traefik
parent
e946f171c1
commit
92ee6eb920
@ -1,418 +0,0 @@
|
|||||||
# Default values for Traefik
|
|
||||||
image:
|
|
||||||
name: traefik
|
|
||||||
# defaults to appVersion
|
|
||||||
tag: ""
|
|
||||||
pullPolicy: IfNotPresent
|
|
||||||
|
|
||||||
#
|
|
||||||
# Configure the deployment
|
|
||||||
#
|
|
||||||
deployment:
|
|
||||||
enabled: true
|
|
||||||
# Can be either Deployment or DaemonSet
|
|
||||||
kind: Deployment
|
|
||||||
# Number of pods of the deployment (only applies when kind == Deployment)
|
|
||||||
replicas: 1
|
|
||||||
# Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
|
|
||||||
annotations: {}
|
|
||||||
# Additional deployment labels (e.g. for filtering deployment by custom labels)
|
|
||||||
labels: {}
|
|
||||||
# Additional pod annotations (e.g. for mesh injection or prometheus scraping)
|
|
||||||
podAnnotations: {}
|
|
||||||
# Additional Pod labels (e.g. for filtering Pod by custom labels)
|
|
||||||
podLabels: {}
|
|
||||||
# Additional containers (e.g. for metric offloading sidecars)
|
|
||||||
additionalContainers: []
|
|
||||||
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
|
|
||||||
# - name: socat-proxy
|
|
||||||
# image: alpine/socat:1.0.5
|
|
||||||
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
|
|
||||||
# volumeMounts:
|
|
||||||
# - name: dsdsocket
|
|
||||||
# mountPath: /socket
|
|
||||||
# Additional volumes available for use with initContainers and additionalContainers
|
|
||||||
additionalVolumes: []
|
|
||||||
# - name: dsdsocket
|
|
||||||
# hostPath:
|
|
||||||
# path: /var/run/statsd-exporter
|
|
||||||
# Additional initContainers (e.g. for setting file permission as shown below)
|
|
||||||
initContainers: []
|
|
||||||
# The "volume-permissions" init container is required if you run into permission issues.
|
|
||||||
# Related issue: https://github.com/traefik/traefik/issues/6972
|
|
||||||
# - name: volume-permissions
|
|
||||||
# image: busybox:1.31.1
|
|
||||||
# command: ["sh", "-c", "chmod -Rv 600 /data/*"]
|
|
||||||
# volumeMounts:
|
|
||||||
# - name: data
|
|
||||||
# mountPath: /data
|
|
||||||
# Custom pod DNS policy. Apply if `hostNetwork: true`
|
|
||||||
# dnsPolicy: ClusterFirstWithHostNet
|
|
||||||
# Additional imagePullSecrets
|
|
||||||
imagePullSecrets: []
|
|
||||||
# - name: myRegistryKeySecretName
|
|
||||||
|
|
||||||
# Pod disruption budget
|
|
||||||
podDisruptionBudget:
|
|
||||||
enabled: false
|
|
||||||
# maxUnavailable: 1
|
|
||||||
# minAvailable: 0
|
|
||||||
|
|
||||||
# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
|
|
||||||
ingressClass:
|
|
||||||
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
|
|
||||||
enabled: true
|
|
||||||
isDefaultClass: true
|
|
||||||
|
|
||||||
# Activate Pilot integration
|
|
||||||
pilot:
|
|
||||||
enabled: false
|
|
||||||
token: ""
|
|
||||||
dashboard: true
|
|
||||||
|
|
||||||
# Enable experimental features
|
|
||||||
experimental:
|
|
||||||
plugins:
|
|
||||||
enabled: false
|
|
||||||
kubernetesGateway:
|
|
||||||
enabled: false
|
|
||||||
appLabelSelector: "traefik"
|
|
||||||
certificates: []
|
|
||||||
# - group: "core"
|
|
||||||
# kind: "Secret"
|
|
||||||
# name: "mysecret"
|
|
||||||
|
|
||||||
# Create an IngressRoute for the dashboard
|
|
||||||
ingressRoute:
|
|
||||||
dashboard:
|
|
||||||
enabled: true
|
|
||||||
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
|
|
||||||
annotations: {}
|
|
||||||
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
|
|
||||||
labels: {}
|
|
||||||
|
|
||||||
rollingUpdate:
|
|
||||||
maxUnavailable: 1
|
|
||||||
maxSurge: 1
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Configure providers
|
|
||||||
#
|
|
||||||
providers:
|
|
||||||
kubernetesCRD:
|
|
||||||
enabled: true
|
|
||||||
namespaces: []
|
|
||||||
# - "default"
|
|
||||||
kubernetesIngress:
|
|
||||||
enabled: true
|
|
||||||
# labelSelector: environment=production,method=traefik
|
|
||||||
namespaces: []
|
|
||||||
# - "default"
|
|
||||||
# IP used for Kubernetes Ingress endpoints
|
|
||||||
publishedService:
|
|
||||||
enabled: false
|
|
||||||
# Published Kubernetes Service to copy status from. Format: namespace/servicename
|
|
||||||
# By default this Traefik service
|
|
||||||
# pathOverride: ""
|
|
||||||
|
|
||||||
#
|
|
||||||
# Add volumes to the traefik pod. The volume name will be passed to tpl.
|
|
||||||
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
|
|
||||||
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
|
|
||||||
# additionalArguments:
|
|
||||||
# - "--providers.file.filename=/config/dynamic.toml"
|
|
||||||
# - "--ping"
|
|
||||||
# - "--ping.entrypoint=web"
|
|
||||||
volumes: []
|
|
||||||
# - name: public-cert
|
|
||||||
# mountPath: "/certs"
|
|
||||||
# type: secret
|
|
||||||
# - name: '{{ printf "%s-configs" .Release.Name }}'
|
|
||||||
# mountPath: "/config"
|
|
||||||
# type: configMap
|
|
||||||
|
|
||||||
# Additional volumeMounts to add to the Traefik container
|
|
||||||
additionalVolumeMounts: []
|
|
||||||
# For instance when using a logshipper for access logs
|
|
||||||
# - name: traefik-logs
|
|
||||||
# mountPath: /var/log/traefik
|
|
||||||
|
|
||||||
# Logs
|
|
||||||
# https://docs.traefik.io/observability/logs/
|
|
||||||
logs:
|
|
||||||
# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
|
|
||||||
general:
|
|
||||||
# By default, the logs use a text format (common), but you can
|
|
||||||
# also ask for the json format in the format option
|
|
||||||
# format: json
|
|
||||||
# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
|
|
||||||
level: ERROR
|
|
||||||
access:
|
|
||||||
# To enable access logs
|
|
||||||
enabled: false
|
|
||||||
# By default, logs are written using the Common Log Format (CLF).
|
|
||||||
# To write logs in JSON, use json in the format option.
|
|
||||||
# If the given format is unsupported, the default (CLF) is used instead.
|
|
||||||
# format: json
|
|
||||||
# To write the logs in an asynchronous fashion, specify a bufferingSize option.
|
|
||||||
# This option represents the number of log lines Traefik will keep in memory before writing
|
|
||||||
# them to the selected output. In some cases, this option can greatly help performances.
|
|
||||||
# bufferingSize: 100
|
|
||||||
# Filtering https://docs.traefik.io/observability/access-logs/#filtering
|
|
||||||
filters: {}
|
|
||||||
# statuscodes: "200,300-302"
|
|
||||||
# retryattempts: true
|
|
||||||
# minduration: 10ms
|
|
||||||
# Fields
|
|
||||||
# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
|
|
||||||
fields:
|
|
||||||
general:
|
|
||||||
defaultmode: keep
|
|
||||||
names: {}
|
|
||||||
# Examples:
|
|
||||||
# ClientUsername: drop
|
|
||||||
headers:
|
|
||||||
defaultmode: drop
|
|
||||||
names: {}
|
|
||||||
# Examples:
|
|
||||||
# User-Agent: redact
|
|
||||||
# Authorization: drop
|
|
||||||
# Content-Type: keep
|
|
||||||
|
|
||||||
globalArguments:
|
|
||||||
- "--global.checknewversion"
|
|
||||||
- "--global.sendanonymoususage"
|
|
||||||
|
|
||||||
# Configure Traefik static configuration
|
|
||||||
# Additional arguments to be passed at Traefik's binary
|
|
||||||
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
|
|
||||||
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
|
|
||||||
additionalArguments:
|
|
||||||
- "--providers.kubernetesingress.ingressclass=traefik"
|
|
||||||
- "--log.level=DEBUG"
|
|
||||||
- "--log.format=json"
|
|
||||||
- "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
|
|
||||||
- "--certificatesresolvers.le.acme.tlschallenge=true"
|
|
||||||
- "--certificatesresolvers.le.acme.email=adelorenzo@oe74.net"
|
|
||||||
- "--certificatesresolvers.le.acme.storage=/data/acme.json"
|
|
||||||
|
|
||||||
# Environment variables to be passed to Traefik's binary
|
|
||||||
env: []
|
|
||||||
# - name: SOME_VAR
|
|
||||||
# value: some-var-value
|
|
||||||
# - name: SOME_VAR_FROM_CONFIG_MAP
|
|
||||||
# valueFrom:
|
|
||||||
# configMapRef:
|
|
||||||
# name: configmap-name
|
|
||||||
# key: config-key
|
|
||||||
# - name: SOME_SECRET
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: secret-name
|
|
||||||
# key: secret-key
|
|
||||||
|
|
||||||
envFrom: []
|
|
||||||
# - configMapRef:
|
|
||||||
# name: config-map-name
|
|
||||||
# - secretRef:
|
|
||||||
# name: secret-name
|
|
||||||
|
|
||||||
# Configure ports
|
|
||||||
ports:
|
|
||||||
# The name of this one can't be changed as it is used for the readiness and
|
|
||||||
# liveness probes, but you can adjust its config to your liking
|
|
||||||
traefik:
|
|
||||||
port: 9000
|
|
||||||
# Use hostPort if set.
|
|
||||||
# hostPort: 9000
|
|
||||||
#
|
|
||||||
# Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
|
|
||||||
# means it's listening on all your interfaces and all your IPs. You may want
|
|
||||||
# to set this value if you need traefik to listen on specific interface
|
|
||||||
# only.
|
|
||||||
# hostIP: 192.168.100.10
|
|
||||||
|
|
||||||
# Override the liveness/readiness port. This is useful to integrate traefik
|
|
||||||
# with an external Load Balancer that performs healthchecks.
|
|
||||||
# healthchecksPort: 9000
|
|
||||||
|
|
||||||
# Defines whether the port is exposed if service.type is LoadBalancer or
|
|
||||||
# NodePort.
|
|
||||||
#
|
|
||||||
# You SHOULD NOT expose the traefik port on production deployments.
|
|
||||||
# If you want to access it from outside of your cluster,
|
|
||||||
# use `kubectl port-forward` or create a secure ingress
|
|
||||||
expose: false
|
|
||||||
# The exposed port for this service
|
|
||||||
exposedPort: 9000
|
|
||||||
# The port protocol (TCP/UDP)
|
|
||||||
protocol: TCP
|
|
||||||
web:
|
|
||||||
port: 8000
|
|
||||||
hostPort: 80
|
|
||||||
expose: true
|
|
||||||
exposedPort: 80
|
|
||||||
# The port protocol (TCP/UDP)
|
|
||||||
protocol: TCP
|
|
||||||
# Use nodeport if set. This is useful if you have configured Traefik in a
|
|
||||||
# LoadBalancer
|
|
||||||
# nodePort: 32080
|
|
||||||
# Port Redirections
|
|
||||||
# Added in 2.2, you can make permanent redirects via entrypoints.
|
|
||||||
# https://docs.traefik.io/routing/entrypoints/#redirection
|
|
||||||
redirectTo: websecure
|
|
||||||
websecure:
|
|
||||||
port: 8443
|
|
||||||
hostPort: 443
|
|
||||||
expose: true
|
|
||||||
exposedPort: 443
|
|
||||||
# The port protocol (TCP/UDP)
|
|
||||||
protocol: TCP
|
|
||||||
# nodePort: 32443
|
|
||||||
# Set TLS at the entrypoint
|
|
||||||
# https://doc.traefik.io/traefik/routing/entrypoints/#tls
|
|
||||||
tls:
|
|
||||||
enabled: true
|
|
||||||
# this is the name of a TLSOption definition
|
|
||||||
options: ""
|
|
||||||
certResolver: "le"
|
|
||||||
domains:
|
|
||||||
- main: zz11.net
|
|
||||||
# sans:
|
|
||||||
# - foo.example.com
|
|
||||||
# - bar.example.com
|
|
||||||
|
|
||||||
# TLS Options are created as TLSOption CRDs
|
|
||||||
# https://doc.traefik.io/traefik/https/tls/#tls-options
|
|
||||||
# Example:
|
|
||||||
# tlsOptions:
|
|
||||||
# default:
|
|
||||||
# sniStrict: true
|
|
||||||
# preferServerCipherSuites: true
|
|
||||||
# foobar:
|
|
||||||
# curvePreferences:
|
|
||||||
# - CurveP521
|
|
||||||
# - CurveP384
|
|
||||||
tlsOptions: {}
|
|
||||||
|
|
||||||
# Options for the main traefik service, where the entrypoints traffic comes
|
|
||||||
# from.
|
|
||||||
service:
|
|
||||||
enabled: true
|
|
||||||
type: LoadBalancer
|
|
||||||
# Additional annotations (e.g. for cloud provider specific config)
|
|
||||||
annotations: {}
|
|
||||||
# Additional service labels (e.g. for filtering Service by custom labels)
|
|
||||||
labels: {}
|
|
||||||
# Additional entries here will be added to the service spec. Cannot contains
|
|
||||||
# type, selector or ports entries.
|
|
||||||
spec: {}
|
|
||||||
# externalTrafficPolicy: Cluster
|
|
||||||
# loadBalancerIP: "1.2.3.4"
|
|
||||||
# clusterIP: "2.3.4.5"
|
|
||||||
loadBalancerSourceRanges: []
|
|
||||||
# - 192.168.0.1/32
|
|
||||||
# - 172.16.0.0/16
|
|
||||||
externalIPs: []
|
|
||||||
# - 1.2.3.4
|
|
||||||
|
|
||||||
## Create HorizontalPodAutoscaler object.
|
|
||||||
##
|
|
||||||
autoscaling:
|
|
||||||
enabled: false
|
|
||||||
# minReplicas: 1
|
|
||||||
# maxReplicas: 10
|
|
||||||
# metrics:
|
|
||||||
# - type: Resource
|
|
||||||
# resource:
|
|
||||||
# name: cpu
|
|
||||||
# targetAverageUtilization: 60
|
|
||||||
# - type: Resource
|
|
||||||
# resource:
|
|
||||||
# name: memory
|
|
||||||
# targetAverageUtilization: 60
|
|
||||||
|
|
||||||
# Enable persistence using Persistent Volume Claims
|
|
||||||
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
||||||
# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
|
|
||||||
# additionalArguments:
|
|
||||||
# - "--certificatesresolvers.le.acme.storage=/data/acme.json"
|
|
||||||
# It will persist TLS certificates.
|
|
||||||
persistence:
|
|
||||||
enabled: true
|
|
||||||
name: data
|
|
||||||
# existingClaim: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 128Mi
|
|
||||||
# storageClass: ""
|
|
||||||
path: /data
|
|
||||||
annotations: {}
|
|
||||||
# subPath: "" # only mount a subpath of the Volume into the pod
|
|
||||||
|
|
||||||
# If hostNetwork is true, runs traefik in the host network namespace
|
|
||||||
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
|
|
||||||
# and replicas>1, a pod anti-affinity is recommended and will be set if the
|
|
||||||
# affinity is left as default.
|
|
||||||
hostNetwork: false
|
|
||||||
|
|
||||||
# Whether Role Based Access Control objects like roles and rolebindings should be created
|
|
||||||
rbac:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
|
|
||||||
# If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
|
|
||||||
namespaced: false
|
|
||||||
|
|
||||||
# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding
|
|
||||||
podSecurityPolicy:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
# The service account the pods will use to interact with the Kubernetes API
|
|
||||||
serviceAccount:
|
|
||||||
# If set, an existing service account is used
|
|
||||||
# If not set, a service account is created automatically using the fullname template
|
|
||||||
name: ""
|
|
||||||
|
|
||||||
# Additional serviceAccount annotations (e.g. for oidc authentication)
|
|
||||||
serviceAccountAnnotations: {}
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# requests:
|
|
||||||
# cpu: "100m"
|
|
||||||
# memory: "50Mi"
|
|
||||||
# limits:
|
|
||||||
# cpu: "300m"
|
|
||||||
# memory: "150Mi"
|
|
||||||
affinity: {}
|
|
||||||
# # This example pod anti-affinity forces the scheduler to put traefik pods
|
|
||||||
# # on nodes where no other traefik pods are scheduled.
|
|
||||||
# # It should be used when hostNetwork: true to prevent port conflicts
|
|
||||||
# podAntiAffinity:
|
|
||||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
# - labelSelector:
|
|
||||||
# matchExpressions:
|
|
||||||
# - key: app
|
|
||||||
# operator: In
|
|
||||||
# values:
|
|
||||||
# - {{ template "traefik.name" . }}
|
|
||||||
# topologyKey: failure-domain.beta.kubernetes.io/zone
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
# Pods can have priority.
|
|
||||||
# Priority indicates the importance of a Pod relative to other Pods.
|
|
||||||
priorityClassName: ""
|
|
||||||
|
|
||||||
# Set the container security context
|
|
||||||
# To run the container with ports below 1024 this will need to be adjust to run as root
|
|
||||||
securityContext:
|
|
||||||
capabilities:
|
|
||||||
drop: [ALL]
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
runAsGroup: 65532
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 65532
|
|
||||||
|
|
||||||
podSecurityContext:
|
|
||||||
fsGroup: 65532
|
|