407 lines
12 KiB
YAML
407 lines
12 KiB
YAML
image:
|
|
repository: tccr.io/truecharts/traefik
|
|
# defaults to appVersion
|
|
tag: 2.9.4@sha256:7c5f07ef67ec092b66dd8bdb56279ed876965553ee5ec59b5aa7456def5ed1f3
|
|
pullPolicy: IfNotPresent
|
|
|
|
# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
|
|
ingressClass:
|
|
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
|
|
enabled: false
|
|
isDefaultClass: false
|
|
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
|
|
fallbackApiVersion: ""
|
|
|
|
# -- Create an IngressRoute for the dashboard
|
|
ingressRoute:
|
|
dashboard:
|
|
enabled: true
|
|
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
|
|
annotations: {}
|
|
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
|
|
labels: {}
|
|
|
|
podAnnotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/path: "/metrics"
|
|
prometheus.io/port: "9180"
|
|
|
|
#
|
|
# -- Configure providers
|
|
providers:
|
|
kubernetesCRD:
|
|
enabled: true
|
|
namespaces:
|
|
[]
|
|
# - "default"
|
|
kubernetesIngress:
|
|
enabled: true
|
|
# labelSelector: environment=production,method=traefik
|
|
namespaces:
|
|
[]
|
|
# - "default"
|
|
# IP used for Kubernetes Ingress endpoints
|
|
publishedService:
|
|
enabled: true
|
|
# Published Kubernetes Service to copy status from. Format: namespace/servicename
|
|
# By default this Traefik service
|
|
# pathOverride: ""
|
|
|
|
# -- Logs
|
|
# https://docs.traefik.io/observability/logs/
|
|
logs:
|
|
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
|
|
general:
|
|
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
|
|
level: ERROR
|
|
# -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format
|
|
format: common
|
|
access:
|
|
# To enable access logs
|
|
enabled: false
|
|
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
|
|
# This option represents the number of log lines Traefik will keep in memory before writing
|
|
# them to the selected output. In some cases, this option can greatly help performances.
|
|
# bufferingSize: 100
|
|
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
|
|
filters:
|
|
{}
|
|
# statuscodes: "200,300-302"
|
|
# retryattempts: true
|
|
# minduration: 10ms
|
|
# Fields
|
|
# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
|
|
fields:
|
|
general:
|
|
defaultmode: keep
|
|
names:
|
|
{}
|
|
# Examples:
|
|
# ClientUsername: drop
|
|
headers:
|
|
defaultmode: drop
|
|
names:
|
|
{}
|
|
# Examples:
|
|
# User-Agent: redact
|
|
# Authorization: drop
|
|
# Content-Type: keep
|
|
# -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format
|
|
format: common
|
|
|
|
metrics:
|
|
# datadog:
|
|
# address: 127.0.0.1:8125
|
|
# influxdb:
|
|
# address: localhost:8089
|
|
# protocol: udp
|
|
prometheus:
|
|
entryPoint: metrics
|
|
# statsd:
|
|
# address: localhost:8125
|
|
|
|
globalArguments:
|
|
- "--global.checknewversion"
|
|
|
|
##
|
|
# -- Additional arguments to be passed at Traefik's binary
|
|
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
|
|
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
|
|
additionalArguments:
|
|
- "--metrics.prometheus"
|
|
- "--ping"
|
|
- "--serverstransport.insecureskipverify=true"
|
|
- "--providers.kubernetesingress.allowexternalnameservices=true"
|
|
|
|
# -- TLS Options to be created as TLSOption CRDs
|
|
# https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options
|
|
# Example:
|
|
tlsOptions:
|
|
default:
|
|
sniStrict: false
|
|
minVersion: VersionTLS12
|
|
curvePreferences:
|
|
- CurveP521
|
|
- CurveP384
|
|
cipherSuites:
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
- TLS_AES_128_GCM_SHA256
|
|
- TLS_AES_256_GCM_SHA384
|
|
- TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
# -- Options for the main traefik service, where the entrypoints traffic comes from
|
|
# from.
|
|
service:
|
|
main:
|
|
type: LoadBalancer
|
|
ports:
|
|
main:
|
|
port: 9000
|
|
targetPort: 9000
|
|
protocol: HTTP
|
|
# -- Forwarded Headers should never be enabled on Main entrypoint
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- Proxy Protocol should never be enabled on Main entrypoint
|
|
proxyProtocol:
|
|
enabled: false
|
|
tcp:
|
|
enabled: true
|
|
type: LoadBalancer
|
|
ports:
|
|
web:
|
|
enabled: true
|
|
port: 9080
|
|
protocol: HTTP
|
|
redirectTo: websecure
|
|
# Options: Empty, 0 (ingore), or positive int
|
|
# redirectPort:
|
|
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- List of trusted IP and CIDR references
|
|
trustedIPs: []
|
|
# -- Trust all forwarded headers
|
|
insecureMode: false
|
|
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
|
|
proxyProtocol:
|
|
enabled: false
|
|
# -- Only IPs in trustedIPs will lead to remote client address replacement
|
|
trustedIPs: []
|
|
# -- Trust every incoming connection
|
|
insecureMode: false
|
|
websecure:
|
|
enabled: true
|
|
port: 9443
|
|
protocol: HTTPS
|
|
# -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- List of trusted IP and CIDR references
|
|
trustedIPs: []
|
|
# -- Trust all forwarded headers
|
|
insecureMode: false
|
|
# -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
|
|
proxyProtocol:
|
|
enabled: false
|
|
# -- Only IPs in trustedIPs will lead to remote client address replacement
|
|
trustedIPs: []
|
|
# -- Trust every incoming connection
|
|
insecureMode: false
|
|
# tcpexample:
|
|
# enabled: true
|
|
# targetPort: 9443
|
|
# protocol: TCP
|
|
# tls:
|
|
# enabled: false
|
|
# # this is the name of a TLSOption definition
|
|
# options: ""
|
|
# certResolver: ""
|
|
# domains: []
|
|
# # - main: example.com
|
|
# # sans:
|
|
# # - foo.example.com
|
|
# # - bar.example.com
|
|
metrics:
|
|
enabled: true
|
|
type: ClusterIP
|
|
ports:
|
|
metrics:
|
|
enabled: true
|
|
port: 9180
|
|
targetPort: 9180
|
|
protocol: HTTP
|
|
# -- Forwarded Headers should never be enabled on Metrics entrypoint
|
|
forwardedHeaders:
|
|
enabled: false
|
|
# -- Proxy Protocol should never be enabled on Metrics entrypoint
|
|
proxyProtocol:
|
|
enabled: false
|
|
udp:
|
|
enabled: false
|
|
|
|
# probes:
|
|
# # -- Liveness probe configuration
|
|
# # @default -- See below
|
|
# liveness:
|
|
# # -- sets the probe type when not using a custom probe
|
|
# # @default -- "TCP"
|
|
# type: HTTP
|
|
# # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# # @default -- "/"
|
|
# path: "/ping"
|
|
|
|
# # -- Redainess probe configuration
|
|
# # @default -- See below
|
|
# readiness:
|
|
# # -- sets the probe type when not using a custom probe
|
|
# # @default -- "TCP"
|
|
# type: HTTP
|
|
# # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# # @default -- "/"
|
|
# path: "/ping"
|
|
|
|
# # -- Startup probe configuration
|
|
# # @default -- See below
|
|
# startup:
|
|
# # -- sets the probe type when not using a custom probe
|
|
# # @default -- "TCP"
|
|
# type: HTTP
|
|
# # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
|
|
# # @default -- "/"
|
|
# path: "/ping"
|
|
|
|
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
|
|
rbac:
|
|
main:
|
|
enabled: true
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- endpoints
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
- ingressclasses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- update
|
|
- apiGroups:
|
|
- traefik.containo.us
|
|
resources:
|
|
- ingressroutes
|
|
- ingressroutetcps
|
|
- ingressrouteudps
|
|
- middlewares
|
|
- middlewaretcps
|
|
- tlsoptions
|
|
- tlsstores
|
|
- traefikservices
|
|
- serverstransports
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
|
|
# -- The service account the pods will use to interact with the Kubernetes API
|
|
serviceAccount:
|
|
main:
|
|
enabled: true
|
|
|
|
# -- SCALE Middleware Handlers
|
|
middlewares:
|
|
basicAuth: []
|
|
# - name: basicauthexample
|
|
# users:
|
|
# - username: testuser
|
|
# password: testpassword
|
|
forwardAuth: []
|
|
# - name: forwardAuthexample
|
|
# address: https://auth.example.com/
|
|
# authResponseHeaders:
|
|
# - X-Secret
|
|
# - X-Auth-User
|
|
# authRequestHeaders:
|
|
# - "Accept"
|
|
# - "X-CustomHeader"
|
|
# authResponseHeadersRegex: "^X-"
|
|
# trustForwardHeader: true
|
|
chain: []
|
|
# - name: chainname
|
|
# middlewares:
|
|
# - name: compress
|
|
redirectScheme: []
|
|
# - name: redirectSchemeName
|
|
# scheme: https
|
|
# permanent: true
|
|
rateLimit: []
|
|
# - name: rateLimitName
|
|
# average: 300
|
|
# burst: 200
|
|
redirectRegex: []
|
|
# - name: redirectRegexName
|
|
# regex: putregexhere
|
|
# replacement: replacementurlhere
|
|
# permanent: false
|
|
stripPrefixRegex: []
|
|
# - name: stripPrefixRegexName
|
|
# regex: []
|
|
ipWhiteList: []
|
|
# - name: ipWhiteListName
|
|
# sourceRange: []
|
|
# ipStrategy:
|
|
# depth: 2
|
|
# excludedIPs: []
|
|
themeParkVersion: v1.2.2
|
|
themePark: []
|
|
# - name: themeParkName
|
|
# -- Supported apps, lower case name
|
|
# -- https://docs.theme-park.dev/themes
|
|
# app: appnamehere
|
|
# -- Supported themes, lower case name
|
|
# -- https://docs.theme-park.dev/themes/APPNAMEHERE
|
|
# -- https://docs.theme-park.dev/community-themes
|
|
# theme: themenamehere
|
|
# -- https://theme-park.dev or a self hosted url
|
|
# baseUrl: https://theme-park.dev
|
|
realIPVersion: v1.0.3
|
|
# Sets X-Real-Ip with an IP from the X-Forwarded-For or
|
|
# Cf-Connecting-Ip (If from Cloudflare)
|
|
# Evaluation of those headers will go from last to first
|
|
realIP: []
|
|
# - name: realIPName
|
|
# -- The real IP will be the first one that is
|
|
# -- not included in any of the CIDRs passed here
|
|
# excludedNetworks:
|
|
# - 1.1.1.1/24
|
|
addPrefix: []
|
|
# - name: addPrefixName
|
|
# prefix: "/foo"
|
|
geoBlockVersion: v0.2.3
|
|
geoBlock: []
|
|
# -- https://github.com/PascalMinder/geoblock
|
|
# - name: geoBlockName
|
|
# allowLocalRequests: true
|
|
# logLocalRequests: false
|
|
# logAllowedRequests: false
|
|
# logApiRequests: false
|
|
# api: https://get.geojs.io/v1/ip/country/{ip}
|
|
# apiTimeoutMs: 500
|
|
# cacheSize: 25
|
|
# forceMonthlyUpdate: true
|
|
# allowUnknownCountries: false
|
|
# unknownCountryApiResponse: nil
|
|
# countries:
|
|
# - RU
|
|
|
|
portalhook:
|
|
enabled: true
|
|
|
|
persistence:
|
|
plugins:
|
|
enabled: true
|
|
mountPath: "/plugins-storage"
|
|
type: emptyDir
|
|
|
|
portal:
|
|
enabled: true
|