image: repository: tccr.io/tccr/traefik tag: v3.1.3@sha256:9b8459d30ddadb4061bf9f1b378679b509542ae685d3744f5f64c69e3bc2024b pullPolicy: IfNotPresent workload: main: replicas: 2 strategy: RollingUpdate podSpec: containers: main: args: [] probes: # -- Liveness probe configuration # @default -- See below liveness: # -- sets the probe type when not using a custom probe # @default -- "TCP" type: tcp # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # @default -- "/" # path: "/ping" # -- Readiness probe configuration # @default -- See below readiness: # -- sets the probe type when not using a custom probe # @default -- "TCP" type: tcp # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # @default -- "/" # path: "/ping" # -- Startup probe configuration # @default -- See below startup: # -- sets the probe type when not using a custom probe # @default -- "TCP" type: tcp # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # @default -- "/" # path: "/ping" # -- Options for all pods # Can be overruled per pod podOptions: automountServiceAccountToken: true operator: register: true # -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ingressClass: # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 enabled: false isDefaultClass: false # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" fallbackApiVersion: "" # -- Create an IngressRoute for the dashboard ingressRoute: dashboard: enabled: true # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) annotations: {} # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) labels: {} # # -- Configure providers providers: kubernetesCRD: enabled: true namespaces: [] # - "default" kubernetesIngress: enabled: true # labelSelector: environment=production,method=traefik namespaces: [] # - "default" # IP used for Kubernetes Ingress endpoints publishedService: enabled: true # Published Kubernetes Service to copy status from. Format: namespace/servicename # By default this Traefik service # pathOverride: "" # -- Logs # https://docs.traefik.io/observability/logs/ logs: # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). general: # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. level: ERROR # -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format format: common access: # To enable access logs enabled: false # To write the logs in an asynchronous fashion, specify a bufferingSize option. # This option represents the number of log lines Traefik will keep in memory before writing # them to the selected output. In some cases, this option can greatly help performances. # bufferingSize: 100 # Filtering https://docs.traefik.io/observability/access-logs/#filtering filters: {} # statuscodes: "200,300-302" # retryattempts: true # minduration: 10ms # Fields # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers fields: general: defaultmode: keep names: {} # Examples: # ClientUsername: drop headers: defaultmode: drop names: {} # Examples: # User-Agent: redact # Authorization: drop # Content-Type: keep # -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format format: common metrics: main: enabled: true type: servicemonitor endpoints: - port: metrics path: /metrics targetSelector: metrics globalArguments: - "--global.checknewversion" configmap: dashboard: enabled: true labels: grafana_dashboard: "1" data: traefik.json: >- {{ .Files.Get "dashboard.json" | indent 8 }} ## # -- Additional arguments to be passed at Traefik's binary # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` additionalArguments: - "--serverstransport.insecureskipverify=true" - "--providers.kubernetesingress.allowexternalnameservices=true" # -- Default clusterCertificate generated by clusterissuer defaultCertificate: "" # -- Add custom DNSStore objects tlsStore: {} # -- TLS Options to be created as TLSOption CRDs # https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options # Example: tlsOptions: default: sniStrict: false minVersion: VersionTLS12 curvePreferences: - CurveP521 - CurveP384 - X25519 cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 # -- Options for the main traefik service, where the entrypoints traffic comes from # from. service: main: type: LoadBalancer ports: main: port: 9000 targetPort: 9000 protocol: http # -- Forwarded Headers should never be enabled on Main entrypoint forwardedHeaders: enabled: false # -- Proxy Protocol should never be enabled on Main entrypoint proxyProtocol: enabled: false tcp: enabled: true type: LoadBalancer ## In most cases, you want this changed to `Local` externalTrafficPolicy: Cluster ports: web: enabled: true port: 80 protocol: http redirectTo: websecure # Options: Empty, 0 (ingore), or positive int # redirectPort: # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support forwardedHeaders: enabled: false # -- List of trusted IP and CIDR references trustedIPs: [] # -- Trust all forwarded headers insecureMode: false # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support proxyProtocol: enabled: false # -- Only IPs in trustedIPs will lead to remote client address replacement trustedIPs: [] # -- Trust every incoming connection insecureMode: false websecure: enabled: true port: 443 protocol: https # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support forwardedHeaders: enabled: false # -- List of trusted IP and CIDR references trustedIPs: [] # -- Trust all forwarded headers insecureMode: false # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support proxyProtocol: enabled: false # -- Only IPs in trustedIPs will lead to remote client address replacement trustedIPs: [] # -- Trust every incoming connection insecureMode: false # tcpexample: # enabled: true # targetPort: 9443 # protocol: tcp # tls: # enabled: false # # this is the name of a TLSOption definition # options: "" # certResolver: "" # domains: [] # # - main: example.com # # sans: # # - foo.example.com # # - bar.example.com metrics: enabled: true type: ClusterIP ports: metrics: enabled: true port: 9180 targetPort: 9180 protocol: http # -- Forwarded Headers should never be enabled on Metrics entrypoint forwardedHeaders: enabled: false # -- Proxy Protocol should never be enabled on Metrics entrypoint proxyProtocol: enabled: false # udp: # enabled: false # -- Whether Role Based Access Control objects like roles and rolebindings should be created rbac: main: enabled: true primary: true clusterWide: true rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses - ingressclasses verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses/status verbs: - update - apiGroups: - traefik.containo.us - traefik.io resources: - middlewares - middlewaretcps - ingressroutes - traefikservices - ingressroutetcps - ingressrouteudps - tlsoptions - tlsstores - serverstransports - serverstransporttcps verbs: - get - list - watch - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - list - watch # -- The service account the pods will use to interact with the Kubernetes API serviceAccount: main: enabled: true primary: true # -- SCALE Middleware Handlers middlewares: basicAuth: [] # - name: basicauthexample # users: # - username: testuser # password: testpassword forwardAuth: [] # - name: forwardAuthexample # address: https://auth.example.com/ # authResponseHeaders: # - X-Secret # - X-Auth-User # authRequestHeaders: # - "Accept" # - "X-CustomHeader" # authResponseHeadersRegex: "^X-" # trustForwardHeader: true customRequestHeaders: [] # - name: customRequestHeaderExample # headers: # - name: X-Custom-Header # value: "foobar" # - name: X-Header-To-Remove # value: "" customResponseHeaders: [] # - name: customResponseHeaderExample # headers: # - name: X-Custom-Header # value: "foobar" # - name: X-Header-To-Remove # value: "" rewriteResponseHeaders: [] # - name: rewriteResponseHeadersName # headers: # - name: "Location" # regex: "^http://(.+)$" # replacement: "https://$1" # - name: "Date" # regex: "^[^,]+,\\s*(.+)$" # replacement: "$1" customFrameOptionsValue: [] # - name: customFrameOptionsValueExample # value: "SAMEORIGIN" buffering: [] # - name: bufferingExample # maxRequestBodyBytes: 1000000 # memRequestBodyBytes: 1000000 # maxResponseBodyBytes: 1000000 # memResponseBodyBytes: 1000000 # retryExpression: "IsNetworkError() && Attempts() < 2" chain: [] # - name: chainname # middlewares: # - name: compress redirectScheme: [] # - name: redirectSchemeName # scheme: https # permanent: true rateLimit: [] # - name: rateLimitName # average: 300 # burst: 200 redirectRegex: [] # - name: redirectRegexName # regex: putregexhere # replacement: replacementurlhere # permanent: false stripPrefixRegex: [] # - name: stripPrefixRegexName # regex: [] ipWhiteList: [] # - name: ipWhiteListName # sourceRange: [] # ipStrategy: # depth: 2 # excludedIPs: [] themePark: [] # - name: themeParkName # -- Supported apps, lower case name # -- https://docs.theme-park.dev/themes # app: appnamehere # -- Supported themes, lower case name # -- https://docs.theme-park.dev/themes/APPNAMEHERE # -- https://docs.theme-park.dev/community-themes # theme: themenamehere # -- https://theme-park.dev or a self hosted url # baseUrl: https://theme-park.dev # Sets X-Real-Ip with an IP from the X-Forwarded-For or # Cf-Connecting-Ip (If from Cloudflare) # Evaluation of those headers will go from last to first realIP: [] # - name: realIPName # -- The real IP will be the first one that is # -- not included in any of the CIDRs passed here # excludedNetworks: # - 1.1.1.1/24 addPrefix: [] # - name: addPrefixName # prefix: "/foo" geoBlock: [] # -- https://github.com/PascalMinder/geoblock # - name: geoBlockName # allowLocalRequests: true # logLocalRequests: false # logAllowedRequests: false # logApiRequests: false # api: https://get.geojs.io/v1/ip/country/{ip} # apiTimeoutMs: 500 # cacheSize: 25 # forceMonthlyUpdate: true # allowUnknownCountries: false # unknownCountryApiResponse: nil # blackListMode: false # countries: # - RU modsecurity: [] # - name: modsecurityName # modSecurityUrl: modSecurity container URL # timeoutMillis: Configurated timeout # maxBodySize: maxBodySize bouncer: [] # - name: bouncer # enabled: false # logLevel: DEBUG # updateIntervalSeconds: 60 # defaultDecisionSeconds: 60 # httpTimeoutSeconds: 10 # crowdsecMode: live # crowdsecAppsecEnabled: false # crowdsecAppsecHost: crowdsec:7422 # crowdsecAppsecFailureBlock: true # crowdsecLapiKey: privateKey-foo # crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo # crowdsecLapiHost: crowdsec:8080 # crowdsecLapiScheme: http # crowdsecLapiTLSInsecureVerify: false # crowdsecCapiMachineId: login # crowdsecCapiPassword: password # crowdsecCapiScenarios: # - crowdsecurity/http-path-traversal-probing # - crowdsecurity/http-xss-probing # - crowdsecurity/http-generic-bf # forwardedHeadersTrustedIPs: # - 10.0.10.23/32 # - 10.0.20.0/24 # clientTrustedIPs: # - 192.168.1.0/24 # forwardedHeadersCustomName: X-Custom-Header # redisCacheEnabled: false # redisCacheHost: "redis:6379" # redisCachePassword: password # redisCacheDatabase: "5" # crowdsecLapiTLSCertificateAuthority: |- # crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem # crowdsecLapiTLSCertificateBouncer: |- # crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem # crowdsecLapiTLSCertificateBouncerKey: |- # crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem ## Note: body of every request will be buffered in memory while the request is in-flight ## (i.e.: during the security check and during the request processing by traefik and the backend), ## so you may want to tune maxBodySize depending on how much RAM you have. portalhook: enabled: true persistence: plugins: enabled: true mountPath: "/plugins-storage" type: emptyDir crowdsec-bouncer-tls: enabled: "{{ if .Values.middlewares.bouncer }}true{{ else }}false{{ end }}" mountPath: "/etc/traefik/crowdsec-certs" type: secret expandObjectName: false objectName: crowdsec-bouncer-tls portal: open: enabled: true path: /dashboard/ ingress: main: integrations: homepage: href: https://{{ ( index .Values.ingress.main.hosts 0 ).host }}/dashboard/