc-nextcloud-chain
namespace: {{ $namespace }}
spec:
chain:
middlewares:
- name: tc-nextcloud-redirectregex-dav

View File