2024-03-16 11:26:31 +00:00
image :
repository : tccr.io/tccr/traefik
2024-03-17 06:44:18 +00:00
tag : v2.11.0@sha256:543615fc27b7fb2605cf799aa627b368f4d9fe5f1a87c6b7ff6879b075694c44
2024-03-16 11:26:31 +00:00
pullPolicy : IfNotPresent
manifestManager :
enabled : true
workload :
main :
replicas : 2
strategy : RollingUpdate
podSpec :
containers :
main :
args : [ ]
probes :
# -- Liveness probe configuration
# @default -- See below
liveness :
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type : tcp
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
# path: "/ping"
# -- Readiness probe configuration
# @default -- See below
readiness :
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type : tcp
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
# path: "/ping"
# -- Startup probe configuration
# @default -- See below
startup :
# -- sets the probe type when not using a custom probe
# @default -- "TCP"
type : tcp
# -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
# @default -- "/"
# path: "/ping"
# -- Options for all pods
# Can be overruled per pod
podOptions :
automountServiceAccountToken : true
operator :
register : true
# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass :
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
enabled : false
isDefaultClass : false
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
fallbackApiVersion : ""
# -- Create an IngressRoute for the dashboard
ingressRoute :
dashboard :
enabled : true
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations : {}
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels : {}
#
# -- Configure providers
providers :
kubernetesCRD :
enabled : true
namespaces : [ ]
# - "default"
kubernetesIngress :
enabled : true
# labelSelector: environment=production,method=traefik
namespaces : [ ]
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService :
enabled : true
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
# -- Logs
# https://docs.traefik.io/observability/logs/
logs :
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
general :
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level : ERROR
# -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format
format : common
access :
# To enable access logs
enabled : false
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
# This option represents the number of log lines Traefik will keep in memory before writing
# them to the selected output. In some cases, this option can greatly help performances.
# bufferingSize: 100
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
filters : {}
# statuscodes: "200,300-302"
# retryattempts: true
# minduration: 10ms
# Fields
# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
fields :
general :
defaultmode : keep
names : {}
# Examples:
# ClientUsername: drop
headers :
defaultmode : drop
names : {}
# Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
# -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format
format : common
metrics :
main :
enabled : true
type : servicemonitor
endpoints :
- port : metrics
path : /metrics
targetSelector : metrics
globalArguments :
- "--global.checknewversion"
configmap :
dashboard :
enabled : true
labels :
grafana_dashboard : "1"
data :
traefik.json : >-
{{ .Files.Get "dashboard.json" | indent 8 }}
##
# -- Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments :
- "--serverstransport.insecureskipverify=true"
- "--providers.kubernetesingress.allowexternalnameservices=true"
# -- Default clusterCertificate generated by clusterissuer
defaultCertificate : ""
# -- Add custom DNSStore objects
tlsStore : {}
# -- TLS Options to be created as TLSOption CRDs
# https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options
# Example:
tlsOptions :
default :
sniStrict : false
minVersion : VersionTLS12
curvePreferences :
- CurveP521
- CurveP384
2024-03-17 06:44:18 +00:00
- X25519
2024-03-16 11:26:31 +00:00
cipherSuites :
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-03-17 06:44:18 +00:00
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2024-03-16 11:26:31 +00:00
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2024-03-17 06:44:18 +00:00
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
2024-03-16 11:26:31 +00:00
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
# -- Options for the main traefik service, where the entrypoints traffic comes from
# from.
service :
main :
type : LoadBalancer
ports :
main :
port : 9000
targetPort : 9000
protocol : http
# -- Forwarded Headers should never be enabled on Main entrypoint
forwardedHeaders :
enabled : false
# -- Proxy Protocol should never be enabled on Main entrypoint
proxyProtocol :
enabled : false
tcp :
enabled : true
type : LoadBalancer
## In most cases, you want this changed to `Local`
externalTrafficPolicy : Cluster
ports :
web :
enabled : true
port : 80
protocol : http
redirectTo : websecure
# Options: Empty, 0 (ingore), or positive int
# redirectPort:
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
forwardedHeaders :
enabled : false
# -- List of trusted IP and CIDR references
trustedIPs : [ ]
# -- Trust all forwarded headers
insecureMode : false
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
proxyProtocol :
enabled : false
# -- Only IPs in trustedIPs will lead to remote client address replacement
trustedIPs : [ ]
# -- Trust every incoming connection
insecureMode : false
websecure :
enabled : true
port : 443
protocol : https
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
forwardedHeaders :
enabled : false
# -- List of trusted IP and CIDR references
trustedIPs : [ ]
# -- Trust all forwarded headers
insecureMode : false
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
proxyProtocol :
enabled : false
# -- Only IPs in trustedIPs will lead to remote client address replacement
trustedIPs : [ ]
# -- Trust every incoming connection
insecureMode : false
# tcpexample:
# enabled: true
# targetPort: 9443
# protocol: tcp
# tls:
# enabled: false
# # this is the name of a TLSOption definition
# options: ""
# certResolver: ""
# domains: []
# # - main: example.com
# # sans:
# # - foo.example.com
# # - bar.example.com
metrics :
enabled : true
type : ClusterIP
ports :
metrics :
enabled : true
port : 9180
targetPort : 9180
protocol : http
# -- Forwarded Headers should never be enabled on Metrics entrypoint
forwardedHeaders :
enabled : false
# -- Proxy Protocol should never be enabled on Metrics entrypoint
proxyProtocol :
enabled : false
# udp:
# enabled: false
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
rbac :
main :
enabled : true
primary : true
clusterWide : true
rules :
- apiGroups :
- ""
resources :
- services
- endpoints
- secrets
verbs :
- get
- list
- watch
- apiGroups :
- extensions
- networking.k8s.io
resources :
- ingresses
- ingressclasses
verbs :
- get
- list
- watch
- apiGroups :
- extensions
- networking.k8s.io
resources :
- ingresses/status
verbs :
- update
- apiGroups :
- traefik.containo.us
- traefik.io
resources :
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
verbs :
- get
- list
- watch
# -- The service account the pods will use to interact with the Kubernetes API
serviceAccount :
main :
enabled : true
primary : true
# -- SCALE Middleware Handlers
middlewares :
basicAuth : [ ]
# - name: basicauthexample
# users:
# - username: testuser
# password: testpassword
forwardAuth : [ ]
# - name: forwardAuthexample
# address: https://auth.example.com/
# authResponseHeaders:
# - X-Secret
# - X-Auth-User
# authRequestHeaders:
# - "Accept"
# - "X-CustomHeader"
# authResponseHeadersRegex: "^X-"
# trustForwardHeader: true
customRequestHeaders : [ ]
# - name: customRequestHeaderExample
# headers:
# - name: X-Custom-Header
# value: "foobar"
# - name: X-Header-To-Remove
# value: ""
customResponseHeaders : [ ]
# - name: customResponseHeaderExample
# headers:
# - name: X-Custom-Header
# value: "foobar"
# - name: X-Header-To-Remove
# value: ""
rewriteResponseHeaders : [ ]
# - name: rewriteResponseHeadersName
# headers:
# - name: "Location"
# regex: "^http://(.+)$"
# replacement: "https://$1"
# - name: "Date"
# regex: "^[^,]+,\\s*(.+)$"
# replacement: "$1"
customFrameOptionsValue : [ ]
# - name: customFrameOptionsValueExample
# value: "SAMEORIGIN"
buffering : [ ]
# - name: bufferingExample
# maxRequestBodyBytes: 1000000
# memRequestBodyBytes: 1000000
# maxResponseBodyBytes: 1000000
# memResponseBodyBytes: 1000000
# retryExpression: "IsNetworkError() && Attempts() < 2"
chain : [ ]
# - name: chainname
# middlewares:
# - name: compress
redirectScheme : [ ]
# - name: redirectSchemeName
# scheme: https
# permanent: true
rateLimit : [ ]
# - name: rateLimitName
# average: 300
# burst: 200
redirectRegex : [ ]
# - name: redirectRegexName
# regex: putregexhere
# replacement: replacementurlhere
# permanent: false
stripPrefixRegex : [ ]
# - name: stripPrefixRegexName
# regex: []
ipWhiteList : [ ]
# - name: ipWhiteListName
# sourceRange: []
# ipStrategy:
# depth: 2
# excludedIPs: []
themePark : [ ]
# - name: themeParkName
# -- Supported apps, lower case name
# -- https://docs.theme-park.dev/themes
# app: appnamehere
# -- Supported themes, lower case name
# -- https://docs.theme-park.dev/themes/APPNAMEHERE
# -- https://docs.theme-park.dev/community-themes
# theme: themenamehere
# -- https://theme-park.dev or a self hosted url
# baseUrl: https://theme-park.dev
# Sets X-Real-Ip with an IP from the X-Forwarded-For or
# Cf-Connecting-Ip (If from Cloudflare)
# Evaluation of those headers will go from last to first
realIP : [ ]
# - name: realIPName
# -- The real IP will be the first one that is
# -- not included in any of the CIDRs passed here
# excludedNetworks:
# - 1.1.1.1/24
addPrefix : [ ]
# - name: addPrefixName
# prefix: "/foo"
geoBlock : [ ]
# -- https://github.com/PascalMinder/geoblock
# - name: geoBlockName
# allowLocalRequests: true
# logLocalRequests: false
# logAllowedRequests: false
# logApiRequests: false
# api: https://get.geojs.io/v1/ip/country/{ip}
# apiTimeoutMs: 500
# cacheSize: 25
# forceMonthlyUpdate: true
# allowUnknownCountries: false
# unknownCountryApiResponse: nil
# blackListMode: false
# countries:
# - RU
modsecurity : [ ]
# - name: modsecurityName
# modSecurityUrl: modSecurity container URL
# timeoutMillis: Configurated timeout
# maxBodySize: maxBodySize
bouncer : [ ]
# - name: bouncer
# enabled: false
# logLevel: DEBUG
# updateIntervalSeconds: 60
# defaultDecisionSeconds: 60
# httpTimeoutSeconds: 10
# crowdsecMode: live
# crowdsecAppsecEnabled: false
# crowdsecAppsecHost: crowdsec:7422
# crowdsecAppsecFailureBlock: true
# crowdsecLapiKey: privateKey-foo
# crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
# crowdsecLapiHost: crowdsec:8080
# crowdsecLapiScheme: http
# crowdsecLapiTLSInsecureVerify: false
# crowdsecCapiMachineId: login
# crowdsecCapiPassword: password
# crowdsecCapiScenarios:
# - crowdsecurity/http-path-traversal-probing
# - crowdsecurity/http-xss-probing
# - crowdsecurity/http-generic-bf
# forwardedHeadersTrustedIPs:
# - 10.0.10.23/32
# - 10.0.20.0/24
# clientTrustedIPs:
# - 192.168.1.0/24
# forwardedHeadersCustomName: X-Custom-Header
# redisCacheEnabled: false
# redisCacheHost: "redis:6379"
# redisCachePassword: password
# redisCacheDatabase: "5"
# crowdsecLapiTLSCertificateAuthority: |-
# crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem
# crowdsecLapiTLSCertificateBouncer: |-
# crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem
# crowdsecLapiTLSCertificateBouncerKey: |-
# crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem
## Note: body of every request will be buffered in memory while the request is in-flight
## (i.e.: during the security check and during the request processing by traefik and the backend),
## so you may want to tune maxBodySize depending on how much RAM you have.
portalhook :
enabled : true
persistence :
plugins :
enabled : true
mountPath : "/plugins-storage"
type : emptyDir
crowdsec-bouncer-tls :
enabled : "{{ if .Values.middlewares.bouncer }}true{{ else }}false{{ end }}"
mountPath : "/etc/traefik/crowdsec-certs"
type : secret
expandObjectName : false
objectName : crowdsec-bouncer-tls
portal :
open :
enabled : true
path : /dashboard/