flux/traefik/configmap-traefik-helm-char...

535 lines
18 KiB
YAML
Raw Normal View History

2022-08-30 14:38:09 -04:00
apiVersion: v1
kind: ConfigMap
metadata:
creationTimestamp: null
name: traefik-helm-chart-value-overrides
namespace: traefik
data:
values.yaml: |-
2022-08-30 15:01:00 -04:00
# Default values for Traefik
image:
2022-08-31 11:56:57 -04:00
name: traefik
2022-08-30 15:01:00 -04:00
# defaults to appVersion
tag: ""
pullPolicy: IfNotPresent
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
#
# Configure the deployment
#
2022-08-30 14:38:09 -04:00
deployment:
enabled: true
2022-08-30 15:01:00 -04:00
# Can be either Deployment or DaemonSet
kind: Deployment
# Number of pods of the deployment (only applies when kind == Deployment)
2022-08-30 14:38:09 -04:00
replicas: 3
2022-08-31 12:06:41 -04:00
# Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
# revisionHistoryLimit: 1
# Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
2022-08-30 15:01:00 -04:00
terminationGracePeriodSeconds: 60
# The minimum number of seconds Traefik needs to be up and running before the DaemonSet/ Deployment controller considers it available
minReadySeconds: 0
# Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
2022-08-30 14:38:09 -04:00
annotations: {}
2022-08-30 15:01:00 -04:00
# Additional deployment labels (e.g. for filtering deployment by custom labels)
labels: {}
# Additional pod annotations (e.g. for mesh injection or prometheus scraping)
2022-08-30 14:38:09 -04:00
podAnnotations: {}
2022-08-30 15:01:00 -04:00
# Additional Pod labels (e.g. for filtering Pod by custom labels)
podLabels: {}
# Additional containers (e.g. for metric offloading sidecars)
2022-08-30 14:38:09 -04:00
additionalContainers: []
2022-08-30 15:01:00 -04:00
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
# - name: socat-proxy
# image: alpine/socat:1.0.5
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
# volumeMounts:
# - name: dsdsocket
# mountPath: /socket
# Additional volumes available for use with initContainers and additionalContainers
additionalVolumes: []
# - name: dsdsocket
# hostPath:
# path: /var/run/statsd-exporter
# Additional initContainers (e.g. for setting file permission as shown below)
2022-08-30 14:38:09 -04:00
initContainers: []
2022-08-31 12:06:41 -04:00
# The "volume-permissions" init container is required if you run into permission issues.
2022-08-30 15:01:00 -04:00
# Related issue: https://github.com/traefik/traefik/issues/6972
# - name: volume-permissions
# image: busybox:1.31.1
# command: ["sh", "-c", "chmod -Rv 600 /data/*"]
# volumeMounts:
# - name: data
# mountPath: /data
2022-08-31 12:06:41 -04:00
# Use process namespace sharing
shareProcessNamespace: false
2022-08-30 15:01:00 -04:00
# Custom pod DNS policy. Apply if `hostNetwork: true`
# dnsPolicy: ClusterFirstWithHostNet
# Additional imagePullSecrets
imagePullSecrets: []
# - name: myRegistryKeySecretName
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
# Pod disruption budget
podDisruptionBudget:
enabled: false
# maxUnavailable: 1
# maxUnavailable: 33%
# minAvailable: 0
# minAvailable: 25%
# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
enabled: false
isDefaultClass: false
2022-08-31 12:06:41 -04:00
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
2022-08-30 15:01:00 -04:00
fallbackApiVersion: ""
# Activate Pilot integration
pilot:
enabled: false
token: ""
# Toggle Pilot Dashboard
# dashboard: false
# Enable experimental features
experimental:
2022-08-31 12:06:41 -04:00
http3:
enabled: false
2022-08-30 15:01:00 -04:00
plugins:
enabled: false
kubernetesGateway:
enabled: false
2022-08-31 12:06:41 -04:00
# certificate:
# group: "core"
2022-08-30 15:01:00 -04:00
# kind: "Secret"
# name: "mysecret"
# By default, Gateway would be created to the Namespace you are deploying Traefik to.
# You may create that Gateway in another namespace, setting its name below:
# namespace: default
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
# Create an IngressRoute for the dashboard
2022-08-30 14:38:09 -04:00
ingressRoute:
dashboard:
2022-08-31 14:00:41 -04:00
enabled: disable
2022-08-30 15:01:00 -04:00
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
rollingUpdate:
maxUnavailable: 1
maxSurge: 1
2022-08-31 12:06:41 -04:00
# Customize liveness and readiness probe values.
readinessProbe:
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
#
# Configure providers
#
2022-08-30 14:38:09 -04:00
providers:
kubernetesCRD:
enabled: true
2022-08-31 12:06:41 -04:00
allowCrossNamespace: false
allowExternalNameServices: false
allowEmptyServices: false
2022-08-30 15:01:00 -04:00
ingressClass: traefik-internal
# labelSelector: environment=production,method=traefik
2022-08-31 12:06:41 -04:00
namespaces: []
# - "default"
2022-08-30 15:01:00 -04:00
2022-08-30 14:38:09 -04:00
kubernetesIngress:
enabled: true
2022-08-30 15:01:00 -04:00
allowExternalNameServices: false
2022-08-31 12:06:41 -04:00
allowEmptyServices: false
# ingressClass: traefik-internal
2022-08-30 15:01:00 -04:00
# labelSelector: environment=production,method=traefik
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
2022-08-30 14:38:09 -04:00
publishedService:
enabled: false
2022-08-30 15:01:00 -04:00
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
#
# Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"
2022-08-31 12:06:41 -04:00
volumes: []
2022-08-30 15:01:00 -04:00
# - name: public-cert
# mountPath: "/certs"
# type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
# mountPath: "/config"
# type: configMap
# Additional volumeMounts to add to the Traefik container
2022-08-31 12:06:41 -04:00
additionalVolumeMounts: []
2022-08-30 15:01:00 -04:00
# For instance when using a logshipper for access logs
# - name: traefik-logs
# mountPath: /var/log/traefik
# Logs
# https://docs.traefik.io/observability/logs/
logs:
2022-08-31 12:06:41 -04:00
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
2022-08-30 15:01:00 -04:00
general:
# By default, the logs use a text format (common), but you can
# also ask for the json format in the format option
# format: json
2022-08-31 12:06:41 -04:00
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
2022-08-30 15:01:00 -04:00
level: ERROR
access:
# To enable access logs
enabled: false
# By default, logs are written using the Common Log Format (CLF).
# To write logs in JSON, use json in the format option.
# If the given format is unsupported, the default (CLF) is used instead.
# format: json
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
2022-08-31 12:06:41 -04:00
# This option represents the number of log lines Traefik will keep in memory before writing
# them to the selected output. In some cases, this option can greatly help performances.
2022-08-30 15:01:00 -04:00
# bufferingSize: 100
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
# minduration: 10ms
# Fields
2022-08-31 12:06:41 -04:00
# https://docs.traefik.io/observability/access-logs/ #limiting-the-fieldsincluding-headers
2022-08-30 15:01:00 -04:00
fields:
general:
defaultmode: keep
names: {}
# Examples:
# ClientUsername: drop
headers:
defaultmode: drop
names: {}
# Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
metrics:
# datadog:
# address: 127.0.0.1:8125
# influxdb:
# address: localhost:8089
# protocol: udp
prometheus:
entryPoint: metrics
2022-08-31 12:06:41 -04:00
# addRoutersLabels: true
2022-08-30 15:01:00 -04:00
# statsd:
# address: localhost:8125
2022-08-31 12:06:41 -04:00
tracing: {}
# instana:
# enabled: true
# datadog:
# localAgentHostPort: 127.0.0.1:8126
# debug: false
# globalTag: ""
# prioritySampling: false
2022-08-30 15:01:00 -04:00
globalArguments:
- "--global.checknewversion=false"
- "--global.sendanonymoususage=false"
2022-08-30 14:38:09 -04:00
2022-08-30 15:01:00 -04:00
#
# Configure Traefik static configuration
# Additional arguments to be passed at Traefik's binary
2022-08-31 12:06:41 -04:00
# All available options available on https://docs.traefik.io/reference/ static-configuration/cli/
2022-08-30 15:01:00 -04:00
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers. kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
2022-08-31 11:54:36 -04:00
additionalArguments:
2022-08-30 15:01:00 -04:00
- "--serversTransport.insecureSkipVerify=true"
- "--log.level=INFO"
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
# - "--log.level=DEBUG"
# Environment variables to be passed to Traefik's binary
env: []
# - name: SOME_VAR
# value: some-var-value
# - name: SOME_VAR_FROM_CONFIG_MAP
# valueFrom:
# configMapRef:
# name: configmap-name
# key: config-key
# - name: SOME_SECRET
# valueFrom:
# secretKeyRef:
# name: secret-name
# key: secret-key
envFrom: []
# - configMapRef:
# name: config-map-name
# - secretRef:
# name: secret-name
# Configure ports
ports:
# The name of this one can't be changed as it is used for the readiness and
# liveness probes, but you can adjust its config to your liking
traefik:
port: 9000
# Use hostPort if set.
# hostPort: 9000
#
# Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
# means it's listening on all your interfaces and all your IPs. You may want
# to set this value if you need traefik to listen on specific interface
# only.
# hostIP: 192.168.100.10
# Override the liveness/readiness port. This is useful to integrate traefik
# with an external Load Balancer that performs healthchecks.
# healthchecksPort: 9000
# Defines whether the port is exposed if service.type is LoadBalancer or
# NodePort.
#
# You SHOULD NOT expose the traefik port on production deployments.
# If you want to access it from outside of your cluster,
# use `kubectl port-forward` or create a secure ingress
expose: false
# The exposed port for this service
exposedPort: 9000
# The port protocol (TCP/UDP)
protocol: TCP
web:
port: 8000
# hostPort: 8000
expose: true
exposedPort: 80
# The port protocol (TCP/UDP)
protocol: TCP
# Use nodeport if set. This is useful if you have configured Traefik in a
# LoadBalancer
# nodePort: 32080
# Port Redirections
# Added in 2.2, you can make permanent redirects via entrypoints.
# https://docs.traefik.io/routing/entrypoints/#redirection
2022-08-31 12:06:41 -04:00
redirectTo: websecure
2022-08-30 15:01:00 -04:00
websecure:
port: 8443
# hostPort: 8443
expose: true
exposedPort: 443
# The port protocol (TCP/UDP)
protocol: TCP
# nodePort: 32443
2022-08-31 12:06:41 -04:00
# Enable HTTP/3.
# Requires enabling experimental http3 feature and tls.
# Note that you cannot have a UDP entrypoint with the same port.
# http3: true
2022-08-30 15:01:00 -04:00
# Set TLS at the entrypoint
# https://doc.traefik.io/traefik/routing/entrypoints/#tls
tls:
enabled: true
# this is the name of a TLSOption definition
options: ""
certResolver: ""
domains: []
# - main: example.com
# sans:
# - foo.example.com
# - bar.example.com
metrics:
port: 9100
# hostPort: 9100
# Defines whether the port is exposed if service.type is LoadBalancer or
# NodePort.
#
# You may not want to expose the metrics port on production deployments.
# If you want to access it from outside of your cluster,
# use `kubectl port-forward` or create a secure ingress
expose: false
# The exposed port for this service
exposedPort: 9100
# The port protocol (TCP/UDP)
protocol: TCP
# TLS Options are created as TLSOption CRDs
# https://doc.traefik.io/traefik/https/tls/#tls-options
# Example:
# tlsOptions:
# default:
# sniStrict: true
# preferServerCipherSuites: true
# foobar:
# curvePreferences:
# - CurveP521
# - CurveP384
tlsOptions: {}
# Options for the main traefik service, where the entrypoints traffic comes
# from.
2022-08-30 14:38:09 -04:00
service:
enabled: true
type: LoadBalancer
2022-08-31 12:06:41 -04:00
# Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
2022-08-30 14:38:09 -04:00
annotations: {}
2022-08-30 15:01:00 -04:00
# Additional annotations for TCP service only
annotationsTCP: {}
# Additional annotations for UDP service only
annotationsUDP: {}
# Additional service labels (e.g. for filtering Service by custom labels)
2022-08-30 14:38:09 -04:00
labels: {}
2022-08-30 15:01:00 -04:00
# Additional entries here will be added to the service spec.
# Cannot contain type, selector or ports entries.
2022-08-30 14:38:09 -04:00
spec:
2022-08-30 15:01:00 -04:00
# externalTrafficPolicy: Cluster
loadBalancerIP: "172.16.10.31"
# clusterIP: "2.3.4.5"
2022-08-30 14:38:09 -04:00
loadBalancerSourceRanges: []
2022-08-30 15:01:00 -04:00
# - 192.168.0.1/32
# - 172.16.0.0/16
externalIPs: []
# - 1.2.3.4
# One of SingleStack, PreferDualStack, or RequireDualStack.
# ipFamilyPolicy: SingleStack
2022-08-31 12:06:41 -04:00
# List of IP families (e.g. IPv4 and/or IPv6).
# ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
# ipFamilies:
# - IPv4
# - IPv6
2022-08-30 15:01:00 -04:00
## Create HorizontalPodAutoscaler object.
##
autoscaling:
enabled: false
# minReplicas: 1
# maxReplicas: 10
# metrics:
# - type: Resource
# resource:
# name: cpu
# targetAverageUtilization: 60
# - type: Resource
# resource:
# name: memory
# targetAverageUtilization: 60
# Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
2022-08-31 12:06:41 -04:00
# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
2022-08-30 15:01:00 -04:00
# additionalArguments:
# - "--certificatesresolvers.le.acme.storage=/data/acme.json"
# It will persist TLS certificates.
persistence:
enabled: false
name: data
# existingClaim: ""
accessMode: ReadWriteOnce
size: 128Mi
# storageClass: ""
path: /data
annotations: {}
# subPath: "" # only mount a subpath of the Volume into the pod
2022-08-31 12:06:41 -04:00
certResolvers: {}
# letsencrypt:
# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
# email: email@example.com
# dnsChallenge:
# # also add the provider's required configuration under env
# # or expand then from secrets/configmaps with envfrom
# # cf. https://doc.traefik.io/traefik/https/acme/#providers
# provider: digitalocean
# # add futher options for the dns challenge as needed
# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
# delayBeforeCheck: 30
# resolvers:
# - 1.1.1.1
# - 8.8.8.8
# tlsChallenge: true
# httpChallenge:
# entryPoint: "web"
# # match the path to persistence
# storage: /data/acme.json
2022-08-30 15:01:00 -04:00
# If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
2022-08-31 12:06:41 -04:00
hostNetwork: false
2022-08-30 15:01:00 -04:00
# Whether Role Based Access Control objects like roles and rolebindings should be created
rbac:
enabled: true
2022-08-31 12:06:41 -04:00
# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
2022-08-30 15:01:00 -04:00
# If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
namespaced: false
2022-08-31 12:06:41 -04:00
# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
2022-08-30 15:01:00 -04:00
podSecurityPolicy:
enabled: false
# The service account the pods will use to interact with the Kubernetes API
serviceAccount:
# If set, an existing service account is used
# If not set, a service account is created automatically using the fullname template
name: ""
# Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}
resources: {}
# requests:
# cpu: "100m"
# memory: "50Mi"
# limits:
# cpu: "300m"
# memory: "150Mi"
affinity: {}
# # This example pod anti-affinity forces the scheduler to put traefik pods
# # on nodes where no other traefik pods are scheduled.
# # It should be used when hostNetwork: true to prevent port conflicts
# podAntiAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
2022-08-31 12:06:41 -04:00
# - labelSelector:
# matchExpressions:
# - key: app.kubernetes.io/name
# operator: In
# values:
# - {{ template "traefik.name" . }}
# topologyKey: kubernetes.io/hostname
2022-08-30 15:01:00 -04:00
nodeSelector: {}
2022-08-31 12:06:41 -04:00
tolerations: []
2022-08-30 15:01:00 -04:00
# Pods can have priority.
# Priority indicates the importance of a Pod relative to other Pods.
priorityClassName: ""
# Set the container security context
# To run the container with ports below 1024 this will need to be adjust to run as root
securityContext:
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
podSecurityContext:
2022-08-31 12:06:41 -04:00
fsGroup: 65532