Files

 5d97a2e

/

values.yaml

Blame

Blame

Latest commit

 

History

History

463 lines (428 loc) · 14.4 KB

 5d97a2e

/

values.yaml

Top

File metadata and controls

• Code
• Blame

463 lines (428 loc) · 14.4 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

# Default values for Traefik

image:

name: traefik

# defaults to appVersion

tag: ""

pullPolicy: IfNotPresent

#

# Configure the deployment

#

deployment:

enabled: true

# Can be either Deployment or DaemonSet

kind: Deployment

# Number of pods of the deployment (only applies when kind == Deployment)

replicas: 1

# Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down

terminationGracePeriodSeconds: 60

# The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available

minReadySeconds: 0

# Additional deployment annotations (e.g. for jaeger-operator sidecar injection)

annotations: {}

# Additional deployment labels (e.g. for filtering deployment by custom labels)

labels: {}

# Additional pod annotations (e.g. for mesh injection or prometheus scraping)

podAnnotations: {}

# Additional Pod labels (e.g. for filtering Pod by custom labels)

podLabels: {}

# Additional containers (e.g. for metric offloading sidecars)

additionalContainers: []

# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host

# - name: socat-proxy

# image: alpine/socat:1.0.5

# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]

# volumeMounts:

# - name: dsdsocket

# mountPath: /socket

# Additional volumes available for use with initContainers and additionalContainers

additionalVolumes: []

# - name: dsdsocket

# hostPath:

# path: /var/run/statsd-exporter

# Additional initContainers (e.g. for setting file permission as shown below)

initContainers: []

# The "volume-permissions" init container is required if you run into permission issues.

# Related issue: https://github.com/traefik/traefik/issues/6972

# - name: volume-permissions

# image: busybox:1.31.1

# command: ["sh", "-c", "chmod -Rv 600 /data/*"]

# volumeMounts:

# - name: data

# mountPath: /data

# Custom pod DNS policy. Apply if `hostNetwork: true`

# dnsPolicy: ClusterFirstWithHostNet

# Additional imagePullSecrets

imagePullSecrets: []

# - name: myRegistryKeySecretName

# Pod disruption budget

podDisruptionBudget:

enabled: false

# maxUnavailable: 1

# maxUnavailable: 33%

# minAvailable: 0

# minAvailable: 25%

# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x

ingressClass:

# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12

enabled: false

isDefaultClass: false

# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"

fallbackApiVersion: ""

# Activate Pilot integration

pilot:

enabled: false

token: ""

# Toggle Pilot Dashboard

# dashboard: false

# Enable experimental features

experimental:

plugins:

enabled: false

kubernetesGateway:

enabled: false

appLabelSelector: "traefik"

certificates: []

# - group: "core"

# kind: "Secret"

# name: "mysecret"

# By default, Gateway would be created to the Namespace you are deploying Traefik to.

# You may create that Gateway in another namespace, setting its name below:

# namespace: default

# Create an IngressRoute for the dashboard

ingressRoute:

dashboard:

enabled: true

# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)

annotations: {}

# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)

labels: {}

rollingUpdate:

maxUnavailable: 1

maxSurge: 1

#

# Configure providers

#

providers:

kubernetesCRD:

enabled: true

allowCrossNamespace: false

allowExternalNameServices: false

# ingressClass: traefik-internal

# labelSelector: environment=production,method=traefik

namespaces: []

# - "default"

kubernetesIngress:

enabled: true

allowExternalNameServices: false

# labelSelector: environment=production,method=traefik

namespaces: []

# - "default"

# IP used for Kubernetes Ingress endpoints

publishedService:

enabled: false

# Published Kubernetes Service to copy status from. Format: namespace/servicename

# By default this Traefik service

# pathOverride: ""

#

# Add volumes to the traefik pod. The volume name will be passed to tpl.

# This can be used to mount a cert pair or a configmap that holds a config.toml file.

# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:

# additionalArguments:

# - "--providers.file.filename=/config/dynamic.toml"

# - "--ping"

# - "--ping.entrypoint=web"

volumes: []

# - name: public-cert

# mountPath: "/certs"

# type: secret

# - name: '{{ printf "%s-configs" .Release.Name }}'

# mountPath: "/config"

# type: configMap

# Additional volumeMounts to add to the Traefik container

additionalVolumeMounts: []

# For instance when using a logshipper for access logs

# - name: traefik-logs

# mountPath: /var/log/traefik

# Logs

# https://docs.traefik.io/observability/logs/

logs:

# Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).

general:

# By default, the logs use a text format (common), but you can

# also ask for the json format in the format option

# format: json

# By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.

level: ERROR

access:

# To enable access logs

enabled: false

# By default, logs are written using the Common Log Format (CLF).

# To write logs in JSON, use json in the format option.

# If the given format is unsupported, the default (CLF) is used instead.

# format: json

# To write the logs in an asynchronous fashion, specify a bufferingSize option.

# This option represents the number of log lines Traefik will keep in memory before writing

# them to the selected output. In some cases, this option can greatly help performances.

# bufferingSize: 100

# Filtering https://docs.traefik.io/observability/access-logs/#filtering

filters: {}

# statuscodes: "200,300-302"

# retryattempts: true

# minduration: 10ms

# Fields

# https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers

fields:

general:

defaultmode: keep

names: {}

# Examples:

# ClientUsername: drop

headers:

defaultmode: drop

names: {}

# Examples:

# User-Agent: redact

# Authorization: drop

# Content-Type: keep

metrics:

# datadog:

# address: 127.0.0.1:8125

# influxdb:

# address: localhost:8089

# protocol: udp

prometheus:

entryPoint: metrics

# statsd:

# address: localhost:8125

globalArguments:

- "--global.checknewversion"

- "--global.sendanonymoususage"

#

# Configure Traefik static configuration

# Additional arguments to be passed at Traefik's binary

# All available options available on https://docs.traefik.io/reference/static-configuration/cli/

## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`

additionalArguments: []

# - "--providers.kubernetesingress.ingressclass=traefik-internal"

# - "--log.level=DEBUG"

# Environment variables to be passed to Traefik's binary

env: []

# - name: SOME_VAR

# value: some-var-value

# - name: SOME_VAR_FROM_CONFIG_MAP

# valueFrom:

# configMapRef:

# name: configmap-name

# key: config-key

# - name: SOME_SECRET

# valueFrom:

# secretKeyRef:

# name: secret-name

# key: secret-key

envFrom: []

# - configMapRef:

# name: config-map-name

# - secretRef:

# name: secret-name

# Configure ports

ports:

# The name of this one can't be changed as it is used for the readiness and

# liveness probes, but you can adjust its config to your liking

traefik:

port: 9000

# Use hostPort if set.

# hostPort: 9000

#

# Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which

# means it's listening on all your interfaces and all your IPs. You may want

# to set this value if you need traefik to listen on specific interface

# only.

# hostIP: 192.168.100.10

# Override the liveness/readiness port. This is useful to integrate traefik

# with an external Load Balancer that performs healthchecks.

# healthchecksPort: 9000

# Defines whether the port is exposed if service.type is LoadBalancer or

# NodePort.

#

# You SHOULD NOT expose the traefik port on production deployments.

# If you want to access it from outside of your cluster,

# use `kubectl port-forward` or create a secure ingress

expose: false

# The exposed port for this service

exposedPort: 9000

# The port protocol (TCP/UDP)

protocol: TCP

web:

port: 8000

# hostPort: 8000

expose: true

exposedPort: 80

# The port protocol (TCP/UDP)

protocol: TCP

# Use nodeport if set. This is useful if you have configured Traefik in a

# LoadBalancer

# nodePort: 32080

# Port Redirections

# Added in 2.2, you can make permanent redirects via entrypoints.

# https://docs.traefik.io/routing/entrypoints/#redirection

# redirectTo: websecure

websecure:

port: 8443

# hostPort: 8443

expose: true

exposedPort: 443

# The port protocol (TCP/UDP)

protocol: TCP

# nodePort: 32443

# Set TLS at the entrypoint

# https://doc.traefik.io/traefik/routing/entrypoints/#tls

tls:

enabled: false

# this is the name of a TLSOption definition

options: ""

certResolver: ""

domains: []

# - main: example.com

# sans:

# - foo.example.com

# - bar.example.com

metrics:

port: 9100

# hostPort: 9100

# Defines whether the port is exposed if service.type is LoadBalancer or

# NodePort.

#

# You may not want to expose the metrics port on production deployments.

# If you want to access it from outside of your cluster,

# use `kubectl port-forward` or create a secure ingress

expose: false

# The exposed port for this service

exposedPort: 9100

# The port protocol (TCP/UDP)

protocol: TCP

# TLS Options are created as TLSOption CRDs

# https://doc.traefik.io/traefik/https/tls/#tls-options

# Example:

# tlsOptions:

# default:

# sniStrict: true

# preferServerCipherSuites: true

# foobar:

# curvePreferences:

# - CurveP521

# - CurveP384

tlsOptions: {}

# Options for the main traefik service, where the entrypoints traffic comes

# from.

service:

enabled: true

type: LoadBalancer

# Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)

annotations: {}

# Additional annotations for TCP service only

annotationsTCP: {}

# Additional annotations for UDP service only

annotationsUDP: {}

# Additional service labels (e.g. for filtering Service by custom labels)

labels: {}

# Additional entries here will be added to the service spec.

# Cannot contain type, selector or ports entries.

spec: {}

# externalTrafficPolicy: Cluster

# loadBalancerIP: "1.2.3.4"

# clusterIP: "2.3.4.5"

loadBalancerSourceRanges: []

# - 192.168.0.1/32

# - 172.16.0.0/16

externalIPs: []

# - 1.2.3.4

# One of SingleStack, PreferDualStack, or RequireDualStack.

# ipFamilyPolicy: SingleStack

## Create HorizontalPodAutoscaler object.

##

autoscaling:

enabled: false

# minReplicas: 1

# maxReplicas: 10

# metrics:

# - type: Resource

# resource:

# name: cpu

# targetAverageUtilization: 60

# - type: Resource

# resource:

# name: memory

# targetAverageUtilization: 60

# Enable persistence using Persistent Volume Claims

# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/

# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:

# additionalArguments:

# - "--certificatesresolvers.le.acme.storage=/data/acme.json"

# It will persist TLS certificates.

persistence:

enabled: false

name: data

# existingClaim: ""

accessMode: ReadWriteOnce

size: 128Mi

# storageClass: ""

path: /data

annotations: {}

# subPath: "" # only mount a subpath of the Volume into the pod

# If hostNetwork is true, runs traefik in the host network namespace

# To prevent unschedulabel pods due to port collisions, if hostNetwork=true

# and replicas>1, a pod anti-affinity is recommended and will be set if the

# affinity is left as default.

hostNetwork: false

# Whether Role Based Access Control objects like roles and rolebindings should be created

rbac:

enabled: true

# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.

# If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace

namespaced: false

# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding

podSecurityPolicy:

enabled: false

# The service account the pods will use to interact with the Kubernetes API

serviceAccount:

# If set, an existing service account is used

# If not set, a service account is created automatically using the fullname template

name: ""

# Additional serviceAccount annotations (e.g. for oidc authentication)

serviceAccountAnnotations: {}

resources: {}

# requests:

# cpu: "100m"

# memory: "50Mi"

# limits:

# cpu: "300m"

# memory: "150Mi"

affinity: {}

# # This example pod anti-affinity forces the scheduler to put traefik pods

# # on nodes where no other traefik pods are scheduled.

# # It should be used when hostNetwork: true to prevent port conflicts

# podAntiAffinity:

# requiredDuringSchedulingIgnoredDuringExecution:

# - labelSelector:

# matchExpressions:

# - key: app

# operator: In

# values:

# - {{ template "traefik.name" . }}

# topologyKey: failure-domain.beta.kubernetes.io/zone

nodeSelector: {}

tolerations: []

# Pods can have priority.

# Priority indicates the importance of a Pod relative to other Pods.

priorityClassName: ""

# Set the container security context

# To run the container with ports below 1024 this will need to be adjust to run as root

securityContext:

capabilities:

drop: [ALL]

readOnlyRootFilesystem: true

runAsGroup: 65532

runAsNonRoot: true

runAsUser: 65532

podSecurityContext:

fsGroup: 65532