image: repository: tccr.io/truecharts/traefik # defaults to appVersion tag: 2.9.5@sha256:bafc97337a166a41f45444071f38706b2248eed6a6cb9953134221c2fb842646 pullPolicy: IfNotPresent # -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ingressClass: # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 enabled: false isDefaultClass: false # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" fallbackApiVersion: "" # -- Create an IngressRoute for the dashboard ingressRoute: dashboard: enabled: true # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) annotations: {} # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) labels: {} podAnnotations: prometheus.io/scrape: "true" prometheus.io/path: "/metrics" prometheus.io/port: "9180" # # -- Configure providers providers: kubernetesCRD: enabled: true namespaces: [] # - "default" kubernetesIngress: enabled: true # labelSelector: environment=production,method=traefik namespaces: [] # - "default" # IP used for Kubernetes Ingress endpoints publishedService: enabled: true # Published Kubernetes Service to copy status from. Format: namespace/servicename # By default this Traefik service # pathOverride: "" # -- Logs # https://docs.traefik.io/observability/logs/ logs: # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). general: # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. level: ERROR # -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format format: common access: # To enable access logs enabled: false # To write the logs in an asynchronous fashion, specify a bufferingSize option. # This option represents the number of log lines Traefik will keep in memory before writing # them to the selected output. In some cases, this option can greatly help performances. # bufferingSize: 100 # Filtering https://docs.traefik.io/observability/access-logs/#filtering filters: {} # statuscodes: "200,300-302" # retryattempts: true # minduration: 10ms # Fields # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers fields: general: defaultmode: keep names: {} # Examples: # ClientUsername: drop headers: defaultmode: drop names: {} # Examples: # User-Agent: redact # Authorization: drop # Content-Type: keep # -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format format: common metrics: # datadog: # address: 127.0.0.1:8125 # influxdb: # address: localhost:8089 # protocol: udp prometheus: entryPoint: metrics # statsd: # address: localhost:8125 globalArguments: - "--global.checknewversion" ## # -- Additional arguments to be passed at Traefik's binary # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` additionalArguments: - "--metrics.prometheus" - "--ping" - "--serverstransport.insecureskipverify=true" - "--providers.kubernetesingress.allowexternalnameservices=true" # -- TLS Options to be created as TLSOption CRDs # https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options # Example: tlsOptions: default: sniStrict: false minVersion: VersionTLS12 curvePreferences: - CurveP521 - CurveP384 cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 # -- Options for the main traefik service, where the entrypoints traffic comes from # from. service: main: type: LoadBalancer ports: main: port: 9000 targetPort: 9000 protocol: HTTP # -- Forwarded Headers should never be enabled on Main entrypoint forwardedHeaders: enabled: false # -- Proxy Protocol should never be enabled on Main entrypoint proxyProtocol: enabled: false tcp: enabled: true type: LoadBalancer ports: web: enabled: true port: 9080 protocol: HTTP redirectTo: websecure # Options: Empty, 0 (ingore), or positive int # redirectPort: # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support forwardedHeaders: enabled: false # -- List of trusted IP and CIDR references trustedIPs: [] # -- Trust all forwarded headers insecureMode: false # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support proxyProtocol: enabled: false # -- Only IPs in trustedIPs will lead to remote client address replacement trustedIPs: [] # -- Trust every incoming connection insecureMode: false websecure: enabled: true port: 9443 protocol: HTTPS # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support forwardedHeaders: enabled: false # -- List of trusted IP and CIDR references trustedIPs: [] # -- Trust all forwarded headers insecureMode: false # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support proxyProtocol: enabled: false # -- Only IPs in trustedIPs will lead to remote client address replacement trustedIPs: [] # -- Trust every incoming connection insecureMode: false # tcpexample: # enabled: true # targetPort: 9443 # protocol: TCP # tls: # enabled: false # # this is the name of a TLSOption definition # options: "" # certResolver: "" # domains: [] # # - main: example.com # # sans: # # - foo.example.com # # - bar.example.com metrics: enabled: true type: ClusterIP ports: metrics: enabled: true port: 9180 targetPort: 9180 protocol: HTTP # -- Forwarded Headers should never be enabled on Metrics entrypoint forwardedHeaders: enabled: false # -- Proxy Protocol should never be enabled on Metrics entrypoint proxyProtocol: enabled: false udp: enabled: false # probes: # # -- Liveness probe configuration # # @default -- See below # liveness: # # -- sets the probe type when not using a custom probe # # @default -- "TCP" # type: HTTP # # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # # @default -- "/" # path: "/ping" # # -- Redainess probe configuration # # @default -- See below # readiness: # # -- sets the probe type when not using a custom probe # # @default -- "TCP" # type: HTTP # # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # # @default -- "/" # path: "/ping" # # -- Startup probe configuration # # @default -- See below # startup: # # -- sets the probe type when not using a custom probe # # @default -- "TCP" # type: HTTP # # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used # # @default -- "/" # path: "/ping" # -- Whether Role Based Access Control objects like roles and rolebindings should be created rbac: main: enabled: true rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses - ingressclasses verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses/status verbs: - update - apiGroups: - traefik.containo.us resources: - ingressroutes - ingressroutetcps - ingressrouteudps - middlewares - middlewaretcps - tlsoptions - tlsstores - traefikservices - serverstransports verbs: - get - list - watch # -- The service account the pods will use to interact with the Kubernetes API serviceAccount: main: enabled: true # -- SCALE Middleware Handlers middlewares: basicAuth: [] # - name: basicauthexample # users: # - username: testuser # password: testpassword forwardAuth: [] # - name: forwardAuthexample # address: https://auth.example.com/ # authResponseHeaders: # - X-Secret # - X-Auth-User # authRequestHeaders: # - "Accept" # - "X-CustomHeader" # authResponseHeadersRegex: "^X-" # trustForwardHeader: true chain: [] # - name: chainname # middlewares: # - name: compress redirectScheme: [] # - name: redirectSchemeName # scheme: https # permanent: true rateLimit: [] # - name: rateLimitName # average: 300 # burst: 200 redirectRegex: [] # - name: redirectRegexName # regex: putregexhere # replacement: replacementurlhere # permanent: false stripPrefixRegex: [] # - name: stripPrefixRegexName # regex: [] ipWhiteList: [] # - name: ipWhiteListName # sourceRange: [] # ipStrategy: # depth: 2 # excludedIPs: [] themeParkVersion: v1.2.2 themePark: [] # - name: themeParkName # -- Supported apps, lower case name # -- https://docs.theme-park.dev/themes # app: appnamehere # -- Supported themes, lower case name # -- https://docs.theme-park.dev/themes/APPNAMEHERE # -- https://docs.theme-park.dev/community-themes # theme: themenamehere # -- https://theme-park.dev or a self hosted url # baseUrl: https://theme-park.dev realIPVersion: v1.0.3 # Sets X-Real-Ip with an IP from the X-Forwarded-For or # Cf-Connecting-Ip (If from Cloudflare) # Evaluation of those headers will go from last to first realIP: [] # - name: realIPName # -- The real IP will be the first one that is # -- not included in any of the CIDRs passed here # excludedNetworks: # - 1.1.1.1/24 addPrefix: [] # - name: addPrefixName # prefix: "/foo" geoBlockVersion: v0.2.3 geoBlock: [] # -- https://github.com/PascalMinder/geoblock # - name: geoBlockName # allowLocalRequests: true # logLocalRequests: false # logAllowedRequests: false # logApiRequests: false # api: https://get.geojs.io/v1/ip/country/{ip} # apiTimeoutMs: 500 # cacheSize: 25 # forceMonthlyUpdate: true # allowUnknownCountries: false # unknownCountryApiResponse: nil # countries: # - RU portalhook: enabled: true persistence: plugins: enabled: true mountPath: "/plugins-storage" type: emptyDir portal: enabled: true