diff --git a/traefik/configmap-traefik-helm-chart-value-overrides.yaml b/traefik/configmap-traefik-helm-chart-value-overrides.yaml index d4121bc..f0854f2 100644 --- a/traefik/configmap-traefik-helm-chart-value-overrides.yaml +++ b/traefik/configmap-traefik-helm-chart-value-overrides.yaml @@ -22,7 +22,9 @@ data: kind: Deployment # Number of pods of the deployment (only applies when kind == Deployment) replicas: 3 - # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down terminationGracePeriodSeconds: 60 # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/ Deployment controller considers it available minReadySeconds: 0 @@ -50,7 +52,7 @@ data: # path: /var/run/statsd-exporter # Additional initContainers (e.g. for setting file permission as shown below) initContainers: [] - # The "volume-permissions" init container is required if you run into permission issues. + # The "volume-permissions" init container is required if you run into permission issues. # Related issue: https://github.com/traefik/traefik/issues/6972 # - name: volume-permissions # image: busybox:1.31.1 @@ -58,6 +60,8 @@ data: # volumeMounts: # - name: data # mountPath: /data + # Use process namespace sharing + shareProcessNamespace: false # Custom pod DNS policy. Apply if `hostNetwork: true` # dnsPolicy: ClusterFirstWithHostNet # Additional imagePullSecrets 
@@ -77,7 +81,7 @@ data: # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 enabled: false isDefaultClass: false - # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" fallbackApiVersion: "" # Activate Pilot integration @@ -89,13 +93,14 @@ data: # Enable experimental features experimental: + http3: + enabled: false plugins: enabled: false kubernetesGateway: enabled: false - appLabelSelector: "traefik" - certificates: [] - # - group: "core" + # certificate: + # group: "core" # kind: "Secret" # name: "mysecret" # By default, Gateway would be created to the Namespace you are deploying Traefik to. @@ -105,7 +110,7 @@ data: # Create an IngressRoute for the dashboard ingressRoute: dashboard: - enabled: false + enabled: true # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) annotations: {} # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) @@ -115,6 +120,20 @@ data: maxUnavailable: 1 maxSurge: 1 + # Customize liveness and readiness probe values. + readinessProbe: + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 # # Configure providers 
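Review bot: In the `@@ -105,7 +110,7` hunk, `ingressRoute.dashboard.enabled` flips to `true` with no authentication middleware or source restriction anywhere in the visible values. The dashboard and API reveal every router, service and middleware in the cluster, so anyone who can reach the entrypoint that serves this route can read that information. Whether it is reachable from outside depends on how that entrypoint is exposed, which this hunk does not show. I would keep the chart-managed route off, `enabled: false  # publish the dashboard via a dedicated IngressRoute with an auth middleware`, and define the route explicitly where access control can be reviewed.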
@@ -122,16 +141,19 @@ data: providers: kubernetesCRD: enabled: true - # allowCrossNamespace: false - # allowExternalNameServices: false + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false ingressClass: traefik-internal # labelSelector: environment=production,method=traefik - namespaces: - - "default" + namespaces: [] + # - "default" kubernetesIngress: enabled: true allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal # labelSelector: environment=production,method=traefik namespaces: [] # - "default" @@ -150,10 +172,7 @@ data: # - "--providers.file.filename=/config/dynamic.toml" # - "--ping" # - "--ping.entrypoint=web" - volumes: - # - name: ssl - # secret: - # secretName: wildcard-k3s.securait.local + volumes: [] # - name: public-cert # mountPath: "/certs" # type: secret @@ -162,9 +181,7 @@ data: # type: configMap # Additional volumeMounts to add to the Traefik container - additionalVolumeMounts: - # - name: ssl - # mountPath: /ssl + additionalVolumeMounts: [] # For instance when using a logshipper for access logs # - name: traefik-logs # mountPath: /var/log/traefik @@ -172,12 +189,12 @@ data: # Logs # https://docs.traefik.io/observability/logs/ logs: - # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). general: # By default, the logs use a text format (common), but you can # also ask for the json format in the format option # format: json - # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. level: ERROR access: # To enable access logs 
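Review bot: In the `@@ -122,16 +141,19` hunk, `providers.kubernetesCRD.namespaces` changes from `- "default"` to `[]`, so the CRD provider now watches every namespace instead of one. Together with `rbac.namespaced: false` (visible as context in the `@@ -410` hunk), any principal who can create an IngressRoute in any namespace can publish a route through this Traefik instance. Setting `allowCrossNamespace: false` and `allowExternalNameServices: false` explicitly is good, but it does not narrow which namespaces are trusted. If cluster-wide watching is not required, keep an explicit list such as `namespaces:` followed by `- "default"`. If it is required, add a comment saying so and rely on `ingressClass` or `labelSelector` to scope what is picked up. The `providers` block continues outside this hunk.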
@@ -187,8 +204,8 @@ data: # If the given format is unsupported, the default (CLF) is used instead. # format: json # To write the logs in an asynchronous fashion, specify a bufferingSize option. - # This option represents the number of log lines Traefik will keep in memory before writing - # them to the selected output. In some cases, this option can greatly help performances. + # This option represents the number of log lines Traefik will keep in memory before writing + # them to the selected output. In some cases, this option can greatly help performances. # bufferingSize: 100 # Filtering https://docs.traefik.io/observability/access-logs/#filtering filters: {} @@ -196,7 +213,7 @@ data: # retryattempts: true # minduration: 10ms # Fields - # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + # https://docs.traefik.io/observability/access-logs/ #limiting-the-fieldsincluding-headers fields: general: defaultmode: keep @@ -219,9 +236,19 @@ data: # protocol: udp prometheus: entryPoint: metrics + # addRoutersLabels: true # statsd: # address: localhost:8125 + tracing: {} + # instana: + # enabled: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + globalArguments: - "--global.checknewversion=false" - "--global.sendanonymoususage=false" @@ -229,7 +256,7 @@ data: # # Configure Traefik static configuration # Additional arguments to be passed at Traefik's binary - # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + # All available options available on https://docs.traefik.io/reference/ static-configuration/cli/ ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers. kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` additionalArguments: - "--serversTransport.insecureSkipVerify=true" 
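Review bot: In the `@@ -229,7 +256,7` hunk, `- "--serversTransport.insecureSkipVerify=true"` stays under `additionalArguments` while the commit only edits the comment above it. That flag disables certificate verification for every HTTPS backend Traefik connects to, so a backend can be impersonated on the cluster network without detection. I would remove it and trust the internal CA instead, e.g. `- "--serversTransport.rootCAs=<path-to-ca-bundle>"` with the bundle mounted through `volumes`; the path is a placeholder. If a single backend genuinely needs it, scope the exception to that backend rather than setting it globally. Separately, the rewritten comment now has a space inside the docs URL (`reference/ static-configuration`), which may be a wrapping artifact but breaks the link as written. The `additionalArguments` list continues outside this hunk.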
@@ -301,7 +328,7 @@ data: # Port Redirections # Added in 2.2, you can make permanent redirects via entrypoints. # https://docs.traefik.io/routing/entrypoints/#redirection - # redirectTo: websecure + redirectTo: websecure websecure: port: 8443 # hostPort: 8443 @@ -310,6 +337,10 @@ data: # The port protocol (TCP/UDP) protocol: TCP # nodePort: 32443 + # Enable HTTP/3. + # Requires enabling experimental http3 feature and tls. + # Note that you cannot have a UDP entrypoint with the same port. + # http3: true # Set TLS at the entrypoint # https://doc.traefik.io/traefik/routing/entrypoints/#tls tls: @@ -355,7 +386,7 @@ data: service: enabled: true type: LoadBalancer - # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) annotations: {} # Additional annotations for TCP service only annotationsTCP: {} @@ -376,6 +407,11 @@ data: # - 1.2.3.4 # One of SingleStack, PreferDualStack, or RequireDualStack. # ipFamilyPolicy: SingleStack + # List of IP families (e.g. IPv4 and/or IPv6). + # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 ## Create HorizontalPodAutoscaler object. ## @@ -395,7 +431,7 @@ data: # Enable persistence using Persistent Volume Claims # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: # additionalArguments: # - "--certificatesresolvers.le.acme.storage=/data/acme.json" # It will persist TLS certificates. 
@@ -410,21 +446,42 @@ data: annotations: {} # subPath: "" # only mount a subpath of the Volume into the pod + certResolvers: {} + # letsencrypt: + # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ + # email: email@example.com + # dnsChallenge: + # # also add the provider's required configuration under env + # # or expand then from secrets/configmaps with envfrom + # # cf. https://doc.traefik.io/traefik/https/acme/#providers + # provider: digitalocean + # # add futher options for the dns challenge as needed + # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge + # delayBeforeCheck: 30 + # resolvers: + # - 1.1.1.1 + # - 8.8.8.8 + # tlsChallenge: true + # httpChallenge: + # entryPoint: "web" + # # match the path to persistence + # storage: /data/acme.json + # If hostNetwork is true, runs traefik in the host network namespace # To prevent unschedulabel pods due to port collisions, if hostNetwork=true # and replicas>1, a pod anti-affinity is recommended and will be set if the # affinity is left as default. - hostNetwork: true + hostNetwork: false # Whether Role Based Access Control objects like roles and rolebindings should be created rbac: enabled: true - # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace namespaced: false - # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding podSecurityPolicy: enabled: false 
@@ -450,24 +507,15 @@ data: # # It should be used when hostNetwork: true to prevent port conflicts # podAntiAffinity: # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: app - # operator: In - # values: - # - {{ template "traefik.name" . }} - # topologyKey: failure-domain.beta.kubernetes.io/zone + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - {{ template "traefik.name" . }} + # topologyKey: kubernetes.io/hostname nodeSelector: {} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - + tolerations: [] # Pods can have priority. # Priority indicates the importance of a Pod relative to other Pods. @@ -484,4 +532,4 @@ data: runAsUser: 65532 podSecurityContext: - fsGroup: 65532 + fsGroup: 65532 \ No newline at end of file