plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Integrating traefik

Browse Source
This commit is contained in:
plm 2024-11-28 11:09:51 +01:00
parent 086161d0ad
commit e86898eb44
69 changed files with 32483 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -0,0 +1,33 @@
This package defines an Helm chart for kubernetes based opencloud services deployment.
It can be used to fully deploy opencloud in a development/lighweight kubernetes deployment, for quick testing
or to ease opencloud dependencies (dex, mongo, mongo-express, ...) deployment.
Kind (https://kind.sigs.k8s.io/) is used here as a lightweight kubernetes deployment. Obviously, any kubenetes compliant
environment is a legitimate target.
HOW TO:
1. Install kind
Follow instructions here https://kind.sigs.k8s.io/
2. Install helm
Download suitable helm client here https://helm.sh/docs/intro/install/
3. Fire up a kind cluster
Execute following script
```
create_kind_cluster.sh
```
It will create a *opencloud* docker container running kubernetes services.
4. Deploy the opencloud chart
```
install_development.sh
```

30
create_kind_cluster.sh Executable file
View File

@ -0,0 +1,30 @@
cat <<EOF | kind create cluster --name opencloud --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 30950
hostPort: 80
protocol: TCP
- containerPort: 30951
hostPort: 443
protocol: TCP
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."locahost:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000".tls]
insecure_skip_verify = true
cert_file = ""
key_file = ""
ca_file = ""
EOF

5
install_development.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
RELEASE_NAME=dev
RELEASE_NAMESPACE=dev
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml

23
opencloud/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
opencloud/Chart.lock Normal file
View File

@ -0,0 +1,9 @@
dependencies:
- name: openldap
repository: https://jp-gouin.github.io/helm-openldap/
version: 2.0.4
- name: traefik
repository: https://helm.traefik.io/traefik
version: 33.0.0
digest: sha256:5562ae89207a555f8f4afaf100b255083c27c8f98b990345a4523bd283c7a4c7
generated: "2024-11-28T10:18:30.724260729+01:00"

17
opencloud/Chart.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v2
name: opencloud
description: Helm chart for opencloud services deployment
type: application
version: 0.0.1
appVersion: "0.0.1"
# TODO: ldap, mongo, mongo-express, nats, ory hydra, keto, traefik
dependencies:
- name: openldap
version: "2.0.4"
repository: "https://jp-gouin.github.io/helm-openldap/"
condition: openldap.enabled
- name: traefik
version: "33.0.0"
repository: "https://helm.traefik.io/traefik"
condition: traefik.enabled

2
opencloud/charts/traefik/.helmignore Normal file
View File

@ -0,0 +1,2 @@
tests/
crds/kustomization.yaml

10505
opencloud/charts/traefik/Changelog.md Normal file
View File

File diff suppressed because it is too large Load Diff

39
opencloud/charts/traefik/Chart.yaml Normal file
View File

@ -0,0 +1,39 @@
annotations:
artifacthub.io/changes: "- \"fix: \U0001F41B http3 with internal service\"\n- \"fix:
use correct children indentation for logs.access.filters\"\n- \"fix(schema): :bug:
targetPort can also be a string\"\n- \"fix(certificateResolvers)!: :boom: :bug:
use same syntax in Chart and in Traefik\"\n- \"fix(Traefik)!: :boom: set 8080
as default port for `traefik` entrypoint\"\n- \"fix(Traefik Hub): RBAC for distributedAcme\"\n-
\"fix(Kubernetes Ingress)!: :boom: :sparkles: enable publishedService by default\"\n-
\"fix(Gateway API): :bug: add missing required RBAC for v3.2 with experimental
Channel\"\n- \"fix(Env Variables)!: allow extending env without overwrite\"\n-
\"feat(deps): update traefik docker tag to v3.2.0\"\n- \"feat(deps): update traefik
docker tag to v3.1.6\"\n- \"feat(Traefik): ✨ support Gateway API statusAddress\"\n-
\"feat(Traefik Proxy): CRDs for v3.2+\"\n- \"feat(Gateway API): :sparkles: standard
install CRD v1.2.0\"\n- \"feat(Gateway API): :sparkles: add infrastructure in
the values\"\n- \"chore: allow TRACE log level\"\n- \"chore(release): \U0001F680
publish v33.0.0\"\n- \"Update topology spread constraints comments\"\n"
apiVersion: v2
appVersion: v3.2.0
description: A Traefik based Kubernetes ingress controller
home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
keywords:
- traefik
- ingress
- networking
kubeVersion: '>=1.22.0-0'
maintainers:
- email: michel.loiseleur@traefik.io
name: mloiseleur
- email: charlie.haley@traefik.io
name: charlie-haley
- email: remi.buisson@traefik.io
name: darkweaver87
- name: jnoordsij
name: traefik
sources:
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart
type: application
version: 33.0.0

1014
opencloud/charts/traefik/EXAMPLES.md Normal file
View File

File diff suppressed because it is too large Load Diff

34
opencloud/charts/traefik/Guidelines.md Normal file
View File

@ -0,0 +1,34 @@
# Traefik Helm Chart Guidelines
This document outlines the guidelines for developing, managing and extending the Traefik helm chart.
This Helm Chart is documented using field description from comments with [helm-docs](https://github.com/norwoodj/helm-docs).
It comes with a JSON schema generated from values with [helm schema](https://github.com/losisin/helm-values-schema-json) plugin.
## Feature Example
```yaml
logs:
general:
# -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
```
Documention is on the first comment, starting with `# --`
Specific instructions for schema, when needed, are done with the inline comment starting with `# @schema`.
## Whitespace
Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace:
```yaml
{{- if .Values }}
{{- end }}
```
There should be an empty commented line between each primary key in the values.yaml file to separate features from each other.
## Values YAML Design
The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names to not have to correspond to fields in the template if it is not conducive.

202
opencloud/charts/traefik/LICENSE Normal file
View File

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2020 Containous
Copyright 2020 Traefik Labs
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

158
opencloud/charts/traefik/README.md Normal file
View File

@ -0,0 +1,158 @@
# Traefik
[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy
microservices with ease.
## Introduction
Starting with v28.x, this chart now bootstraps Traefik Proxy version 3 as a Kubernetes ingress controller,
using Custom Resources `IngressRoute`: <https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/>.
It's possible to use this chart with Traefik Proxy v2 using v27.x
This chart support policy is aligned with [upstream support policy](https://doc.traefik.io/traefik/deprecation/releases/) of Traefik Proxy.
See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs.
### Philosophy
The Traefik HelmChart is focused on Traefik deployment configuration.
To keep this HelmChart as generic as possible we tend
to avoid integrating any third party solutions nor any specific use cases.
Accordingly, the encouraged approach to fulfill your needs:
1. Override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/))
2. Append your own configurations (`kubectl apply -f myconf.yaml`)
[Examples](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md) of common usage are provided.
If needed, one may use [extraObjects](./traefik/tests/values/extra.yaml) or extend this HelmChart [as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/).
## Installing
### Prerequisites
1. [x] Helm **v3 > 3.9.0** [installed](https://helm.sh/docs/using_helm/#installing-helm): `helm version`
2. [x] Traefik's chart repository: `helm repo add traefik https://traefik.github.io/charts`
### Kubernetes Version Support
Due to changes in CRD version support, the following versions of the chart are usable and supported on the following Kubernetes versions:
| | Kubernetes v1.15 and below | Kubernetes v1.16-v1.21 | Kubernetes v1.22 and above |
|-------------------------|-----------------------------|------------------------|----------------------------|
| Chart v9.20.2 and below | [x] | [x] | |
| Chart v10.0.0 and above | | [x] | [x] |
| Chart v22.0.0 and above | | | [x] |
### CRDs Support of Traefik Proxy
Due to changes in API Group of Traefik CRDs from `containo.us` to `traefik.io`, this Chart install CRDs needed by default Traefik Proxy version, following this table:
| | `containo.us` | `traefik.io` |
|-------------------------|-----------------------------|------------------------|
| Chart v22.0.0 and below | [x] | |
| Chart v23.0.0 and above | [x] | [x] |
| Chart v28.0.0 and above | | [x] |
### Deploying Traefik
```bash
helm install traefik traefik/traefik
```
or:
```bash
helm install traefik oci://ghcr.io/traefik/helm/traefik
```
You can customize the install with a `values` file. There are some [EXAMPLES](./EXAMPLES.md) provided.
Complete documentation on all available parameters is in the [default file](./traefik/values.yaml).
```bash
helm install -f myvalues.yaml traefik traefik/traefik
```
🛂 **Warning**: Helm v2 support was removed in the chart version 10.0.0.
## Upgrading
One can check what has changed in the [Changelog](./traefik/Changelog.md).
:information_source: With Helm v3, CRDs created by this chart can not be updated, cf. the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
:warning: Please read carefully release notes of this chart before upgrading CRDs.
```bash
# Update repository
helm repo update
# See current Chart & Traefik version
helm search repo traefik/traefik
# Update CRDs (Traefik Proxy v3 CRDs)
kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/
# Upgrade Traefik
helm upgrade traefik traefik/traefik
```
New major version indicates that there is an incompatible breaking change.
#### Upgrade up to 27.X
When upgrading on Traefik Proxy v2 version, one need to stay at Traefik Helm Chart v27.x. The command to upgrade to the latest Traefik Proxy v2 CRD is:
```bash
kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/?ref=v27
```
### Upgrading after 18.X+
It's detailed in [release notes](https://github.com/traefik/traefik-helm-chart/releases).
### Upgrading from 17.x to 18.x
Since v18.x, this chart by default merges TCP and UDP ports into a single (LoadBalancer) `Service`.
Load balancers with mixed protocols are available since v1.20 and in
[beta as of Kubernetes v1.24](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types).
Availability may depend on your Kubernetes provider.
To retain the old default behavior, set `service.single` to `false` in your values.
When using TCP and UDP with a single service, you may encounter
[this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741)
from Kubernetes.
On HTTP/3, if you want to avoid this issue, you can set
`ports.websecure.http3.advertisedPort` to an other value than `443`
If you were previously using HTTP/3, you should update your values as follows:
- Replace the old value (`true`) of `ports.websecure.http3` with a key `enabled: true`
- Remove `experimental.http3.enabled=true` entry
### Upgrading from 16.x to 17.x
Since v17.x, this chart provides unified labels following
[Kubernetes recommendation](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
This version needs to change an immutable field, which is not supported by
Kubernetes and Helm, see [this issue](https://github.com/helm/helm/issues/7350)
for more details.
So you will have to delete your `Service`, `Deployment` or `DaemonSet` in
order to be able to upgrade.
You may also upgrade by deploying another Traefik to a different namespace and
removing after your first Traefik.
Alternatively, since version 20.3.0 of this chart, you may set `instanceLabelOverride` to the previous value of that label.
This will override the new `Release.Name-Release.Namespace` pattern to avoid any (longer) downtime.
## Contributing
If you want to contribute to this chart, please read the [Contributing Guide](./CONTRIBUTING.md).
Thanks to all the people who have already contributed!
<a href="https://github.com/traefik/traefik-helm-chart/graphs/contributors">
<img src="https://contributors-img.web.app/image?repo=traefik/traefik-helm-chart" />
</a>

321
opencloud/charts/traefik/VALUES.md Normal file
View File

@ -0,0 +1,321 @@
# traefik
![Version: 33.0.0](https://img.shields.io/badge/Version-33.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.2.0](https://img.shields.io/badge/AppVersion-v3.2.0-informational?style=flat-square)
A Traefik based Kubernetes ingress controller
**Homepage:** <https://traefik.io/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| mloiseleur | <michel.loiseleur@traefik.io> | |
| charlie-haley | <charlie.haley@traefik.io> | |
| darkweaver87 | <remi.buisson@traefik.io> | |
| jnoordsij | | |
## Source Code
* <https://github.com/traefik/traefik>
* <https://github.com/traefik/traefik-helm-chart>
## Requirements
Kubernetes: `>=1.22.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` |
| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
| certificatesResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
| commonLabels | object | `{}` | Add additional label to all resources |
| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers |
| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) |
| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) |
| deployment.dnsPolicy | string | `""` | Custom pod DNS policy. Apply if `hostNetwork: true` |
| deployment.enabled | bool | `true` | Enable deployment |
| deployment.healthchecksHost | string | `""` | |
| deployment.healthchecksPort | string | `nil` | |
| deployment.healthchecksScheme | string | `nil` | |
| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) |
| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image |
| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) |
| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet |
| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) |
| deployment.lifecycle | object | `{}` | Pod lifecycle actions |
| deployment.livenessPath | string | `""` | Override the liveness path. Default: /ping |
| deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available |
| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' |
| deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) |
| deployment.readinessPath | string | `""` | |
| deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) |
| deployment.revisionHistoryLimit | string | `nil` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) |
| deployment.runtimeClassName | string | `""` | Set a runtimeClassName on pod |
| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down |
| env | list | See _values.yaml_ | Additional Environment variables to be passed to Traefik's binary |
| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
| experimental.plugins | object | `{}` | Enable traefik experimental plugins |
| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
| gateway.annotations | object | `{}` | Additional gateway annotations (e.g. for cert-manager.io/issuer) |
| gateway.enabled | bool | `true` | When providers.kubernetesGateway.enabled, deploy a default gateway |
| gateway.infrastructure | object | `{}` | [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels) |
| gateway.listeners | object | `{"web":{"hostname":"","namespacePolicy":null,"port":8000,"protocol":"HTTP"}}` | Define listeners |
| gateway.listeners.web.hostname | string | `""` | Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) |
| gateway.listeners.web.namespacePolicy | string | `nil` | Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces |
| gateway.listeners.web.port | int | `8000` | Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section. |
| gateway.name | string | `""` | Set a custom name to gateway |
| gateway.namespace | string | `""` | By default, Gateway is created in the same `Namespace` than Traefik. |
| gatewayClass.enabled | bool | `true` | When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass |
| gatewayClass.labels | object | `{}` | Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) |
| gatewayClass.name | string | `""` | Set a custom name to GatewayClass |
| globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods |
| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. |
| hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
| hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". |
| hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. |
| hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. |
| hub.redis.database | string | `nil` | Database used to store information. Default: "0". |
| hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". |
| hub.redis.password | string | `""` | The password to use when connecting to Redis endpoints. Default: "". |
| hub.redis.sentinel.masterset | string | `""` | Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". |
| hub.redis.sentinel.password | string | `""` | Password to use for sentinel authentication (can be different from endpoint password). Default: "". |
| hub.redis.sentinel.username | string | `""` | Username to use for sentinel authentication (can be different from endpoint username). Default: "". |
| hub.redis.timeout | string | `""` | Timeout applied on connection with redis. Default: "0s". |
| hub.redis.tls.ca | string | `""` | Path to the certificate authority used for the secured connection. |
| hub.redis.tls.cert | string | `""` | Path to the public certificate used for the secure connection. |
| hub.redis.tls.insecureSkipVerify | bool | `false` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. |
| hub.redis.tls.key | string | `""` | Path to the private key used for the secure connection. |
| hub.redis.username | string | `""` | The username to use when connecting to Redis endpoints. Default: "". |
| hub.sendlogs | string | `nil` | |
| hub.token | string | `""` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. |
| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy |
| image.registry | string | `"docker.io"` | Traefik image host registry |
| image.repository | string | `"traefik"` | Traefik image repository |
| image.tag | string | `nil` | defaults to appVersion |
| ingressClass | object | `{"enabled":true,"isDefaultClass":true,"name":""}` | Create a default IngressClass for Traefik |
| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
| ingressRoute.dashboard.enabled | bool | `false` | Create an IngressRoute for the dashboard |
| ingressRoute.dashboard.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\ |
| ingressRoute.dashboard.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
| ingressRoute.dashboard.matchRule | string | `"PathPrefix(`/dashboard`) || PathPrefix(`/api`)"` | The router match rule used for the dashboard ingressRoute |
| ingressRoute.dashboard.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
| ingressRoute.dashboard.services | list | `[{"kind":"TraefikService","name":"api@internal"}]` | The internal service used for the dashboard ingressRoute |
| ingressRoute.dashboard.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
| ingressRoute.healthcheck.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
| ingressRoute.healthcheck.enabled | bool | `false` | Create an IngressRoute for the healthcheck probe |
| ingressRoute.healthcheck.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. |
| ingressRoute.healthcheck.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute |
| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
| ingressRoute.healthcheck.services | list | `[{"kind":"TraefikService","name":"ping@internal"}]` | The internal service used for the healthcheck ingressRoute |
| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
| instanceLabelOverride | string | `""` | |
| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. |
| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| logs.access.addInternals | bool | `false` | Enables accessLogs for internal resources. Default: false. |
| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) |
| logs.access.enabled | bool | `false` | To enable access logs |
| logs.access.fields.general.defaultmode | string | `"keep"` | Set default mode for fields.names |
| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. |
| logs.access.fields.headers | object | `{"defaultmode":"drop","names":{}}` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) |
| logs.access.fields.headers.defaultmode | string | `"drop"` | Set default mode for fields.headers |
| logs.access.filters | object | `{"minduration":"","retryattempts":false,"statuscodes":""}` | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) |
| logs.access.filters.minduration | string | `""` | Set minDuration, to keep access logs when requests take longer than the specified duration |
| logs.access.filters.retryattempts | bool | `false` | Set retryAttempts, to keep the access logs when at least one retry has happened |
| logs.access.filters.statuscodes | string | `""` | Set statusCodes, to limit the access logs to requests with a status codes in the specified range |
| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) |
| logs.general.filePath | string | `""` | To write the logs into a log file, use the filePath option. |
| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) |
| logs.general.level | string | `"INFO"` | Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC. |
| logs.general.noColor | bool | `false` | When set to true and format is common, it disables the colorized output. |
| metrics.addInternals | bool | `false` | |
| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true |
| metrics.otlp.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false |
| metrics.otlp.addServicesLabels | string | `nil` | Enable metrics on services. Default: true |
| metrics.otlp.enabled | bool | `false` | Set to true in order to enable the OpenTelemetry metrics |
| metrics.otlp.explicitBoundaries | list | `[]` | Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] |
| metrics.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
| metrics.otlp.grpc.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
| metrics.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
| metrics.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| metrics.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| metrics.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| metrics.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| metrics.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
| metrics.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
| metrics.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
| metrics.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| metrics.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| metrics.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| metrics.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| metrics.otlp.pushInterval | string | `""` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s |
| metrics.prometheus.addEntryPointsLabels | string | `nil` | |
| metrics.prometheus.addRoutersLabels | string | `nil` | |
| metrics.prometheus.addServicesLabels | string | `nil` | |
| metrics.prometheus.buckets | string | `""` | |
| metrics.prometheus.disableAPICheck | string | `nil` | When set to true, it won't check if Prometheus Operator CRDs are deployed |
| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. |
| metrics.prometheus.manualRouting | bool | `false` | |
| metrics.prometheus.prometheusRule.additionalLabels | object | `{}` | |
| metrics.prometheus.prometheusRule.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
| metrics.prometheus.prometheusRule.namespace | string | `""` | |
| metrics.prometheus.service.annotations | object | `{}` | |
| metrics.prometheus.service.enabled | bool | `false` | Create a dedicated metrics service to use with ServiceMonitor |
| metrics.prometheus.service.labels | object | `{}` | |
| metrics.prometheus.serviceMonitor.additionalLabels | object | `{}` | |
| metrics.prometheus.serviceMonitor.enableHttp2 | bool | `false` | |
| metrics.prometheus.serviceMonitor.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
| metrics.prometheus.serviceMonitor.followRedirects | bool | `false` | |
| metrics.prometheus.serviceMonitor.honorLabels | bool | `false` | |
| metrics.prometheus.serviceMonitor.honorTimestamps | bool | `false` | |
| metrics.prometheus.serviceMonitor.interval | string | `""` | |
| metrics.prometheus.serviceMonitor.jobLabel | string | `""` | |
| metrics.prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| metrics.prometheus.serviceMonitor.namespace | string | `""` | |
| metrics.prometheus.serviceMonitor.namespaceSelector | object | `{}` | |
| metrics.prometheus.serviceMonitor.relabelings | list | `[]` | |
| metrics.prometheus.serviceMonitor.scrapeTimeout | string | `""` | |
| namespaceOverride | string | `""` | This field override the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` |
| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
| persistence.accessMode | string | `"ReadWriteOnce"` | |
| persistence.annotations | object | `{}` | |
| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option |
| persistence.existingClaim | string | `""` | |
| persistence.name | string | `"data"` | |
| persistence.path | string | `"/data"` | |
| persistence.size | string | `"128Mi"` | |
| persistence.storageClass | string | `""` | |
| persistence.subPath | string | `""` | Only mount a subpath of the Volume into the pod |
| persistence.volumeName | string | `""` | |
| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) |
| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) |
| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
| ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations |
| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.traefik.exposedPort | int | `8080` | The exposed port for this service |
| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. |
| ports.traefik.hostPort | string | `nil` | Use hostPort if set. |
| ports.traefik.port | int | `8080` | |
| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.web.expose.default | bool | `true` | |
| ports.web.exposedPort | int | `80` | |
| ports.web.forwardedHeaders.insecure | bool | `false` | |
| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.web.port | int | `8000` | |
| ports.web.protocol | string | `"TCP"` | |
| ports.web.proxyProtocol.insecure | bool | `false` | |
| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.web.redirectTo | object | `{}` | |
| ports.web.targetPort | string | `nil` | |
| ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) |
| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) |
| ports.websecure.containerPort | string | `nil` | |
| ports.websecure.expose.default | bool | `true` | |
| ports.websecure.exposedPort | int | `443` | |
| ports.websecure.forwardedHeaders.insecure | bool | `false` | |
| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.websecure.hostPort | string | `nil` | |
| ports.websecure.http3.advertisedPort | string | `nil` | |
| ports.websecure.http3.enabled | bool | `false` | |
| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd |
| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.websecure.port | int | `8443` | |
| ports.websecure.protocol | string | `"TCP"` | |
| ports.websecure.proxyProtocol.insecure | bool | `false` | |
| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.websecure.targetPort | string | `nil` | |
| ports.websecure.tls | object | `{"certResolver":"","domains":[],"enabled":true,"options":""}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) |
| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) |
| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) |
| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
| providers.file.enabled | bool | `false` | Create a file provider |
| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes |
| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs |
| providers.kubernetesCRD.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
| providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute |
| providers.kubernetesCRD.enabled | bool | `true` | Load Kubernetes IngressRoute provider |
| providers.kubernetesCRD.ingressClass | string | `""` | When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. |
| providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
| providers.kubernetesCRD.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
| providers.kubernetesGateway.enabled | bool | `false` | Enable Traefik Gateway provider for Gateway API |
| providers.kubernetesGateway.experimentalChannel | bool | `false` | Toggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute. |
| providers.kubernetesGateway.labelselector | string | `""` | A label selector can be defined to filter on specific GatewayClass objects only. |
| providers.kubernetesGateway.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
| providers.kubernetesGateway.statusAddress.hostname | string | `""` | This Hostname will get copied to the Gateway status.addresses. |
| providers.kubernetesGateway.statusAddress.ip | string | `""` | This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6). |
| providers.kubernetesGateway.statusAddress.service | object | `{"name":"{{ (include \"traefik.fullname\" .) }}","namespace":"{{ .Release.Namespace }}"}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
| providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
| providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
| providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |
| providers.kubernetesIngress.ingressClass | string | `nil` | When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. |
| providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
| providers.kubernetesIngress.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
| providers.kubernetesIngress.publishedService.enabled | bool | `true` | Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice) |
| providers.kubernetesIngress.publishedService.pathOverride | string | `""` | Override path of Kubernetes Service used to copy status from. Format: namespace/servicename. Default to Service deployed with this Chart. |
| rbac | object | `{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}` | Whether Role Based Access Control objects like roles and rolebindings should be created |
| readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. |
| readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. |
| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) |
| service.additionalServices | object | `{}` | |
| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
| service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |
| service.enabled | bool | `true` | |
| service.externalIPs | list | `[]` | |
| service.labels | object | `{}` | Additional service labels (e.g. for filtering Service by custom labels) |
| service.loadBalancerSourceRanges | list | `[]` | |
| service.single | bool | `true` | |
| service.spec | object | `{}` | Cannot contain type, selector or ports entries. |
| service.type | string | `"LoadBalancer"` | |
| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API |
| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) |
| startupProbe | object | `{}` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) |
| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. |
| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. |
| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. |
| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. |
| tracing | object | `{"addInternals":false,"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}}}` | https://doc.traefik.io/traefik/observability/tracing/overview/ |
| tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. |
| tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ |
| tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
| tracing.otlp.grpc.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
| tracing.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
| tracing.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| tracing.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| tracing.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| tracing.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| tracing.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
| tracing.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
| tracing.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
| tracing.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| updateStrategy.rollingUpdate.maxSurge | int | `1` | |
| updateStrategy.rollingUpdate.maxUnavailable | int | `0` | |
| updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy of Deployment or DaemonSet |
| volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

10345
opencloud/charts/traefik/crds/gateway-standard-install-v1.2.0.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

368
opencloud/charts/traefik/crds/hub.traefik.io_accesscontrolpolicies.yaml Normal file
View File

@ -0,0 +1,368 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: accesscontrolpolicies.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: AccessControlPolicy
listKind: AccessControlPolicyList
plural: accesscontrolpolicies
singular: accesscontrolpolicy
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControlPolicy defines an access control policy.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AccessControlPolicySpec configures an access control policy.
properties:
apiKey:
description: AccessControlPolicyAPIKey configure an APIKey control
policy.
properties:
forwardHeaders:
additionalProperties:
type: string
description: ForwardHeaders instructs the middleware to forward
key metadata as header values upon successful authentication.
type: object
keySource:
description: KeySource defines how to extract API keys from requests.
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: |-
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
If set, this scheme is removed from the token, and all requests not including it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
keys:
description: Keys define the set of authorized keys to access
a protected resource.
items:
description: AccessControlPolicyAPIKeyKey defines an API key.
properties:
id:
description: ID is the unique identifier of the key.
type: string
metadata:
additionalProperties:
type: string
description: Metadata holds arbitrary metadata for this
key, can be used by ForwardHeaders.
type: object
value:
description: Value is the SHAKE-256 hash (using 64 bytes)
of the API key.
type: string
required:
- id
- value
type: object
type: array
required:
- keySource
type: object
basicAuth:
description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
configuration.
properties:
forwardUsernameHeader:
type: string
realm:
type: string
stripAuthorizationHeader:
type: boolean
users:
items:
type: string
type: array
type: object
jwt:
description: AccessControlPolicyJWT configures a JWT access control
policy.
properties:
claims:
type: string
forwardHeaders:
additionalProperties:
type: string
type: object
jwksFile:
type: string
jwksUrl:
type: string
publicKey:
type: string
signingSecret:
type: string
signingSecretBase64Encoded:
type: boolean
stripAuthorizationHeader:
type: boolean
tokenQueryKey:
type: string
type: object
oAuthIntro:
description: AccessControlOAuthIntro configures an OAuth 2.0 Token
Introspection access control policy.
properties:
claims:
type: string
clientConfig:
description: AccessControlOAuthIntroClientConfig configures the
OAuth 2.0 client for issuing token introspection requests.
properties:
headers:
additionalProperties:
type: string
description: Headers to set when sending requests to the Authorization
Server.
type: object
maxRetries:
default: 3
description: MaxRetries defines the number of retries for
introspection requests.
type: integer
timeoutSeconds:
default: 5
description: TimeoutSeconds configures the maximum amount
of seconds to wait before giving up on requests.
type: integer
tls:
description: TLS configures TLS communication with the Authorization
Server.
properties:
ca:
description: CA sets the CA bundle used to sign the Authorization
Server certificate.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify skips the Authorization Server certificate validation.
For testing purposes only, do not use in production.
type: boolean
type: object
tokenTypeHint:
description: |-
TokenTypeHint is a hint to pass to the Authorization Server.
See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
type: string
url:
description: URL of the Authorization Server.
type: string
required:
- url
type: object
forwardHeaders:
additionalProperties:
type: string
type: object
tokenSource:
description: |-
TokenSource describes how to extract tokens from HTTP requests.
If multiple sources are set, the order is the following: header > query > cookie.
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: |-
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
If set, this scheme is removed from the token, and all requests not including it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
required:
- clientConfig
- tokenSource
type: object
oidc:
description: AccessControlPolicyOIDC holds the OIDC authentication
configuration.
properties:
authParams:
additionalProperties:
type: string
type: object
claims:
type: string
clientId:
type: string
disableAuthRedirectionPaths:
items:
type: string
type: array
forwardHeaders:
additionalProperties:
type: string
type: object
issuer:
type: string
logoutUrl:
type: string
redirectUrl:
type: string
scopes:
items:
type: string
type: array
secret:
description: |-
SecretReference represents a Secret Reference. It has enough information to retrieve secret
in any namespace
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
session:
description: Session holds session configuration.
properties:
domain:
type: string
path:
type: string
refresh:
type: boolean
sameSite:
type: string
secure:
type: boolean
type: object
stateCookie:
description: StateCookie holds state cookie configuration.
properties:
domain:
type: string
path:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
oidcGoogle:
description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
configuration.
properties:
authParams:
additionalProperties:
type: string
type: object
clientId:
type: string
emails:
description: Emails are the allowed emails to connect.
items:
type: string
minItems: 1
type: array
forwardHeaders:
additionalProperties:
type: string
type: object
logoutUrl:
type: string
redirectUrl:
type: string
secret:
description: |-
SecretReference represents a Secret Reference. It has enough information to retrieve secret
in any namespace
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
session:
description: Session holds session configuration.
properties:
domain:
type: string
path:
type: string
refresh:
type: boolean
sameSite:
type: string
secure:
type: boolean
type: object
stateCookie:
description: StateCookie holds state cookie configuration.
properties:
domain:
type: string
path:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
type: object
status:
description: The current status of this access control policy.
properties:
specHash:
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

188
opencloud/charts/traefik/crds/hub.traefik.io_apiaccesses.yaml Normal file
View File

@ -0,0 +1,188 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apiaccesses.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIAccess
listKind: APIAccessList
plural: apiaccesses
singular: apiaccess
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIAccess defines who can access to a set of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIAccess.
properties:
apiBundles:
description: |-
APIBundles defines a set of APIBundle that will be accessible to the configured audience.
Multiple APIAccesses can select the same APIBundles.
items:
description: APIBundleReference references an APIBundle.
properties:
name:
description: Name of the APIBundle.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apiBundles
rule: self.all(x, self.exists_one(y, x.name == y.name))
apiPlan:
description: APIPlan defines which APIPlan will be used.
properties:
name:
description: Name of the APIPlan.
maxLength: 253
type: string
required:
- name
type: object
apiSelector:
description: |-
APISelector selects the APIs that will be accessible to the configured audience.
Multiple APIAccesses can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be accessible to the configured audience.
Multiple APIAccesses can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
everyone:
description: Everyone indicates that all users will have access to
the selected APIs.
type: boolean
groups:
description: Groups are the consumer groups that will gain access
to the selected APIs.
items:
type: string
type: array
operationFilter:
description: |-
OperationFilter specifies the allowed operations on APIs and APIVersions.
If not set, all operations are available.
An empty OperationFilter prohibits all operations.
properties:
include:
description: Include defines the names of OperationSets that will
be accessible.
items:
type: string
maxItems: 100
type: array
type: object
weight:
description: Weight specifies the evaluation order of the plan.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
type: object
x-kubernetes-validations:
- message: groups and everyone are mutually exclusive
rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
self.groups.size() > 0) : true'
status:
description: The current status of this APIAccess.
properties:
hash:
description: Hash is a hash representing the APIAccess.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

125
opencloud/charts/traefik/crds/hub.traefik.io_apibundles.yaml Normal file
View File

@ -0,0 +1,125 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apibundles.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIBundle
listKind: APIBundleList
plural: apibundles
singular: apibundle
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIBundle defines a set of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIBundle.
properties:
apiSelector:
description: |-
APISelector selects the APIs that will be accessible to the configured audience.
Multiple APIBundles can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be accessible to the configured audience.
Multiple APIBundles can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
type: object
status:
description: The current status of this APIBundle.
properties:
hash:
description: Hash is a hash representing the APIBundle.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

103
opencloud/charts/traefik/crds/hub.traefik.io_apiplans.yaml Normal file
View File

@ -0,0 +1,103 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apiplans.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIPlan
listKind: APIPlanList
plural: apiplans
singular: apiplan
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIPlan defines API Plan policy.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIPlan.
properties:
description:
description: Description describes the plan.
type: string
quota:
description: Quota defines the quota policy.
properties:
limit:
description: Limit is the maximum number of token in the bucket.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: Period is the unit of time for the Limit.
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 9999h
rule: self >= duration('1s') && self <= duration('9999h')
required:
- limit
type: object
rateLimit:
description: RateLimit defines the rate limit policy.
properties:
limit:
description: Limit is the maximum number of token in the bucket.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: Period is the unit of time for the Limit.
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 1h
rule: self >= duration('1s') && self <= duration('1h')
required:
- limit
type: object
title:
description: Title is the human-readable name of the plan.
type: string
required:
- title
type: object
status:
description: The current status of this APIPlan.
properties:
hash:
description: Hash is a hash representing the APIPlan.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

139
opencloud/charts/traefik/crds/hub.traefik.io_apiportals.yaml Normal file
View File

@ -0,0 +1,139 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apiportals.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIPortal
listKind: APIPortalList
plural: apiportals
singular: apiportal
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIPortal defines a developer portal for accessing the documentation
of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIPortal.
properties:
description:
description: Description of the APIPortal.
type: string
title:
description: Title is the public facing name of the APIPortal.
type: string
trustedUrls:
description: TrustedURLs are the urls that are trusted by the OAuth
2.0 authorization server.
items:
type: string
maxItems: 1
minItems: 1
type: array
x-kubernetes-validations:
- message: must be a valid URLs
rule: self.all(x, isURL(x))
ui:
description: UI holds the UI customization options.
properties:
logoUrl:
description: LogoURL is the public URL of the logo.
type: string
type: object
required:
- trustedUrls
type: object
status:
description: The current status of this APIPortal.
properties:
hash:
description: Hash is a hash representing the APIPortal.
type: string
oidc:
description: OIDC is the OIDC configuration for accessing the exposed
APIPortal WebUI.
properties:
clientId:
description: ClientID is the OIDC ClientID for accessing the exposed
APIPortal WebUI.
type: string
companyClaim:
description: CompanyClaim is the name of the JWT claim containing
the user company.
type: string
emailClaim:
description: EmailClaim is the name of the JWT claim containing
the user email.
type: string
firstnameClaim:
description: FirstnameClaim is the name of the JWT claim containing
the user firstname.
type: string
generic:
description: Generic indicates whether or not the APIPortal authentication
relies on Generic OIDC.
type: boolean
groupsClaim:
description: GroupsClaim is the name of the JWT claim containing
the user groups.
type: string
issuer:
description: Issuer is the OIDC issuer for accessing the exposed
APIPortal WebUI.
type: string
lastnameClaim:
description: LastnameClaim is the name of the JWT claim containing
the user lastname.
type: string
scopes:
description: Scopes is the OIDC scopes for getting user attributes
during the authentication to the exposed APIPortal WebUI.
type: string
secretName:
description: SecretName is the name of the secret containing the
OIDC ClientSecret for accessing the exposed APIPortal WebUI.
type: string
syncedAttributes:
description: SyncedAttributes configure the user attributes to
sync.
items:
type: string
type: array
userIdClaim:
description: UserIDClaim is the name of the JWT claim containing
the user ID.
type: string
type: object
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

166
opencloud/charts/traefik/crds/hub.traefik.io_apiratelimits.yaml Normal file
View File

@ -0,0 +1,166 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apiratelimits.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIRateLimit
listKind: APIRateLimitList
plural: apiratelimits
singular: apiratelimit
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIRateLimit defines how group of consumers are rate limited
on a set of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIRateLimit.
properties:
apiSelector:
description: |-
APISelector selects the APIs that will be rate limited.
Multiple APIRateLimits can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be rate limited.
Multiple APIRateLimits can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
everyone:
description: |-
Everyone indicates that all users will, by default, be rate limited with this configuration.
If an APIRateLimit explicitly target a group, the default rate limit will be ignored.
type: boolean
groups:
description: |-
Groups are the consumer groups that will be rate limited.
Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies.
When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies.
items:
type: string
type: array
limit:
description: Limit is the maximum number of token in the bucket.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: Period is the unit of time for the Limit.
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 1h
rule: self >= duration('1s') && self <= duration('1h')
strategy:
description: |-
Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances.
It can be, either "local" or "distributed".
enum:
- local
- distributed
type: string
required:
- limit
type: object
x-kubernetes-validations:
- message: groups and everyone are mutually exclusive
rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
self.groups.size() > 0) : true'
status:
description: The current status of this APIRateLimit.
properties:
hash:
description: Hash is a hash representing the APIRateLimit.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

190
opencloud/charts/traefik/crds/hub.traefik.io_apis.yaml Normal file
View File

@ -0,0 +1,190 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apis.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: API
listKind: APIList
plural: apis
singular: api
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
API defines an HTTP interface that is exposed to external clients. It specifies the supported versions
and provides instructions for accessing its documentation. Once instantiated, an API object is associated
with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: APISpec describes the API.
properties:
openApiSpec:
description: OpenAPISpec defines the API contract as an OpenAPI specification.
properties:
operationSets:
description: OperationSets defines the sets of operations to be
referenced for granular filtering in APIAccesses.
items:
description: |-
OperationSet gives a name to a set of matching OpenAPI operations.
This set of operations can then be referenced for granular filtering in APIAccesses.
properties:
matchers:
description: Matchers defines a list of alternative rules
for matching OpenAPI operations.
items:
description: OperationMatcher defines criteria for matching
an OpenAPI operation.
minProperties: 1
properties:
methods:
description: Methods specifies the HTTP methods to
be included for selection.
items:
type: string
maxItems: 10
type: array
path:
description: Path specifies the exact path of the
operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathPrefix:
description: PathPrefix specifies the path prefix
of the operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathRegex:
description: PathRegex specifies a regular expression
pattern for matching operations based on their paths.
type: string
type: object
x-kubernetes-validations:
- message: path, pathPrefix and pathRegex are mutually
exclusive
rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
x).size() <= 1'
maxItems: 100
minItems: 1
type: array
name:
description: Name is the name of the OperationSet to reference
in APIAccesses.
maxLength: 253
type: string
required:
- matchers
- name
type: object
maxItems: 100
type: array
override:
description: Override holds data used to override OpenAPI specification.
properties:
servers:
items:
properties:
url:
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
required:
- url
type: object
maxItems: 100
minItems: 1
type: array
required:
- servers
type: object
path:
description: |-
Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
url:
description: |-
URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
type: object
x-kubernetes-validations:
- message: path or url must be defined
rule: has(self.path) || has(self.url)
versions:
description: Versions are the different APIVersions available.
items:
description: APIVersionRef references an APIVersion.
properties:
name:
description: Name of the APIVersion.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
minItems: 1
type: array
type: object
status:
description: The current status of this API.
properties:
hash:
description: Hash is a hash representing the API.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true

194
opencloud/charts/traefik/crds/hub.traefik.io_apiversions.yaml Normal file
View File

@ -0,0 +1,194 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: apiversions.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIVersion
listKind: APIVersionList
plural: apiversions
singular: apiversion
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.title
name: Title
type: string
- jsonPath: .spec.release
name: Release
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: APIVersion defines a version of an API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIVersion.
properties:
openApiSpec:
description: OpenAPISpec defines the API contract as an OpenAPI specification.
properties:
operationSets:
description: OperationSets defines the sets of operations to be
referenced for granular filtering in APIAccesses.
items:
description: |-
OperationSet gives a name to a set of matching OpenAPI operations.
This set of operations can then be referenced for granular filtering in APIAccesses.
properties:
matchers:
description: Matchers defines a list of alternative rules
for matching OpenAPI operations.
items:
description: OperationMatcher defines criteria for matching
an OpenAPI operation.
minProperties: 1
properties:
methods:
description: Methods specifies the HTTP methods to
be included for selection.
items:
type: string
maxItems: 10
type: array
path:
description: Path specifies the exact path of the
operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathPrefix:
description: PathPrefix specifies the path prefix
of the operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathRegex:
description: PathRegex specifies a regular expression
pattern for matching operations based on their paths.
type: string
type: object
x-kubernetes-validations:
- message: path, pathPrefix and pathRegex are mutually
exclusive
rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
x).size() <= 1'
maxItems: 100
minItems: 1
type: array
name:
description: Name is the name of the OperationSet to reference
in APIAccesses.
maxLength: 253
type: string
required:
- matchers
- name
type: object
maxItems: 100
type: array
override:
description: Override holds data used to override OpenAPI specification.
properties:
servers:
items:
properties:
url:
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
required:
- url
type: object
maxItems: 100
minItems: 1
type: array
required:
- servers
type: object
path:
description: |-
Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
url:
description: |-
URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
type: object
x-kubernetes-validations:
- message: path or url must be defined
rule: has(self.path) || has(self.url)
release:
description: |-
Release is the version number of the API.
This value must follow the SemVer format: https://semver.org/
maxLength: 100
type: string
x-kubernetes-validations:
- message: must be a valid semver version
rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""")
title:
description: Title is the public facing name of the APIVersion.
type: string
required:
- release
type: object
status:
description: The current status of this APIVersion.
properties:
hash:
description: Hash is a hash representing the APIVersion.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources: {}

366
opencloud/charts/traefik/crds/traefik.io_ingressroutes.yaml Normal file
View File

@ -0,0 +1,366 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressroutes.traefik.io
spec:
group: traefik.io
names:
kind: IngressRoute
listKind: IngressRouteList
plural: ingressroutes
singular: ingressroute
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteSpec defines the desired state of IngressRoute.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
Default: all.
items:
type: string
type: array
routes:
description: Routes defines the list of routes.
items:
description: Route holds the HTTP route configuration.
properties:
kind:
description: |-
Kind defines the kind of the route.
Rule is the only supported kind.
enum:
- Rule
type: string
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
type: string
middlewares:
description: |-
Middlewares defines the list of references to Middleware resources.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
items:
description: MiddlewareRef is a reference to a Middleware
resource.
properties:
name:
description: Name defines the name of the referenced Middleware
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Middleware resource.
type: string
required:
- name
type: object
type: array
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
type: integer
services:
description: |-
Services defines the list of Service.
It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
items:
description: Service defines an upstream HTTP service to proxy
traffic to.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be
sent to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for
the health check endpoint.
type: string
port:
description: Port defines the server URL port for
the health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme
for the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to
the client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as
JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
type: string
secure:
description: Secure defines whether the cookie
can only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
type: string
required:
- kind
- match
type: object
type: array
tls:
description: |-
TLS defines the TLS configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
items:
description: Domain holds a domain name with SANs.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain
names.
items:
type: string
type: array
type: object
type: array
options:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
properties:
name:
description: |-
Name defines the name of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
type: string
required:
- name
type: object
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: |-
Store defines the reference to the TLSStore, that will be used to store certificates.
Please note that only `default` TLSStore can be used.
properties:
name:
description: |-
Name defines the name of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

247
opencloud/charts/traefik/crds/traefik.io_ingressroutetcps.yaml Normal file
View File

@ -0,0 +1,247 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressroutetcps.traefik.io
spec:
group: traefik.io
names:
kind: IngressRouteTCP
listKind: IngressRouteTCPList
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
Default: all.
items:
type: string
type: array
routes:
description: Routes defines the list of routes.
items:
description: RouteTCP holds the TCP route configuration.
properties:
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
type: string
middlewares:
description: Middlewares defines the list of references to MiddlewareTCP
resources.
items:
description: ObjectReference is a generic reference to a Traefik
resource.
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
type: array
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
type: integer
services:
description: Services defines the list of TCP services.
items:
description: ServiceTCP defines an upstream TCP service to
proxy traffic to.
properties:
name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
proxyProtocol:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
properties:
version:
description: Version defines the PROXY Protocol version
to use.
type: integer
type: object
serversTransport:
description: |-
ServersTransport defines the name of ServersTransportTCP resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
terminationDelay:
description: |-
TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
it has closed the writing capability of its connection, to close the reading capability as well,
hence fully terminating the connection.
It is a duration in milliseconds, defaulting to 100.
A negative value means an infinite deadline (i.e. the reading capability is never closed).
Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
type: integer
tls:
description: TLS determines whether to use TLS when dialing
with the backend.
type: boolean
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
type: integer
required:
- name
- port
type: object
type: array
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
type: string
required:
- match
type: object
type: array
tls:
description: |-
TLS defines the TLS configuration on a layer 4 / TCP Route.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
items:
description: Domain holds a domain name with SANs.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain
names.
items:
type: string
type: array
type: object
type: array
options:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
passthrough:
description: Passthrough defines whether a TLS router will terminate
the TLS connection.
type: boolean
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: |-
Store defines the reference to the TLSStore, that will be used to store certificates.
Please note that only `default` TLSStore can be used.
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

111
opencloud/charts/traefik/crds/traefik.io_ingressrouteudps.yaml Normal file
View File

@ -0,0 +1,111 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressrouteudps.traefik.io
spec:
group: traefik.io
names:
kind: IngressRouteUDP
listKind: IngressRouteUDPList
plural: ingressrouteudps
singular: ingressrouteudp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
Default: all.
items:
type: string
type: array
routes:
description: Routes defines the list of routes.
items:
description: RouteUDP holds the UDP route configuration.
properties:
services:
description: Services defines the list of UDP services.
items:
description: ServiceUDP defines an upstream UDP service to
proxy traffic to.
properties:
name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
type: integer
required:
- name
- port
type: object
type: array
type: object
type: array
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

1126
opencloud/charts/traefik/crds/traefik.io_middlewares.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

87
opencloud/charts/traefik/crds/traefik.io_middlewaretcps.yaml Normal file
View File

@ -0,0 +1,87 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: middlewaretcps.traefik.io
spec:
group: traefik.io
names:
kind: MiddlewareTCP
listKind: MiddlewareTCPList
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
properties:
inFlightConn:
description: InFlightConn defines the InFlightConn middleware configuration.
properties:
amount:
description: |-
Amount defines the maximum amount of allowed simultaneous connections.
The middleware closes the connection if there are already amount connections opened.
format: int64
type: integer
type: object
ipAllowList:
description: |-
IPAllowList defines the IPAllowList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: |-
IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
Deprecated: please use IPAllowList instead.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

139
opencloud/charts/traefik/crds/traefik.io_serverstransports.yaml Normal file
View File

@ -0,0 +1,139 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: serverstransports.traefik.io
spec:
group: traefik.io
names:
kind: ServersTransport
listKind: ServersTransportList
plural: serverstransports
singular: serverstransport
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ServersTransport is the CRD implementation of a ServersTransport.
If no serversTransport is specified, the default@internal will be used.
The default@internal serversTransport is created from the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServersTransportSpec defines the desired state of a ServersTransport.
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
disableHTTP2:
description: DisableHTTP2 disables HTTP/2 for connections with backend
servers.
type: boolean
forwardingTimeouts:
description: ForwardingTimeouts defines the timeouts for requests
forwarded to the backend servers.
properties:
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a
connection to a backend server can be established.
x-kubernetes-int-or-string: true
idleConnTimeout:
anyOf:
- type: integer
- type: string
description: IdleConnTimeout is the maximum period for which an
idle HTTP keep-alive connection will remain open before closing
itself.
x-kubernetes-int-or-string: true
pingTimeout:
anyOf:
- type: integer
- type: string
description: PingTimeout is the timeout after which the HTTP/2
connection will be closed if a response to ping is not received.
x-kubernetes-int-or-string: true
readIdleTimeout:
anyOf:
- type: integer
- type: string
description: ReadIdleTimeout is the timeout after which a health
check using ping frame will be carried out if no frame is received
on the HTTP/2 connection.
x-kubernetes-int-or-string: true
responseHeaderTimeout:
anyOf:
- type: integer
- type: string
description: ResponseHeaderTimeout is the amount of time to wait
for a server's response headers after fully writing the request
(including its body, if any).
x-kubernetes-int-or-string: true
type: object
insecureSkipVerify:
description: InsecureSkipVerify disables SSL certificate verification.
type: boolean
maxIdleConnsPerHost:
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
to keep per-host.
type: integer
peerCertURI:
description: PeerCertURI defines the peer cert URI used to match against
SAN URI during the peer certificate verification.
type: string
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to validate
self-signed certificate.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact the
server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust domain.
type: string
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

120
opencloud/charts/traefik/crds/traefik.io_serverstransporttcps.yaml Normal file
View File

@ -0,0 +1,120 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: serverstransporttcps.traefik.io
spec:
group: traefik.io
names:
kind: ServersTransportTCP
listKind: ServersTransportTCPList
plural: serverstransporttcps
singular: serverstransporttcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ServersTransportTCP is the CRD implementation of a TCPServersTransport.
If no tcpServersTransport is specified, a default one named default@internal will be used.
The default@internal tcpServersTransport can be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
properties:
dialKeepAlive:
anyOf:
- type: integer
- type: string
description: DialKeepAlive is the interval between keep-alive probes
for an active network connection. If zero, keep-alive probes are
sent with a default value (currently 15 seconds), if supported by
the protocol and operating system. Network protocols or operating
systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
x-kubernetes-int-or-string: true
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a connection
to a backend server can be established.
x-kubernetes-int-or-string: true
terminationDelay:
anyOf:
- type: integer
- type: string
description: TerminationDelay defines the delay to wait before fully
terminating the connection, after one connected peer has closed
its writing capability.
x-kubernetes-int-or-string: true
tls:
description: TLS defines the TLS configuration
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
insecureSkipVerify:
description: InsecureSkipVerify disables TLS certificate verification.
type: boolean
peerCertURI:
description: |-
MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
type: string
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact
the server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust
domain.
type: string
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

114
opencloud/charts/traefik/crds/traefik.io_tlsoptions.yaml Normal file
View File

@ -0,0 +1,114 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: tlsoptions.traefik.io
spec:
group: traefik.io
names:
kind: TLSOption
listKind: TLSOptionList
plural: tlsoptions
singular: tlsoption
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TLSOptionSpec defines the desired state of a TLSOption.
properties:
alpnProtocols:
description: |-
ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
items:
type: string
type: array
cipherSuites:
description: |-
CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
items:
type: string
type: array
clientAuth:
description: ClientAuth defines the server's policy for TLS Client
Authentication.
properties:
clientAuthType:
description: ClientAuthType defines the client authentication
type to apply.
enum:
- NoClientCert
- RequestClientCert
- RequireAnyClientCert
- VerifyClientCertIfGiven
- RequireAndVerifyClientCert
type: string
secretNames:
description: SecretNames defines the names of the referenced Kubernetes
Secret storing certificate details.
items:
type: string
type: array
type: object
curvePreferences:
description: |-
CurvePreferences defines the preferred elliptic curves in a specific order.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
items:
type: string
type: array
maxVersion:
description: |-
MaxVersion defines the maximum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: None.
type: string
minVersion:
description: |-
MinVersion defines the minimum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: VersionTLS10.
type: string
preferServerCipherSuites:
description: |-
PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
It is enabled automatically when minVersion or maxVersion is set.
Deprecated: https://github.com/golang/go/issues/45430
type: boolean
sniStrict:
description: SniStrict defines whether Traefik allows connections
from clients connections that do not specify a server_name extension.
type: boolean
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

97
opencloud/charts/traefik/crds/traefik.io_tlsstores.yaml Normal file
View File

@ -0,0 +1,97 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: tlsstores.traefik.io
spec:
group: traefik.io
names:
kind: TLSStore
listKind: TLSStoreList
plural: tlsstores
singular: tlsstore
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TLSStore is the CRD implementation of a Traefik TLS Store.
For the time being, only the TLSStore named default is supported.
This means that you cannot have two stores that are named default in different Kubernetes namespaces.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TLSStoreSpec defines the desired state of a TLSStore.
properties:
certificates:
description: Certificates is a list of secret names, each secret holding
a key/certificate pair to add to the store.
items:
description: Certificate holds a secret name for the TLSStore resource.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
type: array
defaultCertificate:
description: DefaultCertificate defines the default certificate configuration.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
defaultGeneratedCert:
description: DefaultGeneratedCert defines the default generated certificate
configuration.
properties:
domain:
description: Domain is the domain definition for the DefaultCertificate.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain names.
items:
type: string
type: array
type: object
resolver:
description: Resolver is the name of the resolver that will be
used to issue the DefaultCertificate.
type: string
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

644
opencloud/charts/traefik/crds/traefik.io_traefikservices.yaml Normal file
View File

@ -0,0 +1,644 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: traefikservices.traefik.io
spec:
group: traefik.io
names:
kind: TraefikService
listKind: TraefikServiceList
plural: traefikservices
singular: traefikservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TraefikService is the CRD implementation of a Traefik Service.
TraefikService object allows to:
- Apply weight to Services on load-balancing
- Mirror traffic on services
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TraefikServiceSpec defines the desired state of a TraefikService.
properties:
mirroring:
description: Mirroring defines the Mirroring service configuration.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be sent to
the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname in the
Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for the health
check endpoint.
type: string
port:
description: Port defines the server URL port for the health
check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme for the
health check endpoint.
type: string
status:
description: Status defines the expected HTTP status code
of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
maxBodySize:
description: |-
MaxBodySize defines the maximum size allowed for the body of the request.
If the body is larger, the request is not mirrored.
Default value is -1, which means unlimited size.
format: int64
type: integer
mirrorBody:
description: |-
MirrorBody defines whether the body of the request should be mirrored.
Default value is true.
type: boolean
mirrors:
description: Mirrors defines the list of mirrors where Traefik
will duplicate the traffic.
items:
description: MirrorService holds the mirror configuration.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be sent
to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for the
health check endpoint.
type: string
port:
description: Port defines the server URL port for the
health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme for
the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
percent:
description: |-
Percent defines the part of the traffic to mirror.
Supported values: 0 to 100.
type: integer
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to the
client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
type: string
secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards the
response from the upstream Kubernetes Service to the client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
type: string
secure:
description: Secure defines whether the cookie can only
be transmitted over an encrypted connection (i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
type: integer
required:
- name
type: object
weighted:
description: Weighted defines the Weighted Round Robin configuration.
properties:
services:
description: Services defines the list of Kubernetes Service and/or
TraefikService to load-balance, with weight.
items:
description: Service defines an upstream HTTP service to proxy
traffic to.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be sent
to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for the
health check endpoint.
type: string
port:
description: Port defines the server URL port for the
health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme for
the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to the
client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
type: string
secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
type: integer
required:
- name
type: object
type: array
sticky:
description: |-
Sticky defines whether sticky sessions are enabled.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
type: string
secure:
description: Secure defines whether the cookie can only
be transmitted over an encrypted connection (i.e. HTTPS).
type: boolean
type: object
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

36
opencloud/charts/traefik/templates/NOTES.txt Normal file
View File

@ -0,0 +1,36 @@
{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace !
{{- if .Values.persistence }}
{{- if and .Values.persistence.enabled (empty .Values.deployment.initContainer)}}
🚨 When enabling persistence for certificates, permissions on acme.json can be
lost when Traefik restarts. You can ensure correct permissions with an
initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
for more info. 🚨
{{- end }}
{{- end }}
{{- with .Values.providers.kubernetesCRD.labelSelector }}
{{- $labelsApplied := include "traefik.labels" $ }}
{{- $labelSelectors := regexSplit "," . -1 }}
{{- range $labelSelectors }}
{{- $labelSelectorRaw := regexSplit "=" . -1 }}
{{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }}
{{- if not (contains $labelSelector $labelsApplied) }}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider 🚨
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.providers.kubernetesIngress.labelSelector }}
{{- $labelsApplied := include "traefik.labels" $ }}
{{- $labelSelectors := regexSplit "," . -1 }}
{{- range $labelSelectors }}
{{- $labelSelectorRaw := regexSplit "=" . -1 }}
{{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }}
{{- if not (contains $labelSelector $labelsApplied) }}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider 🚨
{{- end }}
{{- end }}
{{- end }}

178
opencloud/charts/traefik/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,178 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "traefik.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "traefik.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the chart image name.
*/}}
{{- define "traefik.image-name" -}}
{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "traefik.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Allow customization of the instance label value.
*/}}
{{- define "traefik.instance-name" -}}
{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Shared labels used for selector*/}}
{{/* This is an immutable field: this should not change between upgrade */}}
{{- define "traefik.labelselector" -}}
app.kubernetes.io/name: {{ template "traefik.name" . }}
app.kubernetes.io/instance: {{ template "traefik.instance-name" . }}
{{- end }}
{{/* Shared labels used in metada */}}
{{- define "traefik.labels" -}}
{{ include "traefik.labelselector" . }}
helm.sh/chart: {{ template "traefik.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Construct the namespace for all namespaced resources
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
Preserve the default behavior of the Release namespace if no override is provided
*/}}
{{- define "traefik.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
The name of the service account to use
*/}}
{{- define "traefik.serviceAccountName" -}}
{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}}
{{- end -}}
{{/*
The name of the ClusterRole and ClusterRoleBinding to use.
Adds the namespace to name to prevent duplicate resource names when there
are multiple namespaced releases with the same release name.
*/}}
{{- define "traefik.clusterRoleName" -}}
{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{/*
Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice.
By convention this will simply use the <namespace>/<service-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
*/}}
{{- define "providers.kubernetesIngress.publishedServicePath" -}}
{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct a comma-separated list of whitelisted namespaces
*/}}
{{- define "providers.kubernetesCRD.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesGateway.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesGateway.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesIngress.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }}
{{- end -}}
{{/*
Renders a complete tree, even values that contains template.
*/}}
{{- define "traefik.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{ else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{- define "imageVersion" -}}
{{/*
Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are
based on semverCompare
*/}}
{{- if $.Values.hub.token -}}
{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "<v3.3.2-0" $.Values.image.tag) -}}
v3.0
{{- else -}}
v3.1
{{- end -}}
{{- else -}}
{{ (split "@" (default $.Chart.AppVersion $.Values.image.tag))._0 | replace "latest-" "" | replace "experimental-" "" }}
{{- end -}}
{{- end -}}
{{/* Generate/load self-signed certificate for admission webhooks */}}
{{- define "traefik-hub.webhook_cert" -}}
{{- $cert := lookup "v1" "Secret" .Release.Namespace "hub-agent-cert" -}}
{{- if $cert -}}
{{/* reusing value of existing cert */}}
Cert: {{ index $cert.data "tls.crt" }}
Key: {{ index $cert.data "tls.key" }}
{{- else -}}
{{/* generate a new one */}}
{{- $altNames := list ( printf "admission.%s.svc" .Release.Namespace ) -}}
{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" .Release.Namespace ) (list) $altNames 3650 -}}
Cert: {{ $cert.Cert | b64enc }}
Key: {{ $cert.Key | b64enc }}
{{- end -}}
{{- end -}}
{{- define "traefik.yaml2CommandLineArgsRec" -}}
{{- $path := .path -}}
{{- range $key, $value := .content -}}
{{- if kindIs "map" $value }}
{{- include "traefik.yaml2CommandLineArgsRec" (dict "path" (printf "%s.%s" $path $key) "content" $value) -}}
{{- else }}
--{{ join "." (list $path $key)}}={{ join "," $value }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "traefik.yaml2CommandLineArgs" -}}
{{- range ((regexSplit "\n" ((include "traefik.yaml2CommandLineArgsRec" (dict "path" .path "content" .content)) | trim) -1) | compact) -}}
{{ printf "- \"%s\"\n" . }}
{{- end -}}
{{- end -}}

850
opencloud/charts/traefik/templates/_podtemplate.tpl Normal file
View File

@ -0,0 +1,850 @@
{{- define "traefik.podTemplate" }}
{{- $version := include "imageVersion" $ }}
metadata:
annotations:
{{- if .Values.deployment.podAnnotations }}
{{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }}
{{- end }}
{{- if .Values.metrics }}
{{- if and (.Values.metrics.prometheus) (not (.Values.metrics.prometheus.serviceMonitor).enabled) }}
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: {{ quote (index .Values.ports .Values.metrics.prometheus.entryPoint).port }}
{{- end }}
{{- end }}
labels:
{{- include "traefik.labels" . | nindent 8 -}}
{{- with .Values.deployment.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.deployment.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "traefik.serviceAccountName" . }}
automountServiceAccountToken: true
terminationGracePeriodSeconds: {{ default 60 .Values.deployment.terminationGracePeriodSeconds }}
hostNetwork: {{ .Values.hostNetwork }}
{{- with .Values.deployment.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- if .searches }}
searches:
{{- toYaml .searches | nindent 10 }}
{{- end }}
{{- if .nameservers }}
nameservers:
{{- toYaml .nameservers | nindent 10 }}
{{- end }}
{{- if .options }}
options:
{{- toYaml .options | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.deployment.hostAliases }}
hostAliases: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.initContainers }}
initContainers:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.shareProcessNamespace }}
shareProcessNamespace: true
{{- end }}
{{- with .Values.deployment.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
containers:
- image: {{ template "traefik.image-name" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ template "traefik.fullname" . }}
resources:
{{- with .Values.resources }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if (and (empty .Values.ports.traefik) (empty .Values.deployment.healthchecksPort)) }}
{{- fail "ERROR: When disabling traefik port, you need to specify `deployment.healthchecksPort`" }}
{{- end }}
{{- $healthchecksPort := (default (.Values.ports.traefik).port .Values.deployment.healthchecksPort) }}
{{- $healthchecksHost := (default (.Values.ports.traefik).hostIP .Values.deployment.healthchecksHost) }}
{{- $healthchecksScheme := (default "HTTP" .Values.deployment.healthchecksScheme) }}
{{- $readinessPath := (default "/ping" .Values.deployment.readinessPath) }}
{{- $livenessPath := (default "/ping" .Values.deployment.livenessPath) }}
readinessProbe:
httpGet:
{{- with $healthchecksHost }}
host: {{ . }}
{{- end }}
path: {{ $readinessPath }}
port: {{ $healthchecksPort }}
scheme: {{ $healthchecksScheme }}
{{- toYaml .Values.readinessProbe | nindent 10 }}
livenessProbe:
httpGet:
{{- with $healthchecksHost }}
host: {{ . }}
{{- end }}
path: {{ $livenessPath }}
port: {{ $healthchecksPort }}
scheme: {{ $healthchecksScheme }}
{{- toYaml .Values.livenessProbe | nindent 10 }}
{{- with .Values.startupProbe}}
startupProbe:
{{- toYaml . | nindent 10 }}
{{- end }}
lifecycle:
{{- with .Values.deployment.lifecycle }}
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
{{- $hostNetwork := .Values.hostNetwork }}
{{- range $name, $config := .Values.ports }}
{{- if $config }}
{{- if and $hostNetwork (and $config.hostPort $config.port) }}
{{- if ne ($config.hostPort | int) ($config.port | int) }}
{{- fail "ERROR: All hostPort must match their respective containerPort when `hostNetwork` is enabled" }}
{{- end }}
{{- end }}
- name: {{ $name | quote }}
containerPort: {{ default $config.port $config.containerPort }}
{{- if $config.hostPort }}
hostPort: {{ $config.hostPort }}
{{- end }}
{{- if $config.hostIP }}
hostIP: {{ $config.hostIP }}
{{- end }}
protocol: {{ default "TCP" $config.protocol | quote }}
{{- if ($config.http3).enabled }}
- name: "{{ $name }}-http3"
containerPort: {{ $config.port }}
{{- if $config.hostPort }}
hostPort: {{ default $config.hostPort $config.http3.advertisedPort }}
{{- end }}
protocol: UDP
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.hub.token }}
{{- $listenAddr := default ":9943" .Values.hub.apimanagement.admission.listenAddr }}
- name: admission
containerPort: {{ last (mustRegexSplit ":" $listenAddr 2) }}
protocol: TCP
{{- if .Values.hub.apimanagement.enabled }}
- name: apiportal
containerPort: 9903
protocol: TCP
{{- end }}
{{- end }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: {{ .Values.persistence.name }}
mountPath: {{ .Values.persistence.path }}
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: tmp
mountPath: /tmp
{{- $root := . }}
{{- range .Values.volumes }}
- name: {{ tpl (.name) $root | replace "." "-" }}
mountPath: {{ .mountPath }}
readOnly: true
{{- end }}
{{- if gt (len .Values.experimental.plugins) 0 }}
- name: plugins
mountPath: "/plugins-storage"
{{- end }}
{{- if .Values.providers.file.enabled }}
- name: traefik-extra-config
mountPath: "/etc/traefik/dynamic"
{{- end }}
{{- if .Values.additionalVolumeMounts }}
{{- toYaml .Values.additionalVolumeMounts | nindent 10 }}
{{- end }}
args:
{{- with .Values.globalArguments }}
{{- range . }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- range $name, $config := .Values.ports }}
{{- if $config }}
- "--entryPoints.{{$name}}.address={{ $config.hostIP }}:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}"
{{- with $config.asDefault }}
- "--entryPoints.{{$name}}.asDefault={{ . }}"
{{- end }}
{{- end }}
{{- end }}
- "--api.dashboard=true"
- "--ping=true"
{{- with .Values.core }}
{{- with .defaultRuleSyntax }}
- "--core.defaultRuleSyntax={{ . }}"
{{- end }}
{{- end }}
{{- if .Values.metrics }}
{{- if .Values.metrics.addInternals }}
- "--metrics.addinternals"
{{- end }}
{{- with .Values.metrics.datadog }}
- "--metrics.datadog=true"
{{- with .address }}
- "--metrics.datadog.address={{ . }}"
{{- end }}
{{- with .pushInterval }}
- "--metrics.datadog.pushInterval={{ . }}"
{{- end }}
{{- with .prefix }}
- "--metrics.datadog.prefix={{ . }}"
{{- end }}
{{- if ne .addRoutersLabels nil }}
{{- with .addRoutersLabels | toString }}
- "--metrics.datadog.addRoutersLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addEntryPointsLabels nil }}
{{- with .addEntryPointsLabels | toString }}
- "--metrics.datadog.addEntryPointsLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addServicesLabels nil }}
{{- with .addServicesLabels | toString }}
- "--metrics.datadog.addServicesLabels={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.metrics.influxdb2 }}
- "--metrics.influxdb2=true"
- "--metrics.influxdb2.address={{ .address }}"
- "--metrics.influxdb2.token={{ .token }}"
- "--metrics.influxdb2.org={{ .org }}"
- "--metrics.influxdb2.bucket={{ .bucket }}"
{{- with .pushInterval }}
- "--metrics.influxdb2.pushInterval={{ . }}"
{{- end }}
{{- range $name, $value := .additionalLabels }}
- "--metrics.influxdb2.additionalLabels.{{ $name }}={{ $value }}"
{{- end }}
{{- if ne .addRoutersLabels nil }}
{{- with .addRoutersLabels | toString }}
- "--metrics.influxdb2.addRoutersLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addEntryPointsLabels nil }}
{{- with .addEntryPointsLabels | toString }}
- "--metrics.influxdb2.addEntryPointsLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addServicesLabels nil }}
{{- with .addServicesLabels | toString }}
- "--metrics.influxdb2.addServicesLabels={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- if (.Values.metrics.prometheus) }}
- "--metrics.prometheus=true"
- "--metrics.prometheus.entrypoint={{ .Values.metrics.prometheus.entryPoint }}"
{{- if (eq (.Values.metrics.prometheus.addRoutersLabels | toString) "true") }}
- "--metrics.prometheus.addRoutersLabels=true"
{{- end }}
{{- if ne .Values.metrics.prometheus.addEntryPointsLabels nil }}
{{- with .Values.metrics.prometheus.addEntryPointsLabels | toString }}
- "--metrics.prometheus.addEntryPointsLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .Values.metrics.prometheus.addServicesLabels nil }}
{{- with .Values.metrics.prometheus.addServicesLabels| toString }}
- "--metrics.prometheus.addServicesLabels={{ . }}"
{{- end }}
{{- end }}
{{- if .Values.metrics.prometheus.buckets }}
- "--metrics.prometheus.buckets={{ .Values.metrics.prometheus.buckets }}"
{{- end }}
{{- if .Values.metrics.prometheus.manualRouting }}
- "--metrics.prometheus.manualrouting=true"
{{- end }}
{{- end }}
{{- with .Values.metrics.statsd }}
- "--metrics.statsd=true"
- "--metrics.statsd.address={{ .address }}"
{{- with .pushInterval }}
- "--metrics.statsd.pushInterval={{ . }}"
{{- end }}
{{- with .prefix }}
- "--metrics.statsd.prefix={{ . }}"
{{- end }}
{{- if .addRoutersLabels}}
- "--metrics.statsd.addRoutersLabels=true"
{{- end }}
{{- if ne .addEntryPointsLabels nil }}
{{- with .addEntryPointsLabels | toString }}
- "--metrics.statsd.addEntryPointsLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addServicesLabels nil }}
{{- with .addServicesLabels | toString }}
- "--metrics.statsd.addServicesLabels={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.metrics.otlp }}
{{- if .enabled }}
- "--metrics.otlp=true"
{{- if ne .addEntryPointsLabels nil }}
{{- with .addEntryPointsLabels | toString }}
- "--metrics.otlp.addEntryPointsLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addRoutersLabels nil }}
{{- with .addRoutersLabels | toString }}
- "--metrics.otlp.addRoutersLabels={{ . }}"
{{- end }}
{{- end }}
{{- if ne .addServicesLabels nil }}
{{- with .addServicesLabels | toString }}
- "--metrics.otlp.addServicesLabels={{ . }}"
{{- end }}
{{- end }}
{{- with .explicitBoundaries }}
- "--metrics.otlp.explicitBoundaries={{ join "," . }}"
{{- end }}
{{- with .pushInterval }}
- "--metrics.otlp.pushInterval={{ . }}"
{{- end }}
{{- with .http }}
{{- if .enabled }}
- "--metrics.otlp.http=true"
{{- with .endpoint }}
- "--metrics.otlp.http.endpoint={{ . }}"
{{- end }}
{{- range $name, $value := .headers }}
- "--metrics.otlp.http.headers.{{ $name }}={{ $value }}"
{{- end }}
{{- with .tls }}
{{- with .ca }}
- "--metrics.otlp.http.tls.ca={{ . }}"
{{- end }}
{{- with .cert }}
- "--metrics.otlp.http.tls.cert={{ . }}"
{{- end }}
{{- with .key }}
- "--metrics.otlp.http.tls.key={{ . }}"
{{- end }}
{{- with .insecureSkipVerify }}
- "--metrics.otlp.http.tls.insecureSkipVerify={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .grpc }}
{{- if .enabled }}
- "--metrics.otlp.grpc=true"
{{- with .endpoint }}
- "--metrics.otlp.grpc.endpoint={{ . }}"
{{- end }}
{{- with .insecure }}
- "--metrics.otlp.grpc.insecure={{ . }}"
{{- end }}
{{- range $name, $value := .headers }}
- "--metrics.otlp.grpc.headers.{{ $name }}={{ $value }}"
{{- end }}
{{- with .tls }}
{{- with .ca }}
- "--metrics.otlp.grpc.tls.ca={{ . }}"
{{- end }}
{{- with .cert }}
- "--metrics.otlp.grpc.tls.cert={{ . }}"
{{- end }}
{{- with .key }}
- "--metrics.otlp.grpc.tls.key={{ . }}"
{{- end }}
{{- with .insecureSkipVerify }}
- "--metrics.otlp.grpc.tls.insecureSkipVerify={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.tracing.addInternals }}
- "--tracing.addinternals"
{{- end }}
{{- with .Values.tracing.otlp }}
{{- if .enabled }}
- "--tracing.otlp=true"
{{- with .http }}
{{- if .enabled }}
- "--tracing.otlp.http=true"
{{- with .endpoint }}
- "--tracing.otlp.http.endpoint={{ . }}"
{{- end }}
{{- range $name, $value := .headers }}
- "--tracing.otlp.http.headers.{{ $name }}={{ $value }}"
{{- end }}
{{- with .tls }}
{{- with .ca }}
- "--tracing.otlp.http.tls.ca={{ . }}"
{{- end }}
{{- with .cert }}
- "--tracing.otlp.http.tls.cert={{ . }}"
{{- end }}
{{- with .key }}
- "--tracing.otlp.http.tls.key={{ . }}"
{{- end }}
{{- with .insecureSkipVerify }}
- "--tracing.otlp.http.tls.insecureSkipVerify={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .grpc }}
{{- if .enabled }}
- "--tracing.otlp.grpc=true"
{{- with .endpoint }}
- "--tracing.otlp.grpc.endpoint={{ . }}"
{{- end }}
{{- with .insecure }}
- "--tracing.otlp.grpc.insecure={{ . }}"
{{- end }}
{{- range $name, $value := .headers }}
- "--tracing.otlp.grpc.headers.{{ $name }}={{ $value }}"
{{- end }}
{{- with .tls }}
{{- with .ca }}
- "--tracing.otlp.grpc.tls.ca={{ . }}"
{{- end }}
{{- with .cert }}
- "--tracing.otlp.grpc.tls.cert={{ . }}"
{{- end }}
{{- with .key }}
- "--tracing.otlp.grpc.tls.key={{ . }}"
{{- end }}
{{- with .insecureSkipVerify }}
- "--tracing.otlp.grpc.tls.insecureSkipVerify={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- range $pluginName, $plugin := .Values.experimental.plugins }}
{{- if or (ne (typeOf $plugin) "map[string]interface {}") (not (hasKey $plugin "moduleName")) (not (hasKey $plugin "version")) }}
{{- fail (printf "ERROR: plugin %s is missing moduleName/version keys !" $pluginName) }}
{{- end }}
- "--experimental.plugins.{{ $pluginName }}.moduleName={{ $plugin.moduleName }}"
- "--experimental.plugins.{{ $pluginName }}.version={{ $plugin.version }}"
{{- end }}
{{- if .Values.providers.kubernetesCRD.enabled }}
- "--providers.kubernetescrd"
{{- if .Values.providers.kubernetesCRD.labelSelector }}
- "--providers.kubernetescrd.labelSelector={{ .Values.providers.kubernetesCRD.labelSelector }}"
{{- end }}
{{- if .Values.providers.kubernetesCRD.ingressClass }}
- "--providers.kubernetescrd.ingressClass={{ .Values.providers.kubernetesCRD.ingressClass }}"
{{- end }}
{{- if .Values.providers.kubernetesCRD.allowCrossNamespace }}
- "--providers.kubernetescrd.allowCrossNamespace=true"
{{- end }}
{{- if .Values.providers.kubernetesCRD.allowExternalNameServices }}
- "--providers.kubernetescrd.allowExternalNameServices=true"
{{- end }}
{{- if .Values.providers.kubernetesCRD.allowEmptyServices }}
- "--providers.kubernetescrd.allowEmptyServices=true"
{{- end }}
{{- if and .Values.rbac.namespaced (semverCompare ">=3.1.2-0" $version) }}
- "--providers.kubernetescrd.disableClusterScopeResources=true"
{{- end }}
{{- if .Values.providers.kubernetesCRD.nativeLBByDefault }}
- "--providers.kubernetescrd.nativeLBByDefault=true"
{{- end }}
{{- end }}
{{- if .Values.providers.kubernetesIngress.enabled }}
- "--providers.kubernetesingress"
{{- if .Values.providers.kubernetesIngress.allowExternalNameServices }}
- "--providers.kubernetesingress.allowExternalNameServices=true"
{{- end }}
{{- if .Values.providers.kubernetesIngress.allowEmptyServices }}
- "--providers.kubernetesingress.allowEmptyServices=true"
{{- end }}
{{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }}
- "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}"
{{- end }}
{{- if .Values.providers.kubernetesIngress.labelSelector }}
- "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}"
{{- end }}
{{- if .Values.providers.kubernetesIngress.ingressClass }}
- "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}"
{{- end }}
{{- if .Values.rbac.namespaced }}
{{- if semverCompare "<3.1.5-0" $version }}
- "--providers.kubernetesingress.disableIngressClassLookup=true"
{{- if semverCompare ">=3.1.2-0" $version }}
- "--providers.kubernetesingress.disableClusterScopeResources=true"
{{- end }}
{{- else }}
- "--providers.kubernetesingress.disableClusterScopeResources=true"
{{- end }}
{{- end }}
{{- if .Values.providers.kubernetesIngress.nativeLBByDefault }}
- "--providers.kubernetesingress.nativeLBByDefault=true"
{{- end }}
{{- end }}
{{- if .Values.experimental.kubernetesGateway.enabled }}
- "--experimental.kubernetesgateway"
{{- end }}
{{- with .Values.providers.kubernetesCRD }}
{{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }}
- "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" $ }}"
{{- end }}
{{- end }}
{{- with .Values.providers.kubernetesGateway }}
{{- if .enabled }}
- "--providers.kubernetesgateway"
{{- with .statusAddress }}
{{- with .ip }}
- "--providers.kubernetesgateway.statusaddress.ip={{ . }}"
{{- end }}
{{- with .hostname }}
- "--providers.kubernetesgateway.statusaddress.hostname={{ . }}"
{{- end }}
{{- with .service }}
- "--providers.kubernetesgateway.statusaddress.service.name={{ tpl .name $ }}"
- "--providers.kubernetesgateway.statusaddress.service.namespace={{ tpl .namespace $ }}"
{{- end }}
{{- end }}
{{- if or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced) }}
- "--providers.kubernetesgateway.namespaces={{ template "providers.kubernetesGateway.namespaces" $ }}"
{{- end }}
{{- if .experimentalChannel }}
- "--providers.kubernetesgateway.experimentalchannel=true"
{{- end }}
{{- with .labelselector }}
- "--providers.kubernetesgateway.labelselector={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.providers.kubernetesIngress }}
{{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }}
- "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" $ }}"
{{- end }}
{{- end }}
{{- with .Values.providers.file }}
{{- if .enabled }}
- "--providers.file.directory=/etc/traefik/dynamic"
{{- if .watch }}
- "--providers.file.watch=true"
{{- end }}
{{- end }}
{{- end }}
{{- range $entrypoint, $config := $.Values.ports }}
{{- if $config }}
{{- if $config.redirectTo }}
{{- $toPort := index $.Values.ports $config.redirectTo.port }}
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}"
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
{{- if $config.redirectTo.priority }}
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ $config.redirectTo.priority }}"
{{- end }}
{{- if $config.redirectTo.permanent }}
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent=true"
{{- end }}
{{- end }}
{{- if $config.middlewares }}
- "--entryPoints.{{ $entrypoint }}.http.middlewares={{ join "," $config.middlewares }}"
{{- end }}
{{- if $config.tls }}
{{- if $config.tls.enabled }}
- "--entryPoints.{{ $entrypoint }}.http.tls=true"
{{- if $config.tls.options }}
- "--entryPoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}"
{{- end }}
{{- if $config.tls.certResolver }}
- "--entryPoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}"
{{- end }}
{{- if $config.tls.domains }}
{{- range $index, $domain := $config.tls.domains }}
{{- if $domain.main }}
- "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}"
{{- end }}
{{- if $domain.sans }}
- "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}"
{{- end }}
{{- end }}
{{- end }}
{{- if $config.http3 }}
{{- if $config.http3.enabled }}
- "--entryPoints.{{ $entrypoint }}.http3"
{{- if $config.http3.advertisedPort }}
- "--entryPoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if $config.allowACMEByPass }}
{{- if (semverCompare "<3.1.3-0" $version) }}
{{- fail "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+" -}}
{{- end }}
- "--entryPoints.name.allowACMEByPass=true"
{{- end }}
{{- if $config.forwardedHeaders }}
{{- if $config.forwardedHeaders.trustedIPs }}
- "--entryPoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}"
{{- end }}
{{- if $config.forwardedHeaders.insecure }}
- "--entryPoints.{{ $entrypoint }}.forwardedHeaders.insecure"
{{- end }}
{{- end }}
{{- if $config.proxyProtocol }}
{{- if $config.proxyProtocol.trustedIPs }}
- "--entryPoints.{{ $entrypoint }}.proxyProtocol.trustedIPs={{ join "," $config.proxyProtocol.trustedIPs }}"
{{- end }}
{{- if $config.proxyProtocol.insecure }}
- "--entryPoints.{{ $entrypoint }}.proxyProtocol.insecure"
{{- end }}
{{- end }}
{{- with $config.transport }}
{{- with .respondingTimeouts }}
{{- if and (ne .readTimeout nil) (toString .readTimeout) }}
- "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.readTimeout={{ .readTimeout }}"
{{- end }}
{{- if and (ne .writeTimeout nil) (toString .writeTimeout) }}
- "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.writeTimeout={{ .writeTimeout }}"
{{- end }}
{{- if and (ne .idleTimeout nil) (toString .idleTimeout) }}
- "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.idleTimeout={{ .idleTimeout }}"
{{- end }}
{{- end }}
{{- with .lifeCycle }}
{{- if and (ne .requestAcceptGraceTimeout nil) (toString .requestAcceptGraceTimeout) }}
- "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.requestAcceptGraceTimeout={{ .requestAcceptGraceTimeout }}"
{{- end }}
{{- if and (ne .graceTimeOut nil) (toString .graceTimeOut) }}
- "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.graceTimeOut={{ .graceTimeOut }}"
{{- end }}
{{- end }}
{{- if and (ne .keepAliveMaxRequests nil) (toString .keepAliveMaxRequests) }}
- "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxRequests={{ .keepAliveMaxRequests }}"
{{- end }}
{{- if and (ne .keepAliveMaxTime nil) (toString .keepAliveMaxTime) }}
- "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxTime={{ .keepAliveMaxTime }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.logs }}
{{- if and .general.format (not (has .general.format (list "common" "json"))) }}
{{- fail "ERROR: .Values.logs.general.format must be either common or json" }}
{{- end }}
{{- with .general.format }}
- "--log.format={{ . }}"
{{- end }}
{{- with .general.filePath }}
- "--log.filePath={{ . }}"
{{- end }}
{{- if and (or (eq .general.format "common") (not .general.format)) (eq .general.noColor true) }}
- "--log.noColor={{ .general.noColor }}"
{{- end }}
{{- with .general.level }}
- "--log.level={{ . | upper }}"
{{- end }}
{{- if .access.enabled }}
- "--accesslog=true"
{{- with .access.format }}
- "--accesslog.format={{ . }}"
{{- end }}
{{- with .access.filePath }}
- "--accesslog.filepath={{ . }}"
{{- end }}
{{- if .access.addInternals }}
- "--accesslog.addinternals"
{{- end }}
{{- with .access.bufferingSize }}
- "--accesslog.bufferingsize={{ . }}"
{{- end }}
{{- with .access.filters }}
{{- with .statuscodes }}
- "--accesslog.filters.statuscodes={{ . }}"
{{- end }}
{{- if .retryattempts }}
- "--accesslog.filters.retryattempts"
{{- end }}
{{- with .minduration }}
- "--accesslog.filters.minduration={{ . }}"
{{- end }}
{{- end }}
- "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}"
{{- range $fieldname, $fieldaction := .access.fields.general.names }}
- "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}"
{{- end }}
- "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}"
{{- range $fieldname, $fieldaction := .access.fields.headers.names }}
- "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}"
{{- end }}
{{- end }}
{{- end }}
{{- include "traefik.yaml2CommandLineArgs" (dict "path" "certificatesresolvers" "content" $.Values.certificatesResolvers) | nindent 10 }}
{{- with .Values.additionalArguments }}
{{- range . }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- with .Values.hub }}
{{- if .token }}
- "--hub.token=$(HUB_TOKEN)"
{{- if and (not .apimanagement.enabled) ($.Values.hub.apimanagement.admission.listenAddr) }}
{{- fail "ERROR: Cannot configure admission without enabling hub.apimanagement" }}
{{- end }}
{{- with .apimanagement }}
{{- if .enabled }}
{{- $listenAddr := default ":9943" .admission.listenAddr }}
- "--hub.apimanagement"
- "--hub.apimanagement.admission.listenAddr={{ $listenAddr }}"
{{- with .admission.secretName }}
- "--hub.apimanagement.admission.secretName={{ . }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .platformUrl }}
- "--hub.platformUrl={{ . }}"
{{- end -}}
{{- range $field, $value := .redis }}
{{- if has $field (list "cluster" "database" "endpoints" "username" "password" "timeout") -}}
{{- with $value }}
- "--hub.redis.{{ $field }}={{ $value }}"
{{- end }}
{{- end }}
{{- end }}
{{- range $field, $value := .redis.sentinel }}
{{- if has $field (list "masterset" "password" "username") -}}
{{- with $value }}
- "--hub.redis.sentinel.{{ $field }}={{ $value }}"
{{- end }}
{{- end }}
{{- end }}
{{- range $field, $value := .redis.tls }}
{{- if has $field (list "ca" "cert" "insecureSkipVerify" "key") -}}
{{- with $value }}
- "--hub.redis.tls.{{ $field }}={{ $value }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .sendlogs }}
- "--hub.sendlogs={{ . }}"
{{- end }}
{{- end }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if ($.Values.resources.limits).cpu }}
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
divisor: '1'
{{- end }}
{{- if ($.Values.resources.limits).memory }}
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: '1'
{{- end }}
{{- with .Values.hub.token }}
- name: HUB_TOKEN
valueFrom:
secretKeyRef:
name: {{ . }}
key: token
{{- end }}
{{- with .Values.env }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.deployment.additionalContainers }}
{{- toYaml .Values.deployment.additionalContainers | nindent 6 }}
{{- end }}
volumes:
- name: {{ .Values.persistence.name }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }}
{{- else }}
emptyDir: {}
{{- end }}
- name: tmp
emptyDir: {}
{{- $root := . }}
{{- range .Values.volumes }}
- name: {{ tpl (.name) $root | replace "." "-" }}
{{- if eq .type "secret" }}
secret:
secretName: {{ tpl (.name) $root }}
{{- else if eq .type "configMap" }}
configMap:
name: {{ tpl (.name) $root }}
{{- end }}
{{- end }}
{{- if .Values.deployment.additionalVolumes }}
{{- toYaml .Values.deployment.additionalVolumes | nindent 8 }}
{{- end }}
{{- if gt (len .Values.experimental.plugins) 0 }}
- name: plugins
emptyDir: {}
{{- end }}
{{- if .Values.providers.file.enabled }}
- name: traefik-extra-config
configMap:
name: {{ template "traefik.fullname" . }}-file-provider
{{- end }}
{{- if .Values.affinity }}
affinity:
{{- tpl (toYaml .Values.affinity) . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
{{- if (semverCompare "<1.19.0-0" .Capabilities.KubeVersion.Version) }}
{{- fail "ERROR: topologySpreadConstraints are supported only on kubernetes >= v1.19" -}}
{{- end }}
topologySpreadConstraints:
{{- tpl (toYaml .Values.topologySpreadConstraints) . | nindent 8 }}
{{- end }}
{{ end -}}

25
opencloud/charts/traefik/templates/_service-metrics.tpl Normal file
View File

@ -0,0 +1,25 @@
{{- define "traefik.metrics-service-metadata" }}
labels:
{{- include "traefik.metricsservicelabels" . | nindent 4 -}}
{{- with .Values.metrics.prometheus.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{/* Labels used for metrics-relevant selector*/}}
{{/* This is an immutable field: this should not change between upgrade */}}
{{- define "traefik.metricslabelselector" -}}
{{- include "traefik.labelselector" . }}
app.kubernetes.io/component: metrics
{{- end }}
{{/* Shared labels used in metadata of metrics-service and servicemonitor */}}
{{- define "traefik.metricsservicelabels" -}}
{{ include "traefik.metricslabelselector" . }}
helm.sh/chart: {{ template "traefik.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}

84
opencloud/charts/traefik/templates/_service.tpl Normal file
View File

@ -0,0 +1,84 @@
{{- define "traefik.service-name" -}}
{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}}
{{- if eq .name "default" -}}
{{- $fullname = include "traefik.fullname" .root -}}
{{- end -}}
{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60
{{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}}
{{- end -}}
{{- $fullname -}}
{{- end -}}
{{- define "traefik.service-metadata" }}
labels:
{{- include "traefik.labels" .root | nindent 4 -}}
{{- with .service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- define "traefik.service-spec" -}}
{{- $type := default "LoadBalancer" .service.type }}
type: {{ $type }}
{{- with .service.loadBalancerClass }}
loadBalancerClass: {{ . }}
{{- end}}
{{- with .service.spec }}
{{- toYaml . | nindent 2 }}
{{- end }}
selector:
{{- include "traefik.labelselector" .root | nindent 4 }}
{{- if eq $type "LoadBalancer" }}
{{- with .service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end -}}
{{- with .service.externalIPs }}
externalIPs:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- with .service.ipFamilyPolicy }}
ipFamilyPolicy: {{ . }}
{{- end }}
{{- with .service.ipFamilies }}
ipFamilies:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end }}
{{- define "traefik.service-ports" }}
{{- range $name, $config := .ports }}
{{- if (index (default dict $config.expose) $.serviceName) }}
{{- $port := default $config.port $config.exposedPort }}
{{- if empty $port }}
{{- fail (print "ERROR: Cannot create " (trim $name) " port on Service without .port or .exposedPort") }}
{{- end }}
- port: {{ $port }}
name: {{ $name | quote }}
targetPort: {{ default $name $config.targetPort }}
protocol: {{ default "TCP" $config.protocol }}
{{- if $config.nodePort }}
nodePort: {{ $config.nodePort }}
{{- end }}
{{- if $config.appProtocol }}
appProtocol: {{ $config.appProtocol }}
{{- end }}
{{- if and ($config.http3).enabled ($config.single) }}
{{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }}
- port: {{ $http3Port }}
name: "{{ $name }}-http3"
targetPort: "{{ $name }}-http3"
protocol: UDP
{{- if $config.nodePort }}
nodePort: {{ $config.nodePort }}
{{- end }}
{{- if $config.appProtocol }}
appProtocol: {{ $config.appProtocol }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

58
opencloud/charts/traefik/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}}
{{- with .Values.additionalArguments -}}
{{- range . -}}
{{- if contains ".acme." . -}}
{{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
{{- fail "\n\n ERROR: latest tag should not be used" }}
{{- end }}
{{- with .Values.updateStrategy }}
{{- if and (eq (.type) "RollingUpdate") (.rollingUpdate) }}
{{- if not (contains "%" (toString .rollingUpdate.maxUnavailable)) }}
{{- if and ($.Values.hostNetwork) (lt (float64 .rollingUpdate.maxUnavailable) 1.0) }}
{{- fail "maxUnavailable should be greater than 1 when using hostNetwork." }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- with .Values.updateStrategy }}
updateStrategy:
type: {{ .type }}
{{- if (eq .type "RollingUpdate") }}
rollingUpdate:
maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
maxSurge: {{ .rollingUpdate.maxSurge }}
{{- end }}
{{- end }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- if .Values.deployment.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
{{- end }}
template: {{ template "traefik.podTemplate" . }}
{{- end -}}

58
opencloud/charts/traefik/templates/deployment.yaml Normal file
View File

@ -0,0 +1,58 @@
{{/* check helm version */}}
{{- if (semverCompare "<v3.9.0" (.Capabilities.HelmVersion.Version | default "v3.0.0")) -}}
{{- fail "ERROR: Helm >= 3.9.0 is required" -}}
{{- end -}}
{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}}
{{- if gt (int .Values.deployment.replicas) 1 -}}
{{- with .Values.additionalArguments -}}
{{- range . -}}
{{- if contains ".acme." . -}}
{{- fail (printf "You can not enable acme if you set more than one traefik replica") -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
{{- fail "\n\n ERROR: latest tag should not be used" }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ default 1 .Values.deployment.replicas }}
{{- end }}
{{- if .Values.deployment.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- with .Values.updateStrategy }}
strategy:
type: {{ .type }}
{{- if (eq .type "RollingUpdate") }}
rollingUpdate:
maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
maxSurge: {{ .rollingUpdate.maxSurge }}
{{- end }}
{{- end }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
template: {{ template "traefik.podTemplate" . }}
{{- end -}}

4
opencloud/charts/traefik/templates/extra-objects.yaml Normal file
View File

@ -0,0 +1,4 @@
{{- range .Values.extraObjects }}
---
{{ include "traefik.render" (dict "value" . "context" $) }}
{{- end }}

62
opencloud/charts/traefik/templates/gateway.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- if and (.Values.gateway).enabled (.Values.providers.kubernetesGateway).enabled }}
{{- if not .Values.gateway.listeners }}
{{- fail "ERROR: gateway must have at least one listener or should be disabled" }}
{{- end }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: {{ default "traefik-gateway" .Values.gateway.name }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.gateway.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
gatewayClassName: {{ default "traefik" .Values.gatewayClass.name }}
{{- with .Values.gateway.infrastructure }}
infrastructure:
{{ toYaml . | nindent 4 }}
{{- end }}
listeners:
{{- range $name, $config := .Values.gateway.listeners }}
- name: {{ $name }}
{{ if not .port }}
{{- fail "ERROR: port needs to be specified" }}
{{- end -}}
{{ $found := false }}
{{- range $portName, $portConfig := $.Values.ports -}}
{{- if eq $portConfig.port $config.port -}}
{{ $found = true }}
{{- end -}}
{{- end -}}
{{ if not $found }}
{{- fail (printf "ERROR: port %0.f is not declared in ports" .port ) }}
{{- end -}}
port: {{ .port }}
protocol: {{ .protocol }}
{{- with .hostname }}
hostname: {{ . | toYaml }}
{{- end }}
{{- with .namespacePolicy }}
allowedRoutes:
namespaces:
from: {{ . }}
{{- end }}
{{ if and (eq .protocol "HTTPS") (not .certificateRefs) }}
{{- fail "ERROR: certificateRefs needs to be specified using HTTPS" }}
{{- end }}
{{ if or .certificateRefs .mode }}
tls:
{{ with .mode }}
mode: {{ . }}
{{- end }}
{{ with .certificateRefs }}
certificateRefs:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

14
opencloud/charts/traefik/templates/gatewayclass.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if and (.Values.gatewayClass).enabled (.Values.providers.kubernetesGateway).enabled }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: {{ default "traefik" .Values.gatewayClass.name }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.gatewayClass.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
controllerName: traefik.io/gateway-controller
{{- end }}

35
opencloud/charts/traefik/templates/hpa.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if .Values.autoscaling.enabled }}
{{- if not .Values.autoscaling.maxReplicas }}
{{- fail "ERROR: maxReplicas is required on HPA" }}
{{- end }}
{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version }}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "traefik.fullname" . }}
{{- if .Values.autoscaling.minReplicas }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
{{- end }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
{{- if .Values.autoscaling.metrics }}
metrics:
{{ toYaml .Values.autoscaling.metrics | indent 4 }}
{{- end }}
{{- if .Values.autoscaling.behavior }}
behavior:
{{ toYaml .Values.autoscaling.behavior | indent 4 }}
{{- end }}
{{- end }}

198
opencloud/charts/traefik/templates/hub-admission-controller.yaml Normal file
View File

@ -0,0 +1,198 @@
{{- if .Values.hub.token -}}
{{- if .Values.hub.apimanagement.enabled }}
{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: hub-agent-cert
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
data:
tls.crt: {{ $cert.Cert }}
tls.key: {{ $cert.Key }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: hub-acp
labels:
{{- include "traefik.labels" . | nindent 4 }}
webhooks:
- name: admission.traefik.svc
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /acp
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- accesscontrolpolicies
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: hub-api
labels:
{{- include "traefik.labels" . | nindent 4 }}
webhooks:
- name: hub-agent.traefik.portal
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api-portal
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apiportals
- name: hub-agent.traefik.api
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apis
- name: hub-agent.traefik.access
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api-access
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apiaccesses
- name: hub-agent.traefik.plan
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api-plan
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apiplans
- name: hub-agent.traefik.bundle
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api-bundle
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apibundles
- name: hub-agent.traefik.version
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /api-version
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- apiversions
---
apiVersion: v1
kind: Service
metadata:
name: admission
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
ports:
- name: https
port: 443
targetPort: admission
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
{{- end -}}
{{- end -}}

19
opencloud/charts/traefik/templates/hub-apiportal.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.hub.apimanagement.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: apiportal
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
ports:
- name: apiportal
port: 9903
protocol: TCP
targetPort: apiportal
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
{{- end -}}

12
opencloud/charts/traefik/templates/ingressclass.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.ingressClass.enabled -}}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
annotations:
ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
name: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }}
spec:
controller: traefik.io/ingress-controller
{{- end -}}

43
opencloud/charts/traefik/templates/ingressroute.yaml Normal file
View File

@ -0,0 +1,43 @@
{{ range $name, $config := .Values.ingressRoute }}
{{ if $config.enabled }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ $.Release.Name }}-{{ $name }}
namespace: {{ template "traefik.namespace" $ }}
annotations:
{{- if and $.Values.ingressClass.enabled $.Values.providers.kubernetesCRD.enabled $.Values.providers.kubernetesCRD.ingressClass }}
kubernetes.io/ingress.class: {{ $.Values.providers.kubernetesCRD.ingressClass }}
{{- end }}
{{- with $config.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
{{- with $config.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
entryPoints:
{{- range $config.entryPoints }}
- {{ . }}
{{- end }}
routes:
- match: {{ $config.matchRule }}
kind: Rule
{{- with $config.services }}
services:
{{- toYaml . | nindent 6 }}
{{- end -}}
{{- with $config.middlewares }}
middlewares:
{{- toYaml . | nindent 6 }}
{{- end -}}
{{- with $config.tls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{ end }}

23
opencloud/charts/traefik/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.podDisruptionBudget.enabled -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end -}}

28
opencloud/charts/traefik/templates/prometheusrules.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.metrics.prometheus }}
{{- if (.Values.metrics.prometheus.prometheusRule).enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.prometheus.prometheusRule.rules }}
groups:
- name: {{ template "traefik.name" $ }}
rules:
{{- with .Values.metrics.prometheus.prometheusRule.rules }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

12
opencloud/charts/traefik/templates/provider-file-cm.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.providers.file.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "traefik.fullname" . }}-file-provider
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
data:
config.yml:
{{ toYaml .Values.providers.file.content | nindent 4 }}
{{- end -}}

26
opencloud/charts/traefik/templates/pvc.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
annotations:
{{- with .Values.persistence.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
helm.sh/resource-policy: keep
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}
{{- if .Values.persistence.volumeName }}
volumeName: {{ .Values.persistence.volumeName | quote }}
{{- end }}
{{- end -}}

271
opencloud/charts/traefik/templates/rbac/clusterrole.yaml Normal file
View File

@ -0,0 +1,271 @@
{{- $version := include "imageVersion" $ }}
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.clusterRoleName" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- range .Values.rbac.aggregateTo }}
rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
{{- end }}
rules:
{{- if semverCompare ">=v3.1.0-0" $version }}
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
{{- end }}
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- list
- watch
{{- if $.Values.hub.token }}
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
{{- end }}
{{- else }}
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
- secrets
{{- with .Values.rbac.secretResourceNames }}
resourceNames: {{ toYaml . | nindent 6 }}
{{- end }}
verbs:
- get
- list
- watch
{{- if and .Values.hub.token }}
- update
- create
- delete
- deletecollection
{{- end }}
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups:
- policy
resourceNames:
- {{ template "traefik.fullname" . }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end -}}
{{- if .Values.providers.kubernetesIngress.enabled }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingressclasses
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
{{- end -}}
{{- if .Values.providers.kubernetesCRD.enabled }}
- apiGroups:
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- serverstransports
- serverstransporttcps
- tlsoptions
- tlsstores
- traefikservices
verbs:
- get
- list
- watch
{{- end -}}
{{- if (.Values.providers.kubernetesGateway).enabled }}
- apiGroups:
- ""
resources:
- namespaces
{{- if (semverCompare "<v3.1.0-0" $version) }}
- endpoints
{{- end }}
- secrets
- services
{{- if semverCompare ">=v3.2.0-0" $version }}
- configmaps
{{- end }}
verbs:
- get
- list
- watch
{{- if (semverCompare ">=v3.1.0-0" $version) }}
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
- apiGroups:
- gateway.networking.k8s.io
resources:
{{- if semverCompare ">=v3.2.0-0" $version }}
- backendtlspolicies
{{- end }}
- gatewayclasses
- gateways
{{- if semverCompare ">=v3.2.0-0" $version }}
- grpcroutes
{{- end }}
- httproutes
- referencegrants
- tcproutes
- tlsroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
{{- if semverCompare ">=v3.2.0-0" $version }}
- backendtlspolicies/status
{{- end }}
- gatewayclasses/status
- gateways/status
{{- if semverCompare ">=v3.2.0-0" $version }}
- grpcroutes/status
{{- end }}
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
{{- end }}
{{- if .Values.hub.token }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end }}
{{- if .Values.hub.token }}
{{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
- namespaces
{{- if .Values.hub.apimanagement.enabled }}
- pods
{{- end }}
verbs:
- get
- list
{{- if .Values.hub.apimanagement.enabled }}
- watch
{{- end }}
{{- if .Values.hub.apimanagement.enabled }}
- apiGroups:
- hub.traefik.io
resources:
- accesscontrolpolicies
- apiaccesses
- apiportals
- apiratelimits
- apis
- apiversions
- apibundles
- apiplans
verbs:
- list
- watch
- create
- update
- patch
- delete
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
{{- end -}}
{{- end -}}
{{- end }}
{{- end }}

17
opencloud/charts/traefik/templates/rbac/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.clusterRoleName" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "traefik.clusterRoleName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "traefik.serviceAccountName" . }}
namespace: {{ template "traefik.namespace" . }}
{{- end -}}

68
opencloud/charts/traefik/templates/rbac/podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,68 @@
{{- if .Values.podSecurityPolicy.enabled }}
{{- if semverCompare ">=1.25.0-0" .Capabilities.KubeVersion.Version }}
{{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }}
{{- end }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
name: {{ template "traefik.fullname" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
{{- if not .Values.securityContext.runAsNonRoot }}
allowedCapabilities:
- NET_BIND_SERVICE
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
hostIPC: false
hostPID: false
fsGroup:
{{- if .Values.securityContext.runAsNonRoot }}
ranges:
- max: 65535
min: 1
rule: MustRunAs
{{- else }}
rule: RunAsAny
{{- end }}
{{- if .Values.hostNetwork }}
hostPorts:
- max: 65535
min: 1
{{- end }}
readOnlyRootFilesystem: true
runAsUser:
{{- if .Values.securityContext.runAsNonRoot }}
rule: MustRunAsNonRoot
{{- else }}
rule: RunAsAny
{{- end }}
seLinux:
rule: RunAsAny
supplementalGroups:
{{- if .Values.securityContext.runAsNonRoot }}
ranges:
- max: 65535
min: 1
rule: MustRunAs
{{- else }}
rule: RunAsAny
{{- end }}
volumes:
- configMap
- downwardAPI
- secret
- emptyDir
- projected
{{- if .Values.persistence.enabled }}
- persistentVolumeClaim
{{- end -}}
{{- end -}}

143
opencloud/charts/traefik/templates/rbac/role.yaml Normal file
View File

@ -0,0 +1,143 @@
{{- $version := include "imageVersion" $ }}
{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
{{- range $allNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
rules:
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- list
- watch
{{- else }}
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
# Required while https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
{{- if gt (len $.Values.rbac.secretResourceNames) 0 }}
resourceNames: {{ $.Values.rbac.secretResourceNames }}
{{- end }}
verbs:
- get
- list
- watch
{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
{{- end -}}
{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
- apiGroups:
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
{{- end -}}
{{- if $.Values.podSecurityPolicy.enabled }}
- apiGroups:
- extensions
resourceNames:
- {{ template "traefik.fullname" $ }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end -}}
{{- if $.Values.hub.token }}
- apiGroups:
- ""
resources:
- services
- endpoints
- namespaces
- pods
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end }}
{{- end -}}
{{- end -}}

25
opencloud/charts/traefik/templates/rbac/rolebinding.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces)) -}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
{{- range $allNamespaces }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "traefik.fullname" $ }}
subjects:
- kind: ServiceAccount
name: {{ include "traefik.serviceAccountName" $ }}
namespace: {{ template "traefik.namespace" $ }}
{{- end -}}
{{- end -}}

14
opencloud/charts/traefik/templates/rbac/serviceaccount.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if not .Values.serviceAccount.name -}}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ include "traefik.serviceAccountName" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
annotations:
{{- with .Values.serviceAccountAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

33
opencloud/charts/traefik/templates/requirements.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- $version := include "imageVersion" $ }}
{{- if (ne $version "experimental-v3.0") }}
{{- if (semverCompare "<3.0.0-0" $version) }}
{{- fail "ERROR: This version of the Chart only supports Traefik Proxy v3" -}}
{{- end }}
{{- end }}
{{- if .Values.certResolvers }}
{{- fail "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog." }}
{{- end }}
{{- if and .Values.hub.enabled (not (contains "traefik-hub" .Values.image.repository)) }}
{{- fail "ERROR: traefik-hub image is required when enabling Traefik Hub" -}}
{{- end }}
{{- if and (.Values.providers.kubernetesGateway).enabled (and (semverCompare "<3.1.0-rc3" $version) (not .Values.experimental.kubernetesGateway.enabled)) }}
{{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
{{- end }}
{{- if .Values.hub.token }}
{{- if and .Values.hub.apimanagement.enabled (and .Values.rbac.enabled .Values.rbac.namespaced) }}
{{- fail "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" -}}
{{- end }}
{{- end }}
{{- if .Values.rbac.namespaced }}
{{- if .Values.providers.kubernetesGateway.enabled }}
{{- fail "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." }}
{{- end }}
{{- if and (not .Values.providers.kubernetesIngress.enabled) (not .Values.providers.kubernetesCRD.enabled) }}
{{- fail "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider." }}
{{- end }}
{{- end }}

33
opencloud/charts/traefik/templates/service-metrics.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.metrics.prometheus }}
{{- if .Values.metrics.prometheus.service }}
{{- if (.Values.metrics.prometheus.service).enabled -}}
{{- $fullname := include "traefik.fullname" . }}
{{- if ge (len $fullname) 50 }}
{{- fail "ERROR: Cannot create a metrics service when name contains more than 50 characters" }}
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "traefik.service-name" (dict "root" . "name" "metrics") }}
namespace: {{ template "traefik.namespace" . }}
{{- template "traefik.metrics-service-metadata" . }}
annotations:
{{- with .Values.metrics.prometheus.service.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
ports:
- port: {{ .Values.ports.metrics.port }}
name: "metrics"
targetPort: metrics
protocol: TCP
{{- if .Values.ports.metrics.nodePort }}
nodePort: {{ .Values.ports.metrics.nodePort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

86
opencloud/charts/traefik/templates/service.yaml Normal file
View File

@ -0,0 +1,86 @@
{{- $services := .Values.service.additionalServices -}}
{{- $services = set $services "default" (omit .Values.service "additionalServices") }}
{{- range $name, $service := $services -}}
{{- if ne $service.enabled false -}}
{{- $fullname := include "traefik.service-name" (dict "root" $ "name" $name) }}
{{- $tcpPorts := dict -}}
{{- $udpPorts := dict -}}
{{- $exposedPorts := false -}}
{{- range $portName, $config := $.Values.ports -}}
{{- if $config -}}
{{- if ($config.http3).enabled -}}
{{- if (not $config.tls.enabled) -}}
{{- fail "ERROR: You cannot enable http3 without enabling tls" -}}
{{- end -}}
{{ $udpConfig := deepCopy $config -}}
{{ $_ := set $udpConfig "protocol" "UDP" -}}
{{ $_ := set $udpConfig "exposedPort" (default $config.exposedPort $config.http3.advertisedPort) -}}
{{- if (not $service.single) }}
{{ $_ := set $udpPorts (printf "%s-http3" $portName) $udpConfig -}}
{{- else }}
{{ $_ := set $tcpPorts (printf "%s-http3" $portName) $udpConfig -}}
{{- end }}
{{- end -}}
{{- if eq (toString $config.protocol) "UDP" -}}
{{ $_ := set $udpPorts $portName $config -}}
{{- end -}}
{{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}}
{{ $_ := set $tcpPorts $portName $config -}}
{{- end -}}
{{- if (index (default dict $config.expose) $name) -}}
{{- $exposedPorts = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (eq $exposedPorts false) -}}
{{- fail (printf "ERROR: Cannot create Service %s without ports" $fullname) -}}
{{- end -}}
{{- if and $exposedPorts (or $tcpPorts $service.single) }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $fullname }}
namespace: {{ template "traefik.namespace" $ }}
{{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
annotations:
{{- with (merge dict (default dict $service.annotationsTCP) (default dict $service.annotations)) }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
ports:
{{- template "traefik.service-ports" (dict "ports" $tcpPorts "serviceName" $name) }}
{{- if $service.single }}
{{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
{{- end }}
{{- end }}
{{- if and $exposedPorts (and $udpPorts (not $service.single)) }}
{{- $ports := include "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
{{- if not (empty $ports) }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $fullname }}-udp
namespace: {{ template "traefik.namespace" $ }}
{{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
annotations:
{{- with (merge dict (default dict $service.annotationsUDP) (default dict $service.annotations)) }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
ports:
{{- $ports }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}

69
opencloud/charts/traefik/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,69 @@
{{- if .Values.metrics.prometheus }}
{{- if (.Values.metrics.prometheus.serviceMonitor).enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ .Values.metrics.prometheus.serviceMonitor.namespace | default (include "traefik.namespace" .) }}
labels:
{{- if (.Values.metrics.prometheus.service).enabled }}
{{- include "traefik.metricsservicelabels" . | nindent 4 }}
{{- else }}
{{- include "traefik.labels" . | nindent 4 }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.prometheus.serviceMonitor.jobLabel | default .Release.Name }}
endpoints:
- targetPort: metrics
path: /{{ .Values.metrics.prometheus.entryPoint }}
{{- with .Values.metrics.prometheus.serviceMonitor.honorLabels }}
honorLabels: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.honorTimestamps }}
honorTimestamps: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.enableHttp2 }}
enableHttp2: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.followRedirects }}
followRedirects: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{ tpl (toYaml .Values.metrics.prometheus.serviceMonitor.metricRelabelings | indent 6) . }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.relabelings }}
relabelings:
{{ toYaml .Values.metrics.prometheus.serviceMonitor.relabelings | indent 6 }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.namespaceSelector }}
namespaceSelector:
{{ toYaml .Values.metrics.prometheus.serviceMonitor.namespaceSelector | indent 4 -}}
{{ else }}
namespaceSelector:
matchNames:
- {{ template "traefik.namespace" . }}
{{- end }}
selector:
matchLabels:
{{- if (.Values.metrics.prometheus.service).enabled }}
{{- include "traefik.metricslabelselector" . | nindent 6 }}
{{- else }}
{{- include "traefik.labelselector" . | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}

39
opencloud/charts/traefik/templates/tlsoption.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- range $name, $config := .Values.tlsOptions }}
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: {{ $name }}
namespace: {{ template "traefik.namespace" $ }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
{{- with $config.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with $config.alpnProtocols }}
alpnProtocols:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.cipherSuites }}
cipherSuites:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.clientAuth }}
clientAuth:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.curvePreferences }}
curvePreferences:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.maxVersion }}
maxVersion: {{ . }}
{{- end }}
{{- with $config.minVersion }}
minVersion: {{ . }}
{{- end }}
{{- with $config.sniStrict }}
sniStrict: {{ . }}
{{- end }}
---
{{- end -}}

12
opencloud/charts/traefik/templates/tlsstore.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- range $name, $config := .Values.tlsStore }}
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: {{ $name }}
namespace: {{ template "traefik.namespace" $ }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
spec:
{{- toYaml $config | nindent 2 }}
---
{{- end -}}

1676
opencloud/charts/traefik/values.schema.json Normal file
View File

File diff suppressed because it is too large Load Diff

951
opencloud/charts/traefik/values.yaml Normal file
View File

@ -0,0 +1,951 @@
# Default values for Traefik
# This is a YAML-formatted file.
# Declare variables to be passed into templates
image: # @schema additionalProperties: false
# -- Traefik image host registry
registry: docker.io
# -- Traefik image repository
repository: traefik
# -- defaults to appVersion
tag: # @schema type:[string, null]
# -- Traefik image pull policy
pullPolicy: IfNotPresent
# -- Add additional label to all resources
commonLabels: {}
deployment:
# -- Enable deployment
enabled: true
# -- Deployment or DaemonSet
kind: Deployment
# -- Number of pods of the deployment (only applies when kind == Deployment)
replicas: 1
# -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
revisionHistoryLimit: # @schema type:[integer, null];minimum:0
# -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
terminationGracePeriodSeconds: 60
# -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
minReadySeconds: 0
## -- Override the liveness/readiness port. This is useful to integrate traefik
## with an external Load Balancer that performs healthchecks.
## Default: ports.traefik.port
healthchecksPort: # @schema type:[integer, null];minimum:0
## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
## Default: ports.traefik.hostIP if set, otherwise Pod IP
healthchecksHost: ""
## -- Override the liveness/readiness scheme. Useful for getting ping to
## respond on websecure entryPoint.
healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
## -- Override the readiness path.
## Default: /ping
readinessPath: ""
# -- Override the liveness path.
# Default: /ping
livenessPath: ""
# -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
annotations: {}
# -- Additional deployment labels (e.g. for filtering deployment by custom labels)
labels: {}
# -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
# It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
podAnnotations: {}
# -- Additional Pod labels (e.g. for filtering Pod by custom labels)
podLabels: {}
# -- Additional containers (e.g. for metric offloading sidecars)
additionalContainers: []
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
# - name: socat-proxy
# image: alpine/socat:1.0.5
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
# volumeMounts:
# - name: dsdsocket
# mountPath: /socket
# -- Additional volumes available for use with initContainers and additionalContainers
additionalVolumes: []
# - name: dsdsocket
# hostPath:
# path: /var/run/statsd-exporter
# -- Additional initContainers (e.g. for setting file permission as shown below)
initContainers: []
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
# - name: volume-permissions
# image: busybox:latest
# command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
# volumeMounts:
# - name: data
# mountPath: /data
# -- Use process namespace sharing
shareProcessNamespace: false
# -- Custom pod DNS policy. Apply if `hostNetwork: true`
dnsPolicy: ""
# -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
dnsConfig: {}
# -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
hostAliases: []
# -- Pull secret for fetching traefik container image
imagePullSecrets: []
# -- Pod lifecycle actions
lifecycle: {}
# preStop:
# exec:
# command: ["/bin/sh", "-c", "sleep 40"]
# postStart:
# httpGet:
# path: /ping
# port: 8080
# host: localhost
# scheme: HTTP
# -- Set a runtimeClassName on pod
runtimeClassName: ""
# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
podDisruptionBudget: # @schema additionalProperties: false
enabled: false
maxUnavailable: # @schema type:[string, integer, null];minimum:0
minAvailable: # @schema type:[string, integer, null];minimum:0
# -- Create a default IngressClass for Traefik
ingressClass: # @schema additionalProperties: false
enabled: true
isDefaultClass: true
name: ""
core: # @schema additionalProperties: false
# -- Can be used to use globally v2 router syntax
# See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
defaultRuleSyntax: ""
# Traefik experimental features
experimental:
# -- Enable traefik experimental plugins
plugins: {}
# demo:
# moduleName: github.com/traefik/plugindemo
# version: v0.2.1
kubernetesGateway:
# -- Enable traefik experimental GatewayClass CRD
enabled: false
gateway:
# -- When providers.kubernetesGateway.enabled, deploy a default gateway
enabled: true
# -- Set a custom name to gateway
name: ""
# -- By default, Gateway is created in the same `Namespace` than Traefik.
namespace: ""
# -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
annotations: {}
# -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
infrastructure: {}
# -- Define listeners
listeners:
web:
# -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
# The port must match a port declared in ports section.
port: 8000
# -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
hostname: ""
# Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
protocol: HTTP
# -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces
namespacePolicy: # @schema type:[string, null]
# websecure listener is disabled by default because certificateRefs needs to be added,
# or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
# websecure:
# # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
# # The port must match a port declared in ports section.
# port: 8443
# # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
# hostname:
# # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
# protocol: HTTPS
# # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
# namespacePolicy:
# # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
# certificateRefs:
# # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
# mode:
gatewayClass: # @schema additionalProperties: false
# -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
enabled: true
# -- Set a custom name to GatewayClass
name: ""
# -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
labels: {}
ingressRoute:
dashboard:
# -- Create an IngressRoute for the dashboard
enabled: false
# -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
# -- The router match rule used for the dashboard ingressRoute
matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
# -- The internal service used for the dashboard ingressRoute
services:
- name: api@internal
kind: TraefikService
# -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
# By default, it's using traefik entrypoint, which is not exposed.
# /!\ Do not expose your dashboard without any protection over the internet /!\
entryPoints: ["traefik"]
# -- Additional ingressRoute middlewares (e.g. for authentication)
middlewares: []
# -- TLS options (e.g. secret containing certificate)
tls: {}
healthcheck:
# -- Create an IngressRoute for the healthcheck probe
enabled: false
# -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
# -- The router match rule used for the healthcheck ingressRoute
matchRule: PathPrefix(`/ping`)
# -- The internal service used for the healthcheck ingressRoute
services:
- name: ping@internal
kind: TraefikService
# -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).
# By default, it's using traefik entrypoint, which is not exposed.
entryPoints: ["traefik"]
# -- Additional ingressRoute middlewares (e.g. for authentication)
middlewares: []
# -- TLS options (e.g. secret containing certificate)
tls: {}
updateStrategy: # @schema additionalProperties: false
# -- Customize updateStrategy of Deployment or DaemonSet
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0 # @schema type:[integer, string, null]
maxSurge: 1 # @schema type:[integer, string, null]
readinessProbe: # @schema additionalProperties: false
# -- The number of consecutive failures allowed before considering the probe as failed.
failureThreshold: 1
# -- The number of seconds to wait before starting the first probe.
initialDelaySeconds: 2
# -- The number of seconds to wait between consecutive probes.
periodSeconds: 10
# -- The minimum consecutive successes required to consider the probe successful.
successThreshold: 1
# -- The number of seconds to wait for a probe response before considering it as failed.
timeoutSeconds: 2
livenessProbe: # @schema additionalProperties: false
# -- The number of consecutive failures allowed before considering the probe as failed.
failureThreshold: 3
# -- The number of seconds to wait before starting the first probe.
initialDelaySeconds: 2
# -- The number of seconds to wait between consecutive probes.
periodSeconds: 10
# -- The minimum consecutive successes required to consider the probe successful.
successThreshold: 1
# -- The number of seconds to wait for a probe response before considering it as failed.
timeoutSeconds: 2
# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
startupProbe: {}
providers: # @schema additionalProperties: false
kubernetesCRD:
# -- Load Kubernetes IngressRoute provider
enabled: true
# -- Allows IngressRoute to reference resources in namespace other than theirs
allowCrossNamespace: false
# -- Allows to reference ExternalName services in IngressRoute
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: true
# -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
ingressClass: ""
# labelSelector: environment=production,method=traefik
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
nativeLBByDefault: false
kubernetesIngress:
# -- Load Kubernetes Ingress provider
enabled: true
# -- Allows to reference ExternalName services in Ingress
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: true
# -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
ingressClass: # @schema type:[string, null]
# labelSelector: environment=production,method=traefik
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# IP used for Kubernetes Ingress endpoints
publishedService:
# -- Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice)
enabled: true
# -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
# Default to Service deployed with this Chart.
pathOverride: ""
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
nativeLBByDefault: false
kubernetesGateway:
# -- Enable Traefik Gateway provider for Gateway API
enabled: false
# -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
# This option currently enables support for TCPRoute and TLSRoute.
experimentalChannel: false
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# -- A label selector can be defined to filter on specific GatewayClass objects only.
labelselector: ""
statusAddress:
# -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
ip: ""
# -- This Hostname will get copied to the Gateway status.addresses.
hostname: ""
# -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
service:
name: "{{ (include \"traefik.fullname\" .) }}"
namespace: "{{ .Release.Namespace }}"
file:
# -- Create a file provider
enabled: false
# -- Allows Traefik to automatically watch for file changes
watch: true
# -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
content: ""
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# `additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"`
volumes: []
# - name: public-cert
# mountPath: "/certs"
# type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
# mountPath: "/config"
# type: configMap
# -- Additional volumeMounts to add to the Traefik container
additionalVolumeMounts: []
# -- For instance when using a logshipper for access logs
# - name: traefik-logs
# mountPath: /var/log/traefik
logs:
general:
# -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
# By default, the level is set to INFO.
# -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
level: "INFO" # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
# -- To write the logs into a log file, use the filePath option.
filePath: ""
# -- When set to true and format is common, it disables the colorized output.
noColor: false
access:
# -- To enable access logs
enabled: false
# -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
# filePath: "/var/log/traefik/access.log
# -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)
bufferingSize: # @schema type:[integer, null]
# -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)
filters: # @schema additionalProperties: false
# -- Set statusCodes, to limit the access logs to requests with a status codes in the specified range
statuscodes: ""
# -- Set retryAttempts, to keep the access logs when at least one retry has happened
retryattempts: false
# -- Set minDuration, to keep access logs when requests take longer than the specified duration
minduration: ""
# -- Enables accessLogs for internal resources. Default: false.
addInternals: false
fields:
general:
# -- Set default mode for fields.names
defaultmode: keep # @schema enum:[keep, drop, redact]; default: keep
# -- Names of the fields to limit.
names: {}
# -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)
headers:
# -- Set default mode for fields.headers
defaultmode: drop # @schema enum:[keep, drop, redact]; default: drop
names: {}
metrics:
## -- Enable metrics for internal resources. Default: false
addInternals: false
## -- Prometheus is enabled by default.
## -- It can be disabled by setting "prometheus: null"
prometheus:
# -- Entry point used to expose metrics.
entryPoint: metrics
## Enable metrics on entry points. Default: true
addEntryPointsLabels: # @schema type:[boolean, null]
## Enable metrics on routers. Default: false
addRoutersLabels: # @schema type:[boolean, null]
## Enable metrics on services. Default: true
addServicesLabels: # @schema type:[boolean, null]
## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
buckets: ""
## When manualRouting is true, it disables the default internal router in
## order to allow creating a custom router for prometheus@internal service.
manualRouting: false
service:
# -- Create a dedicated metrics service to use with ServiceMonitor
enabled: false
labels: {}
annotations: {}
# -- When set to true, it won't check if Prometheus Operator CRDs are deployed
disableAPICheck: # @schema type:[boolean, null]
serviceMonitor:
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
enabled: false
metricRelabelings: []
relabelings: []
jobLabel: ""
interval: ""
honorLabels: false
scrapeTimeout: ""
honorTimestamps: false
enableHttp2: false
followRedirects: false
additionalLabels: {}
namespace: ""
namespaceSelector: {}
prometheusRule:
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
enabled: false
additionalLabels: {}
namespace: ""
# datadog:
# ## Address instructs exporter to send metrics to datadog-agent at this address.
# address: "127.0.0.1:8125"
# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
# # pushInterval: 30s
# ## The prefix to use for metrics collection. Default="traefik"
# # prefix: traefik
# ## Enable metrics on entry points. Default=true
# # addEntryPointsLabels: false
# ## Enable metrics on routers. Default=false
# # addRoutersLabels: true
# ## Enable metrics on services. Default=true
# # addServicesLabels: false
# influxdb2:
# ## Address instructs exporter to send metrics to influxdb v2 at this address.
# address: localhost:8086
# ## Token with which to connect to InfluxDB v2.
# token: xxx
# ## Organisation where metrics will be stored.
# org: ""
# ## Bucket where metrics will be stored.
# bucket: ""
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
# # pushInterval: 30s
# ## Additional labels (influxdb tags) on all metrics.
# # additionalLabels:
# # env: production
# # foo: bar
# ## Enable metrics on entry points. Default=true
# # addEntryPointsLabels: false
# ## Enable metrics on routers. Default=false
# # addRoutersLabels: true
# ## Enable metrics on services. Default=true
# # addServicesLabels: false
# statsd:
# ## Address instructs exporter to send metrics to statsd at this address.
# address: localhost:8125
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
# # pushInterval: 30s
# ## The prefix to use for metrics collection. Default="traefik"
# # prefix: traefik
# ## Enable metrics on entry points. Default=true
# # addEntryPointsLabels: false
# ## Enable metrics on routers. Default=false
# # addRoutersLabels: true
# ## Enable metrics on services. Default=true
# # addServicesLabels: false
otlp:
# -- Set to true in order to enable the OpenTelemetry metrics
enabled: false
# -- Enable metrics on entry points. Default: true
addEntryPointsLabels: # @schema type:[boolean, null]
# -- Enable metrics on routers. Default: false
addRoutersLabels: # @schema type:[boolean, null]
# -- Enable metrics on services. Default: true
addServicesLabels: # @schema type:[boolean, null]
# -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
explicitBoundaries: []
# -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
pushInterval: ""
http:
# -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
enabled: false
# -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
endpoint: ""
# -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
headers: {}
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
tls:
# -- The path to the certificate authority, it defaults to the system bundle.
ca: ""
# -- The path to the public certificate. When using this option, setting the key option is required.
cert: ""
# -- The path to the private key. When using this option, setting the cert option is required.
key: ""
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
insecureSkipVerify: # @schema type:[boolean, null]
grpc:
# -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
enabled: false
# -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
endpoint: ""
# -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
insecure: false
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
tls:
# -- The path to the certificate authority, it defaults to the system bundle.
ca: ""
# -- The path to the public certificate. When using this option, setting the key option is required.
cert: ""
# -- The path to the private key. When using this option, setting the cert option is required.
key: ""
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
insecureSkipVerify: false
## Tracing
# -- https://doc.traefik.io/traefik/observability/tracing/overview/
tracing: # @schema additionalProperties: false
# -- Enables tracing for internal resources. Default: false.
addInternals: false
otlp:
# -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/
enabled: false
http:
# -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
enabled: false
# -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
endpoint: ""
# -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
headers: {}
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
tls:
# -- The path to the certificate authority, it defaults to the system bundle.
ca: ""
# -- The path to the public certificate. When using this option, setting the key option is required.
cert: ""
# -- The path to the private key. When using this option, setting the cert option is required.
key: ""
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
insecureSkipVerify: false
grpc:
# -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
enabled: false
# -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
endpoint: ""
# -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
insecure: false
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
tls:
# -- The path to the certificate authority, it defaults to the system bundle.
ca: ""
# -- The path to the public certificate. When using this option, setting the key option is required.
cert: ""
# -- The path to the private key. When using this option, setting the cert option is required.
key: ""
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
insecureSkipVerify: false
# -- Global command arguments to be passed to all traefik's pods
globalArguments:
- "--global.checknewversion"
- "--global.sendanonymoususage"
# -- Additional arguments to be passed at Traefik's binary
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments: []
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
# - "--log.level=DEBUG"
# -- Additional Environment variables to be passed to Traefik's binary
# @default -- See _values.yaml_
env: []
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
envFrom: []
ports:
traefik:
port: 8080
# -- Use hostPort if set.
hostPort: # @schema type:[integer, null]; minimum:0
# -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
# means it's listening on all your interfaces and all your IPs. You may want
# to set this value if you need traefik to listen on specific interface
# only.
hostIP: # @schema type:[string, null]
# Defines whether the port is exposed if service.type is LoadBalancer or
# NodePort.
#
# -- You SHOULD NOT expose the traefik port on production deployments.
# If you want to access it from outside your cluster,
# use `kubectl port-forward` or create a secure ingress
expose:
default: false
# -- The exposed port for this service
exposedPort: 8080
# -- The port protocol (TCP/UDP)
protocol: TCP
web:
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
# asDefault: true
port: 8000
# hostPort: 8000
# containerPort: 8000
expose:
default: true
exposedPort: 80
## -- Different target traefik port on the cluster, useful for IP type LB
targetPort: # @schema type:[string, integer, null]; minimum:0
# The port protocol (TCP/UDP)
protocol: TCP
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
nodePort: # @schema type:[integer, null]; minimum:0
# Port Redirections
# Added in 2.2, you can make permanent redirects via entrypoints.
# https://docs.traefik.io/routing/entrypoints/#redirection
redirectTo: {}
forwardedHeaders:
# -- Trust forwarded headers information (X-Forwarded-*).
trustedIPs: []
insecure: false
proxyProtocol:
# -- Enable the Proxy Protocol header parsing for the entry point
trustedIPs: []
insecure: false
# -- Set transport settings for the entrypoint; see also
# https://doc.traefik.io/traefik/routing/entrypoints/#transport
transport:
respondingTimeouts:
readTimeout: # @schema type:[string, integer, null]
writeTimeout: # @schema type:[string, integer, null]
idleTimeout: # @schema type:[string, integer, null]
lifeCycle:
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
graceTimeOut: # @schema type:[string, integer, null]
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
keepAliveMaxTime: # @schema type:[string, integer, null]
websecure:
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
# asDefault: true
port: 8443
hostPort: # @schema type:[integer, null]; minimum:0
containerPort: # @schema type:[integer, null]; minimum:0
expose:
default: true
exposedPort: 443
## -- Different target traefik port on the cluster, useful for IP type LB
targetPort: # @schema type:[string, integer, null]; minimum:0
## -- The port protocol (TCP/UDP)
protocol: TCP
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
nodePort: # @schema type:[integer, null]; minimum:0
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
appProtocol: # @schema type:[string, null]
# -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass)
allowACMEByPass: false
http3:
## -- Enable HTTP/3 on the entrypoint
## Enabling it will also enable http3 experimental feature
## https://doc.traefik.io/traefik/routing/entrypoints/#http3
## There are known limitations when trying to listen on same ports for
## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
enabled: false
advertisedPort: # @schema type:[integer, null]; minimum:0
forwardedHeaders:
# -- Trust forwarded headers information (X-Forwarded-*).
trustedIPs: []
insecure: false
proxyProtocol:
# -- Enable the Proxy Protocol header parsing for the entry point
trustedIPs: []
insecure: false
# -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport)
transport:
respondingTimeouts:
readTimeout: # @schema type:[string, integer, null]
writeTimeout: # @schema type:[string, integer, null]
idleTimeout: # @schema type:[string, integer, null]
lifeCycle:
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
graceTimeOut: # @schema type:[string, integer, null]
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
keepAliveMaxTime: # @schema type:[string, integer, null]
# -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls)
tls:
enabled: true
options: ""
certResolver: ""
domains: []
# -- One can apply Middlewares on an entrypoint
# https://doc.traefik.io/traefik/middlewares/overview/
# https://doc.traefik.io/traefik/routing/entrypoints/#middlewares
# -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\
# It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace
# - namespace-name1@kubernetescrd
# - namespace-name2@kubernetescrd
middlewares: []
metrics:
# -- When using hostNetwork, use another port to avoid conflict with node exporter:
# https://github.com/prometheus/prometheus/wiki/Default-port-allocations
port: 9100
# -- You may not want to expose the metrics port on production deployments.
# If you want to access it from outside your cluster,
# use `kubectl port-forward` or create a secure ingress
expose:
default: false
# -- The exposed port for this service
exposedPort: 9100
# -- The port protocol (TCP/UDP)
protocol: TCP
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
# See EXAMPLE.md for details.
tlsOptions: {}
# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details.
tlsStore: {}
service:
enabled: true
## -- Single service is using `MixedProtocolLBService` feature gate.
## -- When set to false, it will create two Service, one for TCP and one for UDP.
single: true
type: LoadBalancer
# -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
annotations: {}
# -- Additional annotations for TCP service only
annotationsTCP: {}
# -- Additional annotations for UDP service only
annotationsUDP: {}
# -- Additional service labels (e.g. for filtering Service by custom labels)
labels: {}
# -- Additional entries here will be added to the service spec.
# -- Cannot contain type, selector or ports entries.
spec: {}
# externalTrafficPolicy: Cluster
# loadBalancerIP: "1.2.3.4"
# clusterIP: "2.3.4.5"
loadBalancerSourceRanges: []
# - 192.168.0.1/32
# - 172.16.0.0/16
## -- Class of the load balancer implementation
# loadBalancerClass: service.k8s.aws/nlb
externalIPs: []
# - 1.2.3.4
## One of SingleStack, PreferDualStack, or RequireDualStack.
# ipFamilyPolicy: SingleStack
## List of IP families (e.g. IPv4 and/or IPv6).
## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
# ipFamilies:
# - IPv4
# - IPv6
##
additionalServices: {}
## -- An additional and optional internal Service.
## Same parameters as external Service
# internal:
# type: ClusterIP
# # labels: {}
# # annotations: {}
# # spec: {}
# # loadBalancerSourceRanges: []
# # externalIPs: []
# # ipFamilies: [ "IPv4","IPv6" ]
autoscaling:
# -- Create HorizontalPodAutoscaler object.
# See EXAMPLES.md for more details.
enabled: false
persistence:
# -- Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
# It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option
enabled: false
name: data
existingClaim: ""
accessMode: ReadWriteOnce
size: 128Mi
storageClass: ""
volumeName: ""
path: /data
annotations: {}
# -- Only mount a subpath of the Volume into the pod
subPath: ""
# -- Certificates resolvers configuration.
# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
# See EXAMPLES.md for more details.
certificatesResolvers: {}
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
hostNetwork: false
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
rbac: # @schema additionalProperties: false
enabled: true
# When set to true:
# 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.
# 2. It adds `disableIngressClassLookup` on Kubernetes Ingress with Traefik Proxy v3 until v3.1.4
# 3. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers with Traefik Proxy v3.1.2+
# **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC.
# See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details.
namespaced: false
# Enable user-facing roles
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
aggregateTo: []
# List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret.
secretResourceNames: []
# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
podSecurityPolicy:
enabled: false
# -- The service account the pods will use to interact with the Kubernetes API
serviceAccount: # @schema additionalProperties: false
# If set, an existing service account is used
# If not set, a service account is created automatically using the fullname template
name: ""
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources: {}
# -- This example pod anti-affinity forces the scheduler to put traefik pods
# -- on nodes where no other traefik pods are scheduled.
# It should be used when hostNetwork: true to prevent port conflicts
affinity: {}
# podAntiAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# - labelSelector:
# matchLabels:
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
# topologyKey: kubernetes.io/hostname
# -- nodeSelector is the simplest recommended form of node selection constraint.
nodeSelector: {}
# -- Tolerations allow the scheduler to schedule pods with matching taints.
tolerations: []
# -- You can use topology spread constraints to control
# how Pods are spread across your cluster among failure-domains.
topologySpreadConstraints: []
# This example topologySpreadConstraints forces the scheduler to put traefik pods
# on nodes where no other traefik pods are scheduled.
# - labelSelector:
# matchLabels:
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
# maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
priorityClassName: ""
# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
# @default -- See _values.yaml_
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
# @default -- See _values.yaml_
podSecurityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
#
# -- Extra objects to deploy (value evaluated as a template)
#
# In some cases, it can avoid the need for additional, extended or adhoc deployments.
# See #595 for more details and traefik/tests/values/extra.yaml for example.
extraObjects: []
# -- This field override the default Release Namespace for Helm.
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
namespaceOverride: ""
## -- This field override the default app.kubernetes.io/instance label for all Objects.
instanceLabelOverride: ""
# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
hub:
# -- Name of `Secret` with key 'token' set to a valid license token.
# It enables API Gateway.
token: ""
apimanagement:
# -- Set to true in order to enable API Management. Requires a valid license token.
enabled: false
admission:
# -- WebHook admission server listen address. Default: "0.0.0.0:9943".
listenAddr: ""
# -- Certificate of the WebHook admission server. Default: "hub-agent-cert".
secretName: ""
redis:
# -- Enable Redis Cluster. Default: true.
cluster: # @schema type:[boolean, null]
# -- Database used to store information. Default: "0".
database: # @schema type:[string, null]
# -- Endpoints of the Redis instances to connect to. Default: "".
endpoints: ""
# -- The username to use when connecting to Redis endpoints. Default: "".
username: ""
# -- The password to use when connecting to Redis endpoints. Default: "".
password: ""
sentinel:
# -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
masterset: ""
# -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
username: ""
# -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
password: ""
# -- Timeout applied on connection with redis. Default: "0s".
timeout: ""
tls:
# -- Path to the certificate authority used for the secured connection.
ca: ""
# -- Path to the public certificate used for the secure connection.
cert: ""
# -- Path to the private key used for the secure connection.
key: ""
# -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
insecureSkipVerify: false
# Enable export of errors logs to the platform. Default: true.
sendlogs: # @schema type:[boolean, null]

15
opencloud/dev-values.yaml Normal file
View File

@ -0,0 +1,15 @@
openldap:
enabled: false
traefik:
enabled: true
service:
type: NodePort
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)
entryPoints: [web]
ports:
web:
nodePort: 30950

0
opencloud/templates/traefik.yaml Normal file
View File

5
uninstall_development.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
RELEASE_NAME=dev
RELEASE_NAMESPACE=dev
helm uninstall ${RELEASE_NAME} -n ${RELEASE_NAMESPACE}