503 lines
16 KiB
YAML
503 lines
16 KiB
YAML
image:
|
|
repository: tccr.io/tccr/traefik
|
|
tag: v2.11.0@sha256:543615fc27b7fb2605cf799aa627b368f4d9fe5f1a87c6b7ff6879b075694c44
|
|
pullPolicy: IfNotPresent
|
|
manifestManager:
|
|
enabled: true
|
|
workload:
|
|
main:
|
|
replicas: 2
|
|
strategy: RollingUpdate
|
|
podSpec:
|
|
containers:
|
|
main:
|
|
args: []
|
|
probes:
|
|
# -- Liveness probe configuration
|
|
# @default -- See below
|
|
liveness:
|
|
# -- sets the probe type when not using a custom probe
|
|
# @default -- "TCP"
|
|
type: tcp
|
|
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# @default -- "/"
|
|
# path: "/ping"
|
|
# -- Readiness probe configuration
|
|
# @default -- See below
|
|
readiness:
|
|
# -- sets the probe type when not using a custom probe
|
|
# @default -- "TCP"
|
|
type: tcp
|
|
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# @default -- "/"
|
|
# path: "/ping"
|
|
# -- Startup probe configuration
|
|
# @default -- See below
|
|
startup:
|
|
# -- sets the probe type when not using a custom probe
|
|
# @default -- "TCP"
|
|
type: tcp
|
|
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# @default -- "/"
|
|
# path: "/ping"
|
|
# -- Options for all pods
|
|
# Can be overruled per pod
|
|
podOptions:
|
|
automountServiceAccountToken: true
|
|
operator:
|
|
register: true
|
|
# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
|
|
ingressClass:
|
|
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
|
|
enabled: false
|
|
isDefaultClass: false
|
|
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
|
|
fallbackApiVersion: ""
|
|
# -- Create an IngressRoute for the dashboard
|
|
ingressRoute:
|
|
dashboard:
|
|
enabled: true
|
|
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
|
|
annotations: {}
|
|
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
|
|
labels: {}
|
|
#
|
|
# -- Configure providers
|
|
providers:
|
|
kubernetesCRD:
|
|
enabled: true
|
|
namespaces: []
|
|
# - "default"
|
|
kubernetesIngress:
|
|
enabled: true
|
|
# labelSelector: environment=production,method=traefik
|
|
namespaces: []
|
|
# - "default"
|
|
# IP used for Kubernetes Ingress endpoints
|
|
publishedService:
|
|
enabled: true
|
|
# Published Kubernetes Service to copy status from. Format: namespace/servicename
|
|
# By default this Traefik service
|
|
# pathOverride: ""
|
|
# -- Logs
|
|
# https://docs.traefik.io/observability/logs/
|
|
logs:
|
|
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
|
|
general:
|
|
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
|
|
level: ERROR
|
|
# -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format
|
|
format: common
|
|
access:
|
|
# To enable access logs
|
|
enabled: false
|
|
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
|
|
# This option represents the number of log lines Traefik will keep in memory before writing
|
|
# them to the selected output. In some cases, this option can greatly help performances.
|
|
# bufferingSize: 100
|
|
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
|
|
filters: {}
|
|
# statuscodes: "200,300-302"
|
|
# retryattempts: true
|
|
# minduration: 10ms
|
|
# Fields
|
|
# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
|
|
fields:
|
|
general:
|
|
defaultmode: keep
|
|
names: {}
|
|
# Examples:
|
|
# ClientUsername: drop
|
|
headers:
|
|
defaultmode: drop
|
|
names: {}
|
|
# Examples:
|
|
# User-Agent: redact
|
|
# Authorization: drop
|
|
# Content-Type: keep
|
|
# -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format
|
|
format: common
|
|
metrics:
|
|
main:
|
|
enabled: true
|
|
type: servicemonitor
|
|
endpoints:
|
|
- port: metrics
|
|
path: /metrics
|
|
targetSelector: metrics
|
|
|
|
globalArguments:
|
|
- "--global.checknewversion"
|
|
|
|
configmap:
|
|
dashboard:
|
|
enabled: true
|
|
labels:
|
|
grafana_dashboard: "1"
|
|
data:
|
|
traefik.json: >-
|
|
{{ .Files.Get "dashboard.json" | indent 8 }}
|
|
|
|
##
|
|
# -- Additional arguments to be passed at Traefik's binary
|
|
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
|
|
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
|
|
additionalArguments:
|
|
- "--serverstransport.insecureskipverify=true"
|
|
- "--providers.kubernetesingress.allowexternalnameservices=true"
|
|
|
|
# -- Default clusterCertificate generated by clusterissuer
|
|
defaultCertificate: ""
|
|
|
|
# -- Add custom DNSStore objects
|
|
tlsStore: {}
|
|
|
|
# -- TLS Options to be created as TLSOption CRDs
|
|
# https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options
|
|
# Example:
|
|
tlsOptions:
|
|
default:
|
|
sniStrict: false
|
|
minVersion: VersionTLS12
|
|
curvePreferences:
|
|
- CurveP521
|
|
- CurveP384
|
|
- X25519
|
|
cipherSuites:
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
|
- TLS_AES_128_GCM_SHA256
|
|
- TLS_AES_256_GCM_SHA384
|
|
- TLS_CHACHA20_POLY1305_SHA256
|
|
# -- Options for the main traefik service, where the entrypoints traffic comes from
|
|
# from.
|
|
service:
|
|
main:
|
|
type: LoadBalancer
|
|
ports:
|
|
main:
|
|
port: 9000
|
|
targetPort: 9000
|
|
protocol: http
|
|
# -- Forwarded Headers should never be enabled on Main entrypoint
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- Proxy Protocol should never be enabled on Main entrypoint
|
|
proxyProtocol:
|
|
enabled: false
|
|
tcp:
|
|
enabled: true
|
|
type: LoadBalancer
|
|
## In most cases, you want this changed to `Local`
|
|
externalTrafficPolicy: Cluster
|
|
ports:
|
|
web:
|
|
enabled: true
|
|
port: 80
|
|
protocol: http
|
|
redirectTo: websecure
|
|
# Options: Empty, 0 (ingore), or positive int
|
|
# redirectPort:
|
|
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- List of trusted IP and CIDR references
|
|
trustedIPs: []
|
|
# -- Trust all forwarded headers
|
|
insecureMode: false
|
|
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
|
|
proxyProtocol:
|
|
enabled: false
|
|
# -- Only IPs in trustedIPs will lead to remote client address replacement
|
|
trustedIPs: []
|
|
# -- Trust every incoming connection
|
|
insecureMode: false
|
|
websecure:
|
|
enabled: true
|
|
port: 443
|
|
protocol: https
|
|
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- List of trusted IP and CIDR references
|
|
trustedIPs: []
|
|
# -- Trust all forwarded headers
|
|
insecureMode: false
|
|
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
|
|
proxyProtocol:
|
|
enabled: false
|
|
# -- Only IPs in trustedIPs will lead to remote client address replacement
|
|
trustedIPs: []
|
|
# -- Trust every incoming connection
|
|
insecureMode: false
|
|
# tcpexample:
|
|
# enabled: true
|
|
# targetPort: 9443
|
|
# protocol: tcp
|
|
# tls:
|
|
# enabled: false
|
|
# # this is the name of a TLSOption definition
|
|
# options: ""
|
|
# certResolver: ""
|
|
# domains: []
|
|
# # - main: example.com
|
|
# # sans:
|
|
# # - foo.example.com
|
|
# # - bar.example.com
|
|
metrics:
|
|
enabled: true
|
|
type: ClusterIP
|
|
ports:
|
|
metrics:
|
|
enabled: true
|
|
port: 9180
|
|
targetPort: 9180
|
|
protocol: http
|
|
# -- Forwarded Headers should never be enabled on Metrics entrypoint
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- Proxy Protocol should never be enabled on Metrics entrypoint
|
|
proxyProtocol:
|
|
enabled: false
|
|
# udp:
|
|
# enabled: false
|
|
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
|
|
rbac:
|
|
main:
|
|
enabled: true
|
|
primary: true
|
|
clusterWide: true
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- endpoints
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
- ingressclasses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- update
|
|
- apiGroups:
|
|
- traefik.containo.us
|
|
- traefik.io
|
|
resources:
|
|
- middlewares
|
|
- middlewaretcps
|
|
- ingressroutes
|
|
- traefikservices
|
|
- ingressroutetcps
|
|
- ingressrouteudps
|
|
- tlsoptions
|
|
- tlsstores
|
|
- serverstransports
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
# -- The service account the pods will use to interact with the Kubernetes API
|
|
serviceAccount:
|
|
main:
|
|
enabled: true
|
|
primary: true
|
|
# -- SCALE Middleware Handlers
|
|
middlewares:
|
|
basicAuth: []
|
|
# - name: basicauthexample
|
|
# users:
|
|
# - username: testuser
|
|
# password: testpassword
|
|
forwardAuth: []
|
|
# - name: forwardAuthexample
|
|
# address: https://auth.example.com/
|
|
# authResponseHeaders:
|
|
# - X-Secret
|
|
# - X-Auth-User
|
|
# authRequestHeaders:
|
|
# - "Accept"
|
|
# - "X-CustomHeader"
|
|
# authResponseHeadersRegex: "^X-"
|
|
# trustForwardHeader: true
|
|
customRequestHeaders: []
|
|
# - name: customRequestHeaderExample
|
|
# headers:
|
|
# - name: X-Custom-Header
|
|
# value: "foobar"
|
|
# - name: X-Header-To-Remove
|
|
# value: ""
|
|
customResponseHeaders: []
|
|
# - name: customResponseHeaderExample
|
|
# headers:
|
|
# - name: X-Custom-Header
|
|
# value: "foobar"
|
|
# - name: X-Header-To-Remove
|
|
# value: ""
|
|
rewriteResponseHeaders: []
|
|
# - name: rewriteResponseHeadersName
|
|
# headers:
|
|
# - name: "Location"
|
|
# regex: "^http://(.+)$"
|
|
# replacement: "https://$1"
|
|
# - name: "Date"
|
|
# regex: "^[^,]+,\\s*(.+)$"
|
|
# replacement: "$1"
|
|
customFrameOptionsValue: []
|
|
# - name: customFrameOptionsValueExample
|
|
# value: "SAMEORIGIN"
|
|
buffering: []
|
|
# - name: bufferingExample
|
|
# maxRequestBodyBytes: 1000000
|
|
# memRequestBodyBytes: 1000000
|
|
# maxResponseBodyBytes: 1000000
|
|
# memResponseBodyBytes: 1000000
|
|
# retryExpression: "IsNetworkError() && Attempts() < 2"
|
|
chain: []
|
|
# - name: chainname
|
|
# middlewares:
|
|
# - name: compress
|
|
redirectScheme: []
|
|
# - name: redirectSchemeName
|
|
# scheme: https
|
|
# permanent: true
|
|
rateLimit: []
|
|
# - name: rateLimitName
|
|
# average: 300
|
|
# burst: 200
|
|
redirectRegex: []
|
|
# - name: redirectRegexName
|
|
# regex: putregexhere
|
|
# replacement: replacementurlhere
|
|
# permanent: false
|
|
stripPrefixRegex: []
|
|
# - name: stripPrefixRegexName
|
|
# regex: []
|
|
ipWhiteList: []
|
|
# - name: ipWhiteListName
|
|
# sourceRange: []
|
|
# ipStrategy:
|
|
# depth: 2
|
|
# excludedIPs: []
|
|
themePark: []
|
|
# - name: themeParkName
|
|
# -- Supported apps, lower case name
|
|
# -- https://docs.theme-park.dev/themes
|
|
# app: appnamehere
|
|
# -- Supported themes, lower case name
|
|
# -- https://docs.theme-park.dev/themes/APPNAMEHERE
|
|
# -- https://docs.theme-park.dev/community-themes
|
|
# theme: themenamehere
|
|
# -- https://theme-park.dev or a self hosted url
|
|
# baseUrl: https://theme-park.dev
|
|
# Sets X-Real-Ip with an IP from the X-Forwarded-For or
|
|
# Cf-Connecting-Ip (If from Cloudflare)
|
|
# Evaluation of those headers will go from last to first
|
|
realIP: []
|
|
# - name: realIPName
|
|
# -- The real IP will be the first one that is
|
|
# -- not included in any of the CIDRs passed here
|
|
# excludedNetworks:
|
|
# - 1.1.1.1/24
|
|
addPrefix: []
|
|
# - name: addPrefixName
|
|
# prefix: "/foo"
|
|
geoBlock: []
|
|
# -- https://github.com/PascalMinder/geoblock
|
|
# - name: geoBlockName
|
|
# allowLocalRequests: true
|
|
# logLocalRequests: false
|
|
# logAllowedRequests: false
|
|
# logApiRequests: false
|
|
# api: https://get.geojs.io/v1/ip/country/{ip}
|
|
# apiTimeoutMs: 500
|
|
# cacheSize: 25
|
|
# forceMonthlyUpdate: true
|
|
# allowUnknownCountries: false
|
|
# unknownCountryApiResponse: nil
|
|
# blackListMode: false
|
|
# countries:
|
|
# - RU
|
|
modsecurity: []
|
|
# - name: modsecurityName
|
|
# modSecurityUrl: modSecurity container URL
|
|
# timeoutMillis: Configurated timeout
|
|
# maxBodySize: maxBodySize
|
|
bouncer: []
|
|
# - name: bouncer
|
|
# enabled: false
|
|
# logLevel: DEBUG
|
|
# updateIntervalSeconds: 60
|
|
# defaultDecisionSeconds: 60
|
|
# httpTimeoutSeconds: 10
|
|
# crowdsecMode: live
|
|
# crowdsecAppsecEnabled: false
|
|
# crowdsecAppsecHost: crowdsec:7422
|
|
# crowdsecAppsecFailureBlock: true
|
|
# crowdsecLapiKey: privateKey-foo
|
|
# crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
|
|
# crowdsecLapiHost: crowdsec:8080
|
|
# crowdsecLapiScheme: http
|
|
# crowdsecLapiTLSInsecureVerify: false
|
|
# crowdsecCapiMachineId: login
|
|
# crowdsecCapiPassword: password
|
|
# crowdsecCapiScenarios:
|
|
# - crowdsecurity/http-path-traversal-probing
|
|
# - crowdsecurity/http-xss-probing
|
|
# - crowdsecurity/http-generic-bf
|
|
# forwardedHeadersTrustedIPs:
|
|
# - 10.0.10.23/32
|
|
# - 10.0.20.0/24
|
|
# clientTrustedIPs:
|
|
# - 192.168.1.0/24
|
|
# forwardedHeadersCustomName: X-Custom-Header
|
|
# redisCacheEnabled: false
|
|
# redisCacheHost: "redis:6379"
|
|
# redisCachePassword: password
|
|
# redisCacheDatabase: "5"
|
|
# crowdsecLapiTLSCertificateAuthority: |-
|
|
# crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem
|
|
# crowdsecLapiTLSCertificateBouncer: |-
|
|
# crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem
|
|
# crowdsecLapiTLSCertificateBouncerKey: |-
|
|
# crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem
|
|
## Note: body of every request will be buffered in memory while the request is in-flight
|
|
## (i.e.: during the security check and during the request processing by traefik and the backend),
|
|
## so you may want to tune maxBodySize depending on how much RAM you have.
|
|
portalhook:
|
|
enabled: true
|
|
persistence:
|
|
plugins:
|
|
enabled: true
|
|
mountPath: "/plugins-storage"
|
|
type: emptyDir
|
|
crowdsec-bouncer-tls:
|
|
enabled: "{{ if .Values.middlewares.bouncer }}true{{ else }}false{{ end }}"
|
|
mountPath: "/etc/traefik/crowdsec-certs"
|
|
type: secret
|
|
expandObjectName: false
|
|
objectName: crowdsec-bouncer-tls
|
|
portal:
|
|
open:
|
|
enabled: true
|
|
path: /dashboard/
|