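traefik:
  # Default values for Traefik
  #
  # NOTE(review): this file is the security surface of the ingress tier. Values
  # that widen exposure (Hub, cross-namespace routing, dashboard/API, backend
  # TLS verification, log level) are called out inline below.
  image:
    registry: docker.io
    repository: traefik
    # defaults to appVersion
    # NOTE(review): an empty tag combined with `pullPolicy: Always` means every
    # pod start re-resolves whatever the appVersion tag points at. For a
    # reproducible supply chain pin an explicit tag (or a digest) and track
    # upgrades deliberately.
    tag: ""
    pullPolicy: Always

  #
  # Configure integration with Traefik Hub
  #
  hub:
    ## Enabling Hub will:
    # * enable Traefik Hub integration on Traefik
    # * add `traefikhub-tunl` endpoint
    # * enable Prometheus metrics with addRoutersLabels
    # * enable allowExternalNameServices on KubernetesIngress provider
    # * enable allowCrossNamespace on KubernetesCRD provider
    # * add an internal (ClusterIP) Service, dedicated for Traefik Hub
    #
    # /!\ Security impact /!\
    # Enabling Hub silently overrides the provider hardening further down:
    # `providers.kubernetesIngress.allowExternalNameServices: false` no longer
    # applies, so any Ingress in any watched namespace can point Traefik at an
    # ExternalName Service (i.e. an arbitrary external or in-cluster hostname),
    # and IngressRoutes may reference Services across namespaces. Only keep this
    # `true` if Hub is actually used; otherwise set it to `false`.
    enabled: true
    ## Default port can be changed
    # tunnelPort: 9901
    ## TLS is optional. Insecure is mutually exclusive with any other options
    # NOTE(review): in production configure `tls` with a CA/cert/key and keep
    # `insecure: false`; confirm how the tunnel is protected when this section
    # is left unset.
    # tls:
    #   insecure: false
    #   ca: "/path/to/ca.pem"
    #   cert: "/path/to/cert.pem"
    #   key: "/path/to/key.pem"

  #
  # Configure the deployment
  #
  deployment:
    enabled: true
    # Can be either Deployment or DaemonSet
    kind: Deployment
    # Number of pods of the deployment (only applies when kind == Deployment)
    replicas: 1
    # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
    revisionHistoryLimit: 1
    # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
    terminationGracePeriodSeconds: 60
    # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
    minReadySeconds: 0
    # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
    annotations: {}
    # Additional deployment labels (e.g. for filtering deployment by custom labels)
    labels: {}
    # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
    podAnnotations: {}
    # Additional Pod labels (e.g. for filtering Pod by custom labels)
    podLabels: {}
    # Additional containers (e.g. for metric offloading sidecars)
    # NOTE(review): sidecars share the pod's network namespace and service
    # account token; give them their own securityContext and pin their images.
    additionalContainers: []
    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
    # - name: socat-proxy
    #   image: alpine/socat:1.0.5
    #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
    #   volumeMounts:
    #     - name: dsdsocket
    #       mountPath: /socket
    # Additional volumes available for use with initContainers and additionalContainers
    # NOTE(review): hostPath volumes (as in the example) expose the node
    # filesystem to the pod and are rejected by the "restricted" Pod Security
    # Standard; prefer a Secret/ConfigMap/PVC where possible.
    additionalVolumes: []
    # - name: dsdsocket
    #   hostPath:
    #     path: /var/run/statsd-exporter
    # Additional initContainers (e.g. for setting file permission as shown below)
    initContainers: []
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
    # NOTE(review): pin the init image to a tag or digest instead of `latest`,
    # and keep it running as the same non-root UID/GID as Traefik (65532) so
    # acme.json stays readable only by the Traefik user (chmod 600).
    # - name: volume-permissions
    #   image: busybox:latest
    #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
    #   securityContext:
    #     runAsNonRoot: true
    #     runAsGroup: 65532
    #     runAsUser: 65532
    #   volumeMounts:
    #     - name: data
    #       mountPath: /data
    # Use process namespace sharing
    # Keep false unless a sidecar genuinely needs to see Traefik's processes:
    # a shared PID namespace lets any container in the pod inspect the others.
    shareProcessNamespace: false
    # Custom pod DNS policy. Apply if `hostNetwork: true`
    # dnsPolicy: ClusterFirstWithHostNet
    # Additional imagePullSecrets
    imagePullSecrets: []
    # - name: myRegistryKeySecretName
    # Pod lifecycle actions
    lifecycle: {}
    # preStop:
    #   exec:
    #     command: ["/bin/sh", "-c", "sleep 40"]
    # postStart:
    #   httpGet:
    #     path: /ping
    #     port: 9000
    #     host: localhost
    #     scheme: HTTP

  # Pod disruption budget
  podDisruptionBudget:
    enabled: false
    # maxUnavailable: 1
    # maxUnavailable: 33%
    # minAvailable: 0
    # minAvailable: 25%

  # Create a default IngressClass for Traefik
  ingressClass:
    enabled: true
    isDefaultClass: false

  # Enable experimental features
  experimental:
    v3:
      enabled: false
    # Plugins are third-party Go modules executed inside the Traefik process;
    # a vulnerable or malicious version sees and can modify every request.
    # Keep the version pinned (as done here), review the module source before
    # bumping it, and treat a change of `moduleName` as a supply-chain event.
    plugins:
      jwt:
        moduleName: github.com/Brainwave/jwt-middleware
        version: v1.1.5
    kubernetesGateway:
      enabled: false
      gateway:
        enabled: true
      # certificate:
      #   group: "core"
      #   kind: "Secret"
      #   name: "mysecret"
      # By default, Gateway would be created to the Namespace you are deploying Traefik to.
      # You may create that Gateway in another namespace, setting its name below:
      # namespace: default
      # Additional gateway annotations (e.g. for cert-manager.io/issuer)
      # annotations:
      #   cert-manager.io/issuer: letsencrypt

  # Create an IngressRoute for the dashboard
  ingressRoute:
    dashboard:
      enabled: true
      # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
      annotations: {}
      # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
      labels: {}
      # The router match rule used for the dashboard ingressRoute
      # NOTE(review): the `/api` prefix also serves the Traefik API, which
      # reveals the full routing configuration (routers, services, middleware
      # settings). It must never be reachable without authentication.
      matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
      # By default, it's using traefik entrypoint, which is not exposed.
      # /!\ Do not expose your dashboard without any protection over the internet /!\
      # If you move this to `web`/`websecure`, add an authentication middleware
      # (basicAuth/forwardAuth) in `middlewares` below in the same change.
      entryPoints: ["traefik"]
      # Additional ingressRoute middlewares (e.g. for authentication)
      middlewares: []
      # TLS options (e.g. secret containing certificate)
      tls: {}

  # Customize updateStrategy of traefik pods
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1

  # Customize liveness and readiness probe values.
  readinessProbe:
    failureThreshold: 1
    initialDelaySeconds: 2
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 2
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 2
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 2

  #
  # Configure providers
  #
  providers:
    kubernetesCRD:
      enabled: true
      # NOTE(review): `true` lets an IngressRoute/Middleware in one namespace
      # reference Services and Middlewares in another, which defeats namespace
      # isolation in a multi-tenant cluster. `hub.enabled: true` above forces
      # this on regardless of the value here; set both to false if tenants
      # must not route to each other's Services.
      allowCrossNamespace: true
      allowExternalNameServices: false
      allowEmptyServices: false
      # ingressClass: traefik-internal
      # labelSelector: environment=production,method=traefik
      namespaces: []
      # - "default"
    kubernetesIngress:
      enabled: true
      # NOTE(review): per the `hub` section above, this `false` is overridden
      # to `true` while `hub.enabled: true`; an ExternalName Service then lets
      # any Ingress author route traffic to an arbitrary hostname.
      allowExternalNameServices: false
      allowEmptyServices: false
      # ingressClass: traefik-internal
      # labelSelector: environment=production,method=traefik
      namespaces: []
      # - "default"
      # IP used for Kubernetes Ingress endpoints
      publishedService:
        enabled: false
        # Published Kubernetes Service to copy status from. Format: namespace/servicename
        # By default this Traefik service
        # pathOverride: ""

  #
  # Add volumes to the traefik pod. The volume name will be passed to tpl.
  # This can be used to mount a cert pair or a configmap that holds a config.toml file.
  # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
  # additionalArguments:
  #   - "--providers.file.filename=/config/dynamic.toml"
  #   - "--ping"
  #   - "--ping.entrypoint=web"
  volumes: []
  # - name: public-cert
  #   mountPath: "/certs"
  #   type: secret
  # - name: '{{ printf "%s-configs" .Release.Name }}'
  #   mountPath: "/config"
  #   type: configMap

  # Additional volumeMounts to add to the Traefik container
  additionalVolumeMounts: []
  # For instance when using a logshipper for access logs
  # - name: traefik-logs
  #   mountPath: /var/log/traefik

  ## Logs
  ## https://docs.traefik.io/observability/logs/
  logs:
    ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
    general:
      # By default, the logs use a text format (common), but you can
      # also ask for the json format in the format option
      # format: json
      # By default, the level is set to ERROR.
      # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
      # Set the level here only; do not also pass `--log.level` through
      # `additionalArguments`, otherwise the two settings conflict and the
      # effective level is whichever flag Traefik parses last.
      level: ERROR
    access:
      # To enable access logs
      # NOTE(review): access logs are the primary detection/forensics source
      # for an ingress; enable them in production (ideally `format: json`) and
      # keep the header redaction below so credentials never reach the log.
      enabled: false
      ## By default, logs are written using the Common Log Format (CLF) on stdout.
      ## To write logs in JSON, use json in the format option.
      ## If the given format is unsupported, the default (CLF) is used instead.
      # format: json
      # filePath: "/var/log/traefik/access.log"
      ## To write the logs in an asynchronous fashion, specify a bufferingSize option.
      ## This option represents the number of log lines Traefik will keep in memory before writing
      ## them to the selected output. In some cases, this option can greatly help performances.
      # bufferingSize: 100
      ## Filtering https://docs.traefik.io/observability/access-logs/#filtering
      filters: {}
      # statuscodes: "200,300-302"
      # retryattempts: true
      # minduration: 10ms
      ## Fields
      ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
      fields:
        general:
          defaultmode: keep
          names: {}
          ## Examples:
          # ClientUsername: drop
        headers:
          # Headers are dropped by default. If you switch `defaultmode` to
          # `keep`, explicitly `drop` or `redact` Authorization, Cookie and
          # Set-Cookie so tokens and session IDs are not written to logs.
          defaultmode: drop
          names: {}
          ## Examples:
          # User-Agent: redact
          # Authorization: drop
          # Content-Type: keep

  metrics:
    ## Prometheus is enabled by default.
    ## It can be disabled by setting "prometheus: null"
    prometheus:
      ## Entry point used to expose metrics.
      entryPoint: metrics
      ## Enable metrics on entry points. Default=true
      # addEntryPointsLabels: false
      ## Enable metrics on routers. Default=false
      # addRoutersLabels: true
      ## Enable metrics on services. Default=true
      # addServicesLabels: false
      ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
      # buckets: "0.5,1.0,2.5"
      ## When manualRouting is true, it disables the default internal router in
      ## order to allow creating a custom router for prometheus@internal service.
      # manualRouting: true
    # NOTE(review): the exporters below take credentials (influxdb password,
    # influxdb2 token). Do not put real values in this file; supply them via
    # `env`/`envFrom` from a Secret.
    # datadog:
    #   ## Address instructs exporter to send metrics to datadog-agent at this address.
    #   address: "127.0.0.1:8125"
    #   ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
    #   # pushInterval: 30s
    #   ## The prefix to use for metrics collection. Default="traefik"
    #   # prefix: traefik
    #   ## Enable metrics on entry points. Default=true
    #   # addEntryPointsLabels: false
    #   ## Enable metrics on routers. Default=false
    #   # addRoutersLabels: true
    #   ## Enable metrics on services. Default=true
    #   # addServicesLabels: false
    # influxdb:
    #   ## Address instructs exporter to send metrics to influxdb at this address.
    #   address: localhost:8089
    #   ## InfluxDB's address protocol (udp or http). Default="udp"
    #   protocol: udp
    #   ## InfluxDB database used when protocol is http. Default=""
    #   # database: ""
    #   ## InfluxDB retention policy used when protocol is http. Default=""
    #   # retentionPolicy: ""
    #   ## InfluxDB username (only with http). Default=""
    #   # username: ""
    #   ## InfluxDB password (only with http). Default=""
    #   # password: ""
    #   ## The interval used by the exporter to push metrics to influxdb. Default=10s
    #   # pushInterval: 30s
    #   ## Additional labels (influxdb tags) on all metrics.
    #   # additionalLabels:
    #   #   env: production
    #   #   foo: bar
    #   ## Enable metrics on entry points. Default=true
    #   # addEntryPointsLabels: false
    #   ## Enable metrics on routers. Default=false
    #   # addRoutersLabels: true
    #   ## Enable metrics on services. Default=true
    #   # addServicesLabels: false
    # influxdb2:
    #   ## Address instructs exporter to send metrics to influxdb v2 at this address.
    #   address: localhost:8086
    #   ## Token with which to connect to InfluxDB v2.
    #   token: xxx
    #   ## Organisation where metrics will be stored.
    #   org: ""
    #   ## Bucket where metrics will be stored.
    #   bucket: ""
    #   ## The interval used by the exporter to push metrics to influxdb. Default=10s
    #   # pushInterval: 30s
    #   ## Additional labels (influxdb tags) on all metrics.
    #   # additionalLabels:
    #   #   env: production
    #   #   foo: bar
    #   ## Enable metrics on entry points. Default=true
    #   # addEntryPointsLabels: false
    #   ## Enable metrics on routers. Default=false
    #   # addRoutersLabels: true
    #   ## Enable metrics on services. Default=true
    #   # addServicesLabels: false
    # statsd:
    #   ## Address instructs exporter to send metrics to statsd at this address.
    #   address: localhost:8125
    #   ## The interval used by the exporter to push metrics to statsd. Default=10s
    #   # pushInterval: 30s
    #   ## The prefix to use for metrics collection. Default="traefik"
    #   # prefix: traefik
    #   ## Enable metrics on entry points. Default=true
    #   # addEntryPointsLabels: false
    #   ## Enable metrics on routers. Default=false
    #   # addRoutersLabels: true
    #   ## Enable metrics on services. Default=true
    #   # addServicesLabels: false
    # openTelemetry:
    #   ## Address of the OpenTelemetry Collector to send metrics to.
    #   address: "localhost:4318"
    #   ## Enable metrics on entry points.
    #   addEntryPointsLabels: true
    #   ## Enable metrics on routers.
    #   addRoutersLabels: true
    #   ## Enable metrics on services.
    #   addServicesLabels: true
    #   ## Explicit boundaries for Histogram data points.
    #   explicitBoundaries:
    #     - "0.1"
    #     - "0.3"
    #     - "1.2"
    #     - "5.0"
    #   ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
    #   headers:
    #     foo: bar
    #     test: test
    #   ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
    #   ## NOTE(review): the `insecure: true` / `insecureSkipVerify: true` values in
    #   ## this example are illustrative only; a production collector should be
    #   ## reached over TLS with certificate verification left on.
    #   insecure: true
    #   ## Interval at which metrics are sent to the OpenTelemetry Collector.
    #   pushInterval: 10s
    #   ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport.
    #   path: /foo/v1/traces
    #   ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
    #   tls:
    #     ## The path to the certificate authority, it defaults to the system bundle.
    #     ca: path/to/ca.crt
    #     ## The path to the public certificate. When using this option, setting the key option is required.
    #     cert: path/to/foo.cert
    #     ## The path to the private key. When using this option, setting the cert option is required.
    #     key: path/to/key.key
    #     ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
    #     insecureSkipVerify: true
    #   ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
    #   grpc: true
    ##
    ##  enable optional CRDs for Prometheus Operator
    ##
    ## Create a dedicated metrics service for use with ServiceMonitor
    ## When hub.enabled is set to true, it's not needed: it will use hub service.
    # service:
    #   enabled: false
    #   labels: {}
    #   annotations: {}
    ## When set to true, it won't check if Prometheus Operator CRDs are deployed
    # disableAPICheck: false
    # serviceMonitor:
    #   metricRelabelings: []
    #     - sourceLabels: [__name__]
    #       separator: ;
    #       regex: ^fluentd_output_status_buffer_(oldest|newest)_.+
    #       replacement: $1
    #       action: drop
    #   relabelings: []
    #     - sourceLabels: [__meta_kubernetes_pod_node_name]
    #       separator: ;
    #       regex: ^(.*)$
    #       targetLabel: nodename
    #       replacement: $1
    #       action: replace
    #   jobLabel: traefik
    #   interval: 30s
    #   honorLabels: true
    #   # (Optional)
    #   # scrapeTimeout: 5s
    #   # honorTimestamps: true
    #   # enableHttp2: true
    #   # followRedirects: true
    #   # additionalLabels:
    #   #   foo: bar
    #   # namespace: "another-namespace"
    #   # namespaceSelector: {}
    # prometheusRule:
    #   additionalLabels: {}
    #   namespace: "another-namespace"
    #   rules:
    #     - alert: TraefikDown
    #       expr: up{job="traefik"} == 0
    #       for: 5m
    #       labels:
    #         context: traefik
    #         severity: warning
    #       annotations:
    #         summary: "Traefik Down"
    #         description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"

  tracing: {}
  # instana:
  #   localAgentHost: 127.0.0.1
  #   localAgentPort: 42699
  #   logLevel: info
  #   enableAutoProfile: true
  # datadog:
  #   localAgentHostPort: 127.0.0.1:8126
  #   debug: false
  #   globalTag: ""
  #   prioritySampling: false
  # jaeger:
  #   samplingServerURL: http://localhost:5778/sampling
  #   samplingType: const
  #   samplingParam: 1.0
  #   localAgentHostPort: 127.0.0.1:6831
  #   gen128Bit: false
  #   propagation: jaeger
  #   traceContextHeaderName: uber-trace-id
  #   disableAttemptReconnecting: true
  #   collector:
  #     endpoint: ""
  #     user: ""
  #     password: ""
  # zipkin:
  #   httpEndpoint: http://localhost:9411/api/v2/spans
  #   sameSpan: false
  #   id128Bit: true
  #   sampleRate: 1.0
  # haystack:
  #   localAgentHost: 127.0.0.1
  #   localAgentPort: 35000
  #   globalTag: ""
  #   traceIDHeaderName: ""
  #   parentIDHeaderName: ""
  #   spanIDHeaderName: ""
  #   baggagePrefixHeaderName: ""
  # elastic:
  #   serverURL: http://localhost:8200
  #   secretToken: ""
  #   serviceEnvironment: ""

  globalArguments:
    - "--global.checknewversion=false"
    - "--global.sendanonymoususage=false"

  #
  # Configure Traefik static configuration
  # Additional arguments to be passed at Traefik's binary
  # All available options available on https://docs.traefik.io/reference/static-configuration/cli/
  ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
  #
  # /!\ Two flags were removed from this list in review /!\
  #
  # `--serversTransport.insecureSkipVerify=true` disabled certificate
  # verification for EVERY TLS connection Traefik makes to a backend, so any
  # host that can answer for a backend address (a compromised pod, a rogue
  # Service, a poisoned DNS reply) is accepted as genuine. If a specific backend
  # presents a self-signed certificate, scope the exception to that backend with
  # a `ServersTransport` CRD (`rootCAsSecrets` with its CA, or at worst
  # `insecureSkipVerify` on that one transport) and reference it from the
  # IngressRoute service via `serversTransport`.
  #
  # `--log.level=DEBUG` conflicted with `logs.general.level: ERROR` above and
  # produces verbose output that can include configuration details; change
  # `logs.general.level` instead when debugging.
  additionalArguments: []
  #   - "--serversTransport.insecureSkipVerify=true"
  #   - "--log.level=DEBUG"

  # Environment variables to be passed to Traefik's binary
  env: []
  # - name: SOME_VAR
  #   value: some-var-value
  # - name: SOME_VAR_FROM_CONFIG_MAP
  #   valueFrom:
  #     configMapRef:
  #       name: configmap-name
  #       key: config-key
  # - name: SOME_SECRET
  #   valueFrom:
  #     secretKeyRef:
  #       name: secret-name
  #       key: secret-key

  envFrom: []
  # - configMapRef:
  #     name: config-map-name
  # - secretRef:
  #     name: secret-name

  # Configure ports
  ports:
    # The name of this one can't be changed as it is used for the readiness and
    # liveness probes, but you can adjust its config to your liking
    traefik:
      port: 9000
      # Use hostPort if set.
      # hostPort: 9000
      #
      # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
      # means it's listening on all your interfaces and all your IPs. You may want
      # to set this value if you need traefik to listen on specific interface
      # only.
      # hostIP: 192.168.100.10

      # Override the liveness/readiness port. This is useful to integrate traefik
      # with an external Load Balancer that performs healthchecks.
      # Default: ports.traefik.port
      # healthchecksPort: 9000

      # Override the liveness/readiness scheme. Useful for getting ping to
      # respond on websecure entryPoint.
      # healthchecksScheme: HTTPS

      # Defines whether the port is exposed if service.type is LoadBalancer or
      # NodePort.
      #
      # You SHOULD NOT expose the traefik port on production deployments.
      # This entrypoint serves the dashboard and API configured in
      # `ingressRoute.dashboard` above, without authentication.
      # If you want to access it from outside of your cluster,
      # use `kubectl port-forward` or create a secure ingress
      expose: false
      # The exposed port for this service
      exposedPort: 9000
      # The port protocol (TCP/UDP)
      protocol: TCP
    web:
      ## Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
      # asDefault: true
      port: 8000
      # hostPort: 8000
      expose: true
      exposedPort: 80
      # The port protocol (TCP/UDP)
      protocol: TCP
      # Use nodeport if set. This is useful if you have configured Traefik in a
      # LoadBalancer.
      # nodePort: 32080
      # Port Redirections
      # Added in 2.2, you can make permanent redirects via entrypoints.
      # https://docs.traefik.io/routing/entrypoints/#redirection
      # Every plaintext request is redirected to `websecure`; keep this so no
      # application traffic is served over HTTP.
      redirectTo: websecure
      #
      # Trust forwarded headers information (X-Forwarded-*).
      # Only list the IPs/CIDRs of the load balancer or proxy in front of
      # Traefik. `insecure: true` trusts X-Forwarded-* from any client and lets
      # callers spoof their source IP and scheme towards backends and
      # IP-based middlewares.
      # forwardedHeaders:
      #   trustedIPs: []
      #   insecure: false
      #
      # Enable the Proxy Protocol header parsing for the entry point
      # Same rule as above: trust only the upstream load balancer.
      # proxyProtocol:
      #   trustedIPs: []
      #   insecure: false
    websecure:
      ## Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
      # asDefault: true
      port: 8443
      # hostPort: 8443
      expose: true
      exposedPort: 443
      ## The port protocol (TCP/UDP)
      protocol: TCP
      # nodePort: 32443
      #
      ## Enable HTTP/3 on the entrypoint
      ## Enabling it will also enable http3 experimental feature
      ## https://doc.traefik.io/traefik/routing/entrypoints/#http3
      ## There are known limitations when trying to listen on same ports for
      ## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
      ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
      http3:
        enabled: false
        # advertisedPort: 4443
      #
      ## Trust forwarded headers information (X-Forwarded-*).
      ## See the note on the `web` entrypoint: trust only the upstream proxy.
      # forwardedHeaders:
      #   trustedIPs: []
      #   insecure: false
      #
      ## Enable the Proxy Protocol header parsing for the entry point
      # proxyProtocol:
      #   trustedIPs: []
      #   insecure: false
      #
      ## Set TLS at the entrypoint
      ## https://doc.traefik.io/traefik/routing/entrypoints/#tls
      tls:
        enabled: true
        # this is the name of a TLSOption definition
        # NOTE(review): an empty value uses Traefik's built-in TLS defaults.
        # Define a `tlsOptions.default` below (minVersion, cipher suites,
        # `sniStrict: true`) so the TLS policy is explicit and reviewable.
        options: ""
        certResolver: ""
        domains: []
        # - main: example.com
        #   sans:
        #     - foo.example.com
        #     - bar.example.com
      #
      # One can apply Middlewares on an entrypoint
      # https://doc.traefik.io/traefik/middlewares/overview/
      # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares
      # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\
      # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace
      # middlewares:
      #   - namespace-name1@kubernetescrd
      #   - namespace-name2@kubernetescrd
      middlewares: []
    metrics:
      # When using hostNetwork, use another port to avoid conflict with node exporter:
      # https://github.com/prometheus/prometheus/wiki/Default-port-allocations
      port: 9100
      # hostPort: 9100
      # Defines whether the port is exposed if service.type is LoadBalancer or
      # NodePort.
      #
      # You may not want to expose the metrics port on production deployments.
      # If you want to access it from outside of your cluster,
      # use `kubectl port-forward` or create a secure ingress
      expose: false
      # The exposed port for this service
      exposedPort: 9100
      # The port protocol (TCP/UDP)
      protocol: TCP

  # TLS Options are created as TLSOption CRDs
  # https://doc.traefik.io/traefik/https/tls/#tls-options
  # When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
  # Example:
  # tlsOptions:
  #   default:
  #     labels: {}
  #     sniStrict: true
  #     preferServerCipherSuites: true
  #   customOptions:
  #     labels: {}
  #     curvePreferences:
  #       - CurveP521
  #       - CurveP384
  tlsOptions: {}

  # TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate
  # https://doc.traefik.io/traefik/https/tls/#default-certificate
  # Example:
  # tlsStore:
  #   default:
  #     defaultCertificate:
  #       secretName: tls-cert
  tlsStore: {}

  # Options for the main traefik service, where the entrypoints traffic comes
  # from.
  service:
    enabled: true
    ## Single service is using `MixedProtocolLBService` feature gate.
    ## When set to false, it will create two Service, one for TCP and one for UDP.
    single: true
    type: LoadBalancer
    # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
    annotations: {}
    # Additional annotations for TCP service only
    annotationsTCP: {}
    # Additional annotations for UDP service only
    annotationsUDP: {}
    # Additional service labels (e.g. for filtering Service by custom labels)
    labels: {}
    # Additional entries here will be added to the service spec.
    # Cannot contain type, selector or ports entries.
    spec:
      # `Local` preserves the real client source IP; with `Cluster` the
      # traffic is SNATed and IP-based middlewares and access logs would see
      # node IPs instead.
      externalTrafficPolicy: Local
      # loadBalancerIP: "1.2.3.4"
      # clusterIP: "2.3.4.5"
    # NOTE(review): empty means the LoadBalancer accepts traffic from any
    # source. Restrict this for ingress tiers that are not meant to be
    # public (e.g. behind a CDN/WAF whose egress ranges are known).
    loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
    externalIPs: []
    # - 1.2.3.4
    ## One of SingleStack, PreferDualStack, or RequireDualStack.
    # ipFamilyPolicy: SingleStack
    ## List of IP families (e.g. IPv4 and/or IPv6).
    ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
    # ipFamilies:
    #   - IPv4
    #   - IPv6
    ##
    ## An additional and optional internal Service.
    ## Same parameters as external Service
    # internal:
    #   type: ClusterIP
    #   # labels: {}
    #   # annotations: {}
    #   # spec: {}
    #   # loadBalancerSourceRanges: []
    #   # externalIPs: []
    #   # ipFamilies: [ "IPv4","IPv6" ]

  ## Create HorizontalPodAutoscaler object.
  ##
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 10
    metrics:
      - type: Resource
        resource:
          name: cpu
          target:
            type: Utilization
            averageUtilization: 60
      - type: Resource
        resource:
          name: memory
          target:
            type: Utilization
            averageUtilization: 60
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
          - type: Pods
            value: 1
            periodSeconds: 60

  # Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  # It can be used to store TLS certificates, see `storage` in certResolvers
  persistence:
    enabled: false
    name: data
    # existingClaim: ""
    accessMode: ReadWriteOnce
    size: 128Mi
    # storageClass: ""
    # volumeName: ""
    path: /data
    annotations: {}
    # subPath: "" # only mount a subpath of the Volume into the pod

  certResolvers: {}
  # letsencrypt:
  #   # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
  #   email: email@example.com
  #   dnsChallenge:
  #     # also add the provider's required configuration under env
  #     # or expand them from secrets/configmaps with envfrom
  #     # cf. https://doc.traefik.io/traefik/https/acme/#providers
  #     # NOTE(review): DNS provider API tokens belong in a Secret referenced
  #     # from `env`/`envFrom`, never in this file.
  #     provider: digitalocean
  #     # add further options for the dns challenge as needed
  #     # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
  #     delayBeforeCheck: 30
  #     resolvers:
  #       - 1.1.1.1
  #       - 8.8.8.8
  #   tlsChallenge: true
  #   httpChallenge:
  #     entryPoint: "web"
  #   # It has to match the path with a persistent volume
  #   # acme.json holds the account key and all private keys; keep it mode
  #   # 600 and owned by the Traefik UID (see the volume-permissions example).
  #   storage: /data/acme.json

  # If hostNetwork is true, runs traefik in the host network namespace
  # To prevent unschedulable pods due to port collisions, if hostNetwork=true
  # and replicas>1, a pod anti-affinity is recommended and will be set if the
  # affinity is left as default.
  # NOTE(review): hostNetwork also gives the pod access to node-local
  # services (e.g. link-local metadata endpoints) and is rejected by the
  # "restricted" Pod Security Standard; keep it false unless required.
  hostNetwork: false

  # Whether Role Based Access Control objects like roles and rolebindings should be created
  rbac:
    enabled: true
    # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
    # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
    # NOTE(review): `false` grants Traefik cluster-wide read access to
    # Services, Endpoints, Secrets (TLS), Ingresses and the Traefik CRDs.
    # If Traefik only serves one namespace, set `namespaced: true` to shrink
    # the blast radius of a compromised Traefik pod.
    namespaced: false
    # Enable user-facing roles
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
    # aggregateTo: [ "admin" ]

  # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
  # NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; use Pod
  # Security Admission (namespace labels) or an admission controller instead.
  podSecurityPolicy:
    enabled: false

  # The service account the pods will use to interact with the Kubernetes API
  serviceAccount:
    # If set, an existing service account is used
    # If not set, a service account is created automatically using the fullname template
    name: ""

  # Additional serviceAccount annotations (e.g. for oidc authentication)
  serviceAccountAnnotations: {}

  # NOTE(review): no requests/limits means a traffic spike or a slowloris-style
  # client can let Traefik consume the node; set at least memory limits and
  # CPU requests in production.
  resources: {}
  # requests:
  #   cpu: "100m"
  #   memory: "50Mi"
  # limits:
  #   cpu: "300m"
  #   memory: "150Mi"

  # This example pod anti-affinity forces the scheduler to put traefik pods
  # on nodes where no other traefik pods are scheduled.
  # It should be used when hostNetwork: true to prevent port conflicts
  affinity: {}
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     - labelSelector:
  #         matchLabels:
  #           app.kubernetes.io/name: '{{ template "traefik.name" . }}'
  #           app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
  #       topologyKey: kubernetes.io/hostname

  nodeSelector: {}
  tolerations: []
  topologySpreadConstraints: []
  # # This example topologySpreadConstraints forces the scheduler to put traefik pods
  # # on nodes where no other traefik pods are scheduled.
  # - labelSelector:
  #     matchLabels:
  #       app: '{{ template "traefik.name" . }}'
  #   maxSkew: 1
  #   topologyKey: kubernetes.io/hostname
  #   whenUnsatisfiable: DoNotSchedule

  # Pods can have priority.
  # Priority indicates the importance of a Pod relative to other Pods.
  priorityClassName: ""

  # Set the container security context
  # To run the container with ports below 1024 this will need to be adjusted to run as root
  # (prefer keeping the container ports above 1024, as configured under
  # `ports`, and letting the Service map 80/443 to them).
  securityContext:
    capabilities:
      drop: [ALL]
    readOnlyRootFilesystem: true
    # Added in review: together with `drop: [ALL]` and `runAsNonRoot` these
    # satisfy the "restricted" Pod Security Standard and have no functional
    # effect on Traefik, which needs neither setuid binaries nor extra syscalls.
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault

  podSecurityContext:
    # # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and
    # # permissions for the contents of each volume to match the fsGroup. This can
    # # be an issue when storing sensitive content like TLS Certificates /!\
    # fsGroup: 65532
    fsGroupChangePolicy: "OnRootMismatch"
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532

  #
  # Extra objects to deploy (value evaluated as a template)
  #
  # In some cases, it can avoid the need for additional, extended or adhoc deployments.
  # See #595 for more details and traefik/tests/values/extra.yaml for example.
  # NOTE(review): anything placed here is rendered as a template and applied
  # with the release's privileges; review additions as carefully as the chart
  # itself.
  extraObjects: []

  # This will override the default Release Namespace for Helm.
  # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
  # namespaceOverride: traefik
  #
  ## This will override the default app.kubernetes.io/instance label for all Objects.
  # instanceLabelOverride: traefik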