fix: vendor critical bootstrap charts

2026-04-26 21:01:01 +00:00
parent 14462dd870
commit a2ed9555c0
175 changed files with 64772 additions and 57 deletions
@@ -0,0 +1,2 @@
tests/
crds/kustomization.yaml
@@ -0,0 +1,13 @@
# Required
values:
- values.yaml
draft: 2020
indent: 4
output: values.schema.json
schemaRoot:
id: https://traefik.io/traefik-helm-chart.schema.json
title: Traefik Proxy Helm Chart
description: The Cloud Native Application Proxy
additionalProperties: false
+31
@@ -0,0 +1,31 @@
annotations:
artifacthub.io/changes: "- \"refactor(chart): clean output on Deployment & Daemonset\"\n-
\"fix(security)!: add support for request path options of Traefik 3.6.7+\"\n-
\"fix(ports)!: \U0001F41B entrypoints `http` options\"\n- \"feat(gateway-api):
add support for defaultScope experimental feature\"\n- \"feat(deps)!: update traefik
docker tag to v3.6.7\"\n- \"feat(chart): enforce schema\"\n- \"feat(CRDs)!: support
Traefik Hub v3.19.0\"\n- \"docs(values): avoid unbreakable lines in table output
of VALUES.md\"\n- \"chore(release): \U0001F680 publish traefik 39.0.0 and crds
1.14.0\"\n"
apiVersion: v2
appVersion: v3.6.7
description: A Traefik based Kubernetes ingress controller
home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/master/docs/content/assets/img/traefik.logo.png
keywords:
- traefik
- ingress
- networking
kubeVersion: '>=1.22.0-0'
maintainers:
- email: michel.loiseleur@traefik.io
name: mloiseleur
- email: remi.buisson@traefik.io
name: darkweaver87
- name: jnoordsij
name: traefik
sources:
- https://github.com/traefik/traefik-helm-chart
- https://github.com/traefik/traefik
type: application
version: 39.0.0
@@ -0,0 +1,34 @@
# Traefik Helm Chart Guidelines
This document outlines the guidelines for developing, managing and extending the Traefik helm chart.
This Helm Chart is documented using field description from comments with [helm-docs](https://github.com/norwoodj/helm-docs).
It comes with a JSON schema generated from values with [helm schema](https://github.com/losisin/helm-values-schema-json) plugin.
## Feature Example
```yaml
logs:
general:
# -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
```
Documention is on the first comment, starting with `# --`
Specific instructions for schema, when needed, are done with the inline comment starting with `# @schema`.
## Whitespace
Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace:
```yaml
{{- if .Values }}
{{- end }}
```
There should be an empty commented line between each primary key in the values.yaml file to separate features from each other.
## Values YAML Design
The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names do not have to correspond to fields in the template if it is not conducive.
+202
@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2020 Containous
Copyright 2020 Traefik Labs
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
+216
@@ -0,0 +1,216 @@
# Traefik
[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
## Introduction
### Philosophy
The Traefik Helm chart is focused on Traefik deployment configuration.
To keep this Helm chart as generic as possible, we avoid integrating third-party solutions or targeting specific use cases.
If you want to customize the chart for your needs, you can:
1. Override the default Traefik configuration values (see [yaml file or CLI](https://helm.sh/docs/chart_template_guide/values_files/)).
2. Append your own configurations (for example, by running `kubectl apply -f myconf.yaml`).
[Examples](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md) of common usage are provided.
If you need to include additional Kubernetes objects or extend functionality, use [`extraObjects`](./traefik/tests/values/extra.yaml) or add this chart as a [subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/).
### Major Changes
Starting with v28.x, this chart bootstraps Traefik Proxy version 3 as a Kubernetes ingress controller, using the [`IngressRoute`](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/) Custom Resource.
To upgrade from chart versions prior to v28.x (which use Traefik Proxy version 2), see:
- [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/)
- Upgrade notes in the [`README` on the v27 branch](https://github.com/traefik/traefik-helm-chart/tree/v27)
Starting with v34.x, to work around [Helm caveats](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations), you can use an additional chart dedicated to CRDs: **traefik-crds**.
⚠️ This has been deprecated since v38.0.2.
### Support for Traefik Proxy v2
If you need to use this chart with Traefik Proxy v2, use chart version v27.x.
This chart's support policy aligns with the [upstream support policy](https://doc.traefik.io/traefik/deprecation/releases/) of Traefik Proxy.
For compatibility details, installation instructions, or previous upgrade notes, check the [`README` on the v27 branch](https://github.com/traefik/traefik-helm-chart/tree/v27).
## Installing
### Prerequisites
1. Kubernetes (server) version **v1.22.0 or higher**: `kubectl version`
1. Helm **v3.9.0 or higher** [installed](https://helm.sh/docs/using_helm/#installing-helm): `helm version`
1. Traefik's chart repository: `helm repo add traefik https://traefik.github.io/charts`
### Deploying
#### Standard Installation
To install the chart with default values:
```bash
helm install traefik traefik/traefik
```
or, to install from the OCI registry:
```bash
helm install traefik oci://ghcr.io/traefik/helm/traefik
```
To customize the installation, provide a custom `values` file:
```bash
helm install -f myvalues.yaml traefik traefik/traefik
```
To see example values files, refer to the provided [EXAMPLES](./EXAMPLES.md).
For complete documentation on all available parameters, check the [default values file](./traefik/values.yaml).
#### With Additional CRDs Chart (⚠️ deprecated)
> [!Caution]
> The `traefik-crds` chart is deprecated. It will be removed soon
To manage CRDs separately, use the optional CRDs chart. When using it, the CRDs from the regular Traefik chart are not required.
For more details, see [here](./CONTRIBUTING.md#about-crds).
To install with the CRDs chart:
```bash
helm install traefik-crds traefik/traefik-crds
helm install traefik traefik/traefik --skip-crds
helm list # should display two charts installed
```
## Verification
Starting with v37.0.0, chart releases are signed using *provenance files*.
To verify the chart, follow these steps:
### 1. Download the Public Signing Key
To download the official Traefik Helm chart signing key, run:
```shell
gpg --receive-keys --keyserver hkps://keys.openpgp.org 'B0FBA7678F685E9B7024B79FFD92BB57C5A71A99'
```
Example output:
```shell
gpg: key FD92BB57C5A71A99: public key "TraefikLabs Chart Signing Key <noreply@traefik.io>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
### 2. Export the Signing Key
By default, GnuPG v2 stores keyrings in a format that is not compatible with Helm chart provenance verification. Before you can verify a Helm chart, you must convert your keyrings to the legacy format:
```shell
gpg --export --output $HOME/.gnupg/pubring.gpg 'B0FBA7678F685E9B7024B79FFD92BB57C5A71A99'
```
### 3. Verify the Chart
To verify the chart, use the appropriate command for your registry:
- OCI Registry
```shell
helm fetch --verify --keyring $HOME/.gnupg/traefik.pubring.gpg oci://ghcr.io/traefik/helm/traefik:<VERSION>
```
- Helm Registry (GitHub Pages)
```shell
helm fetch --verify --keyring $HOME/.gnupg/traefik.pubring.gpg traefik/traefik --version <VERSION>
```
## Upgrading
To see what has changed in each release, check the [Changelog](./traefik/Changelog.md).
A new major version indicates that there is an incompatible breaking change.
> [!WARNING]
> To avoid issues, **always read the release notes for this chart before upgrading**.
### Upgrade the Standalone Traefik Chart
If you use Helm's native CRD management, you **MUST** upgrade CRDs before running `helm upgrade`, since Helm does **not** update CRDs automatically. See [HIP-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md) for details.
To upgrade the Traefik chart and its CRDs:
```bash
# Update the chart repository
helm repo update
# Check current chart & Traefik version
helm search repo traefik/traefik
# Update CRDs
helm show crds traefik/traefik | kubectl apply --server-side --force-conflicts -f -
# Upgrade Traefik release
helm upgrade traefik traefik/traefik
```
### Upgrade from the Standard Traefik Chart to Traefik + Opt-In CRDs Chart
> [!Caution]
> The `traefik-crds` chart is deprecated. It will be removed soon
> [!WARNING]
> To avoid conflicts, **you must change the ownership of CRDs before installing the CRDs chart**.
To migrate to the setup with the additional CRDs chart:
```bash
# Update the chart repository
helm repo update
# Update CRD ownership
kubectl get customresourcedefinitions.apiextensions.k8s.io -o name | grep traefik.io | \
xargs kubectl patch --type='json' -p='[{"op": "add", "path": "/metadata/labels", "value": {"app.kubernetes.io/managed-by":"Helm"}},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-name", "value":"traefik-crds"},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-namespace", "value":"default"}]'
# If you use gateway API, also change Gateway API ownership
kubectl get customresourcedefinitions.apiextensions.k8s.io -o name | grep gateway.networking.k8s.io | \
xargs kubectl patch --type='json' -p='[{"op": "add", "path": "/metadata/labels", "value": {"app.kubernetes.io/managed-by":"Helm"}},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-name", "value":"traefik-crds"},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-namespace", "value":"default"}]'
# Deploy the optional CRDs chart
helm install traefik-crds traefik/traefik-crds
# Upgrade Traefik release
helm upgrade traefik traefik/traefik
```
### Upgrade When Using Both Traefik and Opt-In CRDs Chart
> [!Caution]
> The `traefik-crds` chart is deprecated. It will be removed soon
To upgrade both Traefik and CRDs charts:
```bash
# Update the chart repository
helm repo update
# Check the current chart & Traefik version
helm search repo traefik/traefik
# Upgrade CRDs (Traefik Proxy v3 CRDs)
helm upgrade traefik-crds traefik/traefik
# Upgrade Traefik release
helm upgrade traefik traefik/traefik
```
## Contributing
To contribute to this chart, please read the [Contributing Guide](./CONTRIBUTING.md).
Thank you to everyone who has already contributed!
<a href="https://github.com/traefik/traefik-helm-chart/graphs/contributors">
<img src="https://contributors-img.web.app/image?repo=traefik/traefik-helm-chart" alt="Contributors"/>
</a>
+500
@@ -0,0 +1,500 @@
# traefik
![Version: 39.0.0](https://img.shields.io/badge/Version-39.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.6.7](https://img.shields.io/badge/AppVersion-v3.6.7-informational?style=flat-square)
A Traefik based Kubernetes ingress controller
**Homepage:** <https://traefik.io/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| mloiseleur | <michel.loiseleur@traefik.io> | |
| darkweaver87 | <remi.buisson@traefik.io> | |
| jnoordsij | | |
## Source Code
* <https://github.com/traefik/traefik-helm-chart>
* <https://github.com/traefik/traefik>
## Requirements
Kubernetes: `>=1.22.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` |
| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
| api.basePath | string | `""` | Configure API basePath |
| api.dashboard | bool | `true` | Enable the dashboard |
| autoscaling.behavior | object | `{}` | behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). |
| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
| autoscaling.maxReplicas | string | `nil` | maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. |
| autoscaling.metrics | list | `[]` | metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). |
| autoscaling.minReplicas | string | `nil` | minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. |
| autoscaling.scaleTargetRef | object | Traefik Deployment | scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count. |
| certificatesResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
| commonLabels | object | `{}` | Add additional label to all resources |
| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax. Deprecated since v3.4 /!\. See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers |
| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) |
| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) |
| deployment.dnsPolicy | string | `""` | Custom pod DNS policy. Apply if `hostNetwork: true` |
| deployment.enabled | bool | `true` | Enable deployment |
| deployment.goMemLimitPercentage | float | `0.9` | only takes effect when resources.limits.memory is set |
| deployment.healthchecksHost | string | `""` | |
| deployment.healthchecksPort | string | `nil` | |
| deployment.healthchecksScheme | string | `nil` | |
| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) |
| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image |
| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) |
| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet |
| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) |
| deployment.lifecycle | object | `{}` | Pod lifecycle actions |
| deployment.livenessPath | string | `""` | Override the liveness path. Default: /ping |
| deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available |
| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' |
| deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) |
| deployment.readinessPath | string | `""` | |
| deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) |
| deployment.revisionHistoryLimit | string | `nil` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) |
| deployment.runtimeClassName | string | `""` | Set a runtimeClassName on pod |
| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down |
| env | list | `[]` | Additional Environment variables to be passed to Traefik's binary |
| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
| experimental.abortOnPluginFailure | bool | `false` | Defines whether all plugins must be loaded successfully for Traefik to start |
| experimental.fastProxy.debug | bool | `false` | Enable debug mode for the FastProxy implementation. |
| experimental.fastProxy.enabled | bool | `false` | Enables the FastProxy implementation. |
| experimental.knative | bool | `false` | Enable Knative provider experimental feature. |
| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
| experimental.localPlugins | object | `{}` | Enable experimental local plugins |
| experimental.otlpLogs | bool | `false` | Enable OTLP logging experimental feature. |
| experimental.plugins | object | `{}` | Enable experimental plugins |
| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
| gateway.annotations | object | `{}` | Additional gateway annotations (e.g. for cert-manager.io/issuer) |
| gateway.defaultScope | string | `nil` | Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways) by setting the `defaultScope` field (e.g. `All` or `Namespace`). |
| gateway.enabled | bool | `true` | When providers.kubernetesGateway.enabled, deploy a default gateway |
| gateway.infrastructure | object | `{}` | [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels) |
| gateway.listeners.web.hostname | string | `""` | Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) |
| gateway.listeners.web.namespacePolicy | object | `nil` | Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces |
| gateway.listeners.web.port | int | `8000` | Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section. |
| gateway.listeners.web.protocol | string | `"HTTP"` | |
| gateway.name | string | `""` | Set a custom name to gateway |
| gateway.namespace | string | `""` | By default, Gateway is created in the same `Namespace` as Traefik. |
| gatewayClass.enabled | bool | `true` | When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass |
| gatewayClass.labels | object | `{}` | Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) |
| gatewayClass.name | string | `""` | Set a custom name to GatewayClass |
| global.azure | object | See _values.yaml_ | Required for Azure Marketplace integration. See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart |
| global.checkNewVersion | bool | `true` | |
| global.sendAnonymousUsage | bool | `false` | Please take time to consider whether or not you wish to share anonymous data with us See https://doc.traefik.io/traefik/contributing/data-collection/ |
| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulable pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. |
| hub.aigateway.enabled | bool | `false` | Set to true in order to enable AI Gateway. Requires a valid license token. |
| hub.aigateway.maxRequestBodySize | string | `nil` | Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB). |
| hub.apimanagement.admission.annotations | object | `{}` | Set custom annotations. |
| hub.apimanagement.admission.customWebhookCertificate | object | `{}` | Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding. |
| hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
| hub.apimanagement.admission.restartOnCertificateChange | bool | `true` | Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update. |
| hub.apimanagement.admission.secretName | string | `"hub-agent-cert"` | Certificate name of the WebHook admission server. Default: "hub-agent-cert". |
| hub.apimanagement.admission.selfManagedCertificate | bool | `false` | By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details. |
| hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. |
| hub.apimanagement.openApi.validateRequestMethodAndPath | bool | `false` | When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification |
| hub.mcpgateway.enabled | bool | `false` | Set to true in order to enable AI MCP Gateway. Requires a valid license token. |
| hub.mcpgateway.maxRequestBodySize | string | `nil` | Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB). |
| hub.namespaces | list | `[]` | By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array. |
| hub.offline | string | `nil` | Disables all external network connections. |
| hub.pluginRegistry.sources | object | `{}` | |
| hub.providers.consulCatalogEnterprise.cache | bool | `false` | Use local agent caching for catalog reads. |
| hub.providers.consulCatalogEnterprise.connectAware | bool | `false` | Enable Consul Connect support. |
| hub.providers.consulCatalogEnterprise.connectByDefault | bool | `false` | Consider every service as Connect capable by default. |
| hub.providers.consulCatalogEnterprise.constraints | string | `""` | Constraints is an expression that Traefik matches against the container's labels |
| hub.providers.consulCatalogEnterprise.defaultRule | string | `"Host(`{{ normalize .Name }}`)"` | Default rule. |
| hub.providers.consulCatalogEnterprise.enabled | bool | `false` | Enable Consul Catalog Enterprise backend with default settings. |
| hub.providers.consulCatalogEnterprise.endpoint.address | string | `""` | The address of the Consul server |
| hub.providers.consulCatalogEnterprise.endpoint.datacenter | string | `""` | Data center to use. If not provided, the default agent data center is used |
| hub.providers.consulCatalogEnterprise.endpoint.endpointWaitTime | int | `0` | WaitTime limits how long a Watch will block. If not provided, the agent default |
| hub.providers.consulCatalogEnterprise.endpoint.httpauth.password | string | `""` | Basic Auth password |
| hub.providers.consulCatalogEnterprise.endpoint.httpauth.username | string | `""` | Basic Auth username |
| hub.providers.consulCatalogEnterprise.endpoint.scheme | string | `""` | The URI scheme for the Consul server |
| hub.providers.consulCatalogEnterprise.endpoint.tls.ca | string | `""` | TLS CA |
| hub.providers.consulCatalogEnterprise.endpoint.tls.cert | string | `""` | TLS cert |
| hub.providers.consulCatalogEnterprise.endpoint.tls.insecureSkipVerify | bool | `false` | TLS insecure skip verify |
| hub.providers.consulCatalogEnterprise.endpoint.tls.key | string | `""` | TLS key |
| hub.providers.consulCatalogEnterprise.endpoint.token | string | `""` | Token is used to provide a per-request ACL token which overrides the agent's |
| hub.providers.consulCatalogEnterprise.exposedByDefault | bool | `true` | Expose containers by default. |
| hub.providers.consulCatalogEnterprise.namespaces | string | `""` | Sets the namespaces used to discover services (Consul Enterprise only). |
| hub.providers.consulCatalogEnterprise.partition | string | `""` | Sets the partition used to discover services (Consul Enterprise only). |
| hub.providers.consulCatalogEnterprise.prefix | string | `"traefik"` | Prefix for consul service tags. |
| hub.providers.consulCatalogEnterprise.refreshInterval | int | `15` | Interval for checking Consul API. |
| hub.providers.consulCatalogEnterprise.requireConsistent | bool | `false` | Forces the read to be fully consistent. |
| hub.providers.consulCatalogEnterprise.serviceName | string | `"traefik"` | Name of the Traefik service in Consul Catalog (needs to be registered via the |
| hub.providers.consulCatalogEnterprise.stale | bool | `false` | Use stale consistency for catalog reads. |
| hub.providers.consulCatalogEnterprise.strictChecks | string | `"passing, warning"` | A list of service health statuses to allow taking traffic. |
| hub.providers.consulCatalogEnterprise.watch | bool | `false` | Watch Consul API events. |
| hub.providers.microcks.auth.clientId | string | `""` | Microcks API client ID. |
| hub.providers.microcks.auth.clientSecret | string | `""` | Microcks API client secret. |
| hub.providers.microcks.auth.endpoint | string | `""` | Microcks API endpoint. |
| hub.providers.microcks.auth.token | string | `""` | Microcks API token. |
| hub.providers.microcks.enabled | bool | `false` | Enable Microcks provider. |
| hub.providers.microcks.endpoint | string | `""` | Microcks API endpoint. |
| hub.providers.microcks.pollInterval | int | `30` | Polling interval for Microcks API. |
| hub.providers.microcks.pollTimeout | int | `5` | Polling timeout for Microcks API. |
| hub.providers.microcks.tls.ca | string | `""` | TLS CA |
| hub.providers.microcks.tls.cert | string | `""` | TLS cert |
| hub.providers.microcks.tls.insecureSkipVerify | bool | `false` | TLS insecure skip verify |
| hub.providers.microcks.tls.key | string | `""` | TLS key |
| hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. |
| hub.redis.database | string | `nil` | Database used to store information. Default: "0". |
| hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". |
| hub.redis.password | string | `""` | The password to use when connecting to Redis endpoints. Default: "". |
| hub.redis.sentinel.masterset | string | `""` | Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". |
| hub.redis.sentinel.password | string | `""` | Password to use for sentinel authentication (can be different from endpoint password). Default: "". |
| hub.redis.sentinel.username | string | `""` | Username to use for sentinel authentication (can be different from endpoint username). Default: "". |
| hub.redis.timeout | string | `""` | Timeout applied on connection with redis. Default: "0s". |
| hub.redis.tls.ca | string | `""` | Path to the certificate authority used for the secured connection. |
| hub.redis.tls.cert | string | `""` | Path to the public certificate used for the secure connection. |
| hub.redis.tls.insecureSkipVerify | bool | `false` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. |
| hub.redis.tls.key | string | `""` | Path to the private key used for the secure connection. |
| hub.redis.username | string | `""` | The username to use when connecting to Redis endpoints. Default: "". |
| hub.sendlogs | string | `nil` | |
| hub.token | string | `""` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. |
| hub.tracing.additionalTraceHeaders.enabled | bool | See below | Tracing headers to duplicate. To configure the following, tracing.otlp.enabled needs to be set to true. |
| hub.tracing.additionalTraceHeaders.traceContext.parentId | string | `""` | Name of the header that will contain the parent-id header copy. |
| hub.tracing.additionalTraceHeaders.traceContext.traceId | string | `""` | Name of the header that will contain the trace-id copy. |
| hub.tracing.additionalTraceHeaders.traceContext.traceParent | string | `""` | Name of the header that will contain the traceparent copy. |
| hub.tracing.additionalTraceHeaders.traceContext.traceState | string | `""` | Name of the header that will contain the tracestate copy. |
| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy |
| image.registry | string | `"docker.io"` | Traefik image host registry |
| image.repository | string | `"traefik"` | Traefik image repository |
| image.tag | string | `nil` | defaults to appVersion. It's used for version checking, even prefixed with experimental- or latest-. When a digest is required, `versionOverride` can be used to set the version. |
| ingressClass.enabled | bool | `true` | Create a default IngressClass for Traefik |
| ingressClass.isDefaultClass | bool | `true` | |
| ingressClass.name | string | `""` | |
| ingressRoute | object | See _values.yaml_ | Only dashboard & healthcheck IngressRoute are supported. It's recommended to create workloads CR outside of this Chart. |
| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
| ingressRoute.dashboard.enabled | bool | `false` | Create an IngressRoute for the dashboard |
| ingressRoute.dashboard.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\ |
| ingressRoute.dashboard.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
| ingressRoute.dashboard.matchRule | string | `"PathPrefix(`/dashboard`) || PathPrefix(`/api`)"` | The router match rule used for the dashboard ingressRoute |
| ingressRoute.dashboard.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
| ingressRoute.dashboard.services | list | api@internal | The internal service used for the dashboard ingressRoute |
| ingressRoute.dashboard.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
| ingressRoute.healthcheck.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
| ingressRoute.healthcheck.enabled | bool | `false` | Create an IngressRoute for the healthcheck probe |
| ingressRoute.healthcheck.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. |
| ingressRoute.healthcheck.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute |
| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
| ingressRoute.healthcheck.services | list | ping@internal | The internal service used for the healthcheck ingressRoute |
| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
| instanceLabelOverride | string | `""` | This field overrides the default app.kubernetes.io/instance label for all Objects. |
| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. |
| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| logs.access.addInternals | bool | `false` | Enables accessLogs for internal resources. Default: false. |
| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) |
| logs.access.enabled | bool | `false` | To enable access logs |
| logs.access.fields.general.defaultmode | string | `"keep"` | Set default mode for fields.names |
| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. |
| logs.access.fields.headers.defaultmode | string | `"drop"` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) |
| logs.access.fields.headers.names | object | `{}` | |
| logs.access.filters | object | See below | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) |
| logs.access.filters.minduration | string | `""` | Set minDuration, to keep access logs when requests take longer than the specified duration |
| logs.access.filters.retryattempts | bool | `false` | Set retryAttempts, to keep the access logs when at least one retry has happened |
| logs.access.filters.statuscodes | string | `""` | Set statusCodes, to limit the access logs to requests with a status codes in the specified range |
| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) |
| logs.access.otlp.enabled | bool | `false` | Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled. |
| logs.access.otlp.grpc.enabled | bool | `false` | Set to true in order to send access logs to the OpenTelemetry Collector using gRPC |
| logs.access.otlp.grpc.endpoint | string | `""` | Format: <host>:<port>. Default: "localhost:4317" |
| logs.access.otlp.grpc.insecure | bool | `false` | Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol. |
| logs.access.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| logs.access.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| logs.access.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| logs.access.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| logs.access.otlp.http.enabled | bool | `false` | Set to true in order to send access logs to the OpenTelemetry Collector using HTTP. |
| logs.access.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs |
| logs.access.otlp.http.headers | object | `{}` | Additional headers sent with access logs by the reporter to the OpenTelemetry Collector. |
| logs.access.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| logs.access.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| logs.access.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| logs.access.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| logs.access.otlp.resourceAttributes | object | `{}` | Defines additional resource attributes to be sent to the collector. |
| logs.access.otlp.serviceName | string | `nil` | Service name used in OTLP backend. Default: traefik. |
| logs.access.timezone | string | `""` | Set [timezone](https://doc.traefik.io/traefik/observability/access-logs/#time-zones) |
| logs.general.filePath | string | `""` | To write the logs into a log file, use the filePath option. |
| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) |
| logs.general.level | string | `"INFO"` | Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC. |
| logs.general.noColor | bool | `false` | When set to true and format is common, it disables the colorized output. |
| logs.general.otlp.enabled | bool | `false` | Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled. |
| logs.general.otlp.grpc.enabled | bool | `false` | Set to true in order to send logs to the OpenTelemetry Collector using gRPC |
| logs.general.otlp.grpc.endpoint | string | `""` | Format: <host>:<port>. Default: "localhost:4317" |
| logs.general.otlp.grpc.insecure | bool | `false` | Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol. |
| logs.general.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| logs.general.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| logs.general.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| logs.general.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| logs.general.otlp.http.enabled | bool | `false` | Set to true in order to send logs to the OpenTelemetry Collector using HTTP. |
| logs.general.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs |
| logs.general.otlp.http.headers | object | `{}` | Additional headers sent with logs by the reporter to the OpenTelemetry Collector. |
| logs.general.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| logs.general.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| logs.general.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| logs.general.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| logs.general.otlp.resourceAttributes | object | `{}` | Defines additional resource attributes to be sent to the collector. |
| logs.general.otlp.serviceName | string | `nil` | Service name used in OTLP backend. Default: traefik. |
| metrics.addInternals | bool | `false` | Enable metrics for internal resources. Default: false |
| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true |
| metrics.otlp.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false |
| metrics.otlp.addServicesLabels | string | `nil` | Enable metrics on services. Default: true |
| metrics.otlp.enabled | bool | `false` | Set to true in order to enable the OpenTelemetry metrics |
| metrics.otlp.explicitBoundaries | list | `[]` | Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] |
| metrics.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
| metrics.otlp.grpc.endpoint | string | `""` | Format: <host>:<port>. Default: "localhost:4317" |
| metrics.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
| metrics.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| metrics.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| metrics.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| metrics.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| metrics.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
| metrics.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics |
| metrics.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
| metrics.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| metrics.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| metrics.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| metrics.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| metrics.otlp.pushInterval | string | `""` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s |
| metrics.otlp.resourceAttributes | object | `{}` | Defines additional resource attributes to be sent to the collector. |
| metrics.otlp.serviceName | string | `nil` | Service name used in OTLP backend. Default: traefik. |
| metrics.prometheus.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true |
| metrics.prometheus.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false |
| metrics.prometheus.addServicesLabels | string | `nil` | Enable metrics on services. Default: true |
| metrics.prometheus.buckets | string | `""` | Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" |
| metrics.prometheus.disableAPICheck | string | `nil` | When set to true, it won't check if Prometheus Operator CRDs are deployed |
| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. |
| metrics.prometheus.headerLabels | object | `{}` | Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage. |
| metrics.prometheus.manualRouting | bool | `false` | When manualRouting is true, it disables the default internal router in # order to allow creating a custom router for prometheus@internal service. |
| metrics.prometheus.prometheusRule.additionalLabels | object | `{}` | |
| metrics.prometheus.prometheusRule.apiVersion | string | `"monitoring.coreos.com/v1"` | |
| metrics.prometheus.prometheusRule.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
| metrics.prometheus.prometheusRule.namespace | string | `""` | |
| metrics.prometheus.service.annotations | object | `{}` | |
| metrics.prometheus.service.enabled | bool | `false` | Create a dedicated metrics service to use with ServiceMonitor |
| metrics.prometheus.service.labels | object | `{}` | |
| metrics.prometheus.serviceMonitor.additionalLabels | object | `{}` | |
| metrics.prometheus.serviceMonitor.apiVersion | string | `"monitoring.coreos.com/v1"` | |
| metrics.prometheus.serviceMonitor.enableHttp2 | bool | `false` | |
| metrics.prometheus.serviceMonitor.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
| metrics.prometheus.serviceMonitor.followRedirects | bool | `false` | |
| metrics.prometheus.serviceMonitor.honorLabels | bool | `false` | |
| metrics.prometheus.serviceMonitor.honorTimestamps | bool | `false` | |
| metrics.prometheus.serviceMonitor.interval | string | `""` | |
| metrics.prometheus.serviceMonitor.jobLabel | string | `""` | |
| metrics.prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| metrics.prometheus.serviceMonitor.namespace | string | `""` | |
| metrics.prometheus.serviceMonitor.namespaceSelector | object | `{}` | |
| metrics.prometheus.serviceMonitor.relabelings | list | `[]` | |
| metrics.prometheus.serviceMonitor.scrapeTimeout | string | `""` | |
| namespaceOverride | string | `""` | This field overrides the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` |
| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
| oci_meta | object | See _values.yaml_ | Required for OCI Marketplace integration. See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm |
| oci_meta.enabled | bool | `false` | Enable specific values for Oracle Cloud Infrastructure |
| oci_meta.repo | string | `"traefik"` | It needs to be an ocir repo |
| ocsp.enabled | bool | `false` | Enable OCSP stapling support. See https://doc.traefik.io/traefik/https/ocsp/#overview |
| ocsp.responderOverrides | object | `{}` | Defines the OCSP responder URLs to use instead of the one provided by the certificate. |
| persistence.accessMode | string | `"ReadWriteOnce"` | |
| persistence.annotations | object | `{}` | |
| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option |
| persistence.existingClaim | string | `""` | |
| persistence.name | string | `"data"` | |
| persistence.path | string | `"/data"` | |
| persistence.size | string | `"128Mi"` | |
| persistence.storageClass | string | `nil` | |
| persistence.subPath | string | `""` | Only mount a subpath of the Volume into the pod |
| persistence.volumeName | string | `""` | |
| podDisruptionBudget | object | See _values.yaml_ | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) |
| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) |
| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
| ports.metrics.observability.accessLogs | string | `nil` | Enables access-logs for this entryPoint. |
| ports.metrics.observability.metrics | string | `nil` | Enables metrics for this entryPoint. |
| ports.metrics.observability.traceVerbosity | string | `nil` | Defines the tracing verbosity level for this entryPoint. |
| ports.metrics.observability.tracing | string | `nil` | Enables tracing for this entryPoint. |
| ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations |
| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.traefik.exposedPort | int | `8080` | The exposed port for this service |
| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. |
| ports.traefik.hostPort | string | `nil` | Use hostPort if set. |
| ports.traefik.observability.accessLogs | string | `nil` | Defines whether a router attached to this EntryPoint produces access-logs by default. |
| ports.traefik.observability.metrics | string | `nil` | Defines whether a router attached to this EntryPoint produces metrics by default. |
| ports.traefik.observability.traceVerbosity | string | `nil` | Defines the tracing verbosity level for routers attached to this EntryPoint. |
| ports.traefik.observability.tracing | string | `nil` | Defines whether a router attached to this EntryPoint produces traces by default. |
| ports.traefik.port | int | `8080` | |
| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.web.asDefault | string | `nil` | |
| ports.web.expose.default | bool | `true` | |
| ports.web.exposedPort | int | `80` | |
| ports.web.forwardedHeaders.insecure | bool | `false` | |
| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.web.http.redirections.entryPoint | object | `{}` | Port Redirections Added in 2.2, one can make permanent redirects via entrypoints. Same sets of parameters: to, scheme, permanent and priority. https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example |
| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.web.observability.accessLogs | string | `nil` | Enables access-logs for this entryPoint. |
| ports.web.observability.metrics | string | `nil` | Enables metrics for this entryPoint. |
| ports.web.observability.traceVerbosity | string | `nil` | Defines the tracing verbosity level for this entryPoint. |
| ports.web.observability.tracing | string | `nil` | Enables tracing for this entryPoint. |
| ports.web.port | int | `8000` | |
| ports.web.protocol | string | `"TCP"` | |
| ports.web.proxyProtocol.insecure | bool | `false` | |
| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.web.targetPort | string | `nil` | |
| ports.web.transport | object | nil | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) |
| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) |
| ports.websecure.containerPort | string | `nil` | |
| ports.websecure.expose.default | bool | `true` | |
| ports.websecure.exposedPort | int | `443` | |
| ports.websecure.forwardedHeaders.insecure | bool | `false` | |
| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.websecure.hostPort | string | `nil` | |
| ports.websecure.http.encodedCharacters | object | nil | See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering) |
| ports.websecure.http.maxHeaderBytes | string | `nil` | Maximum size of request headers in bytes. Default: 1048576 (1 MB) |
| ports.websecure.http.middlewares | list | `[]` | See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares) |
| ports.websecure.http.sanitizePath | string | `nil` | See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization) |
| ports.websecure.http.tls.certResolver | string | `""` | |
| ports.websecure.http.tls.domains | list | `[]` | |
| ports.websecure.http.tls.enabled | bool | true | See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls) |
| ports.websecure.http.tls.options | string | `""` | |
| ports.websecure.http3.advertisedPort | string | `nil` | |
| ports.websecure.http3.enabled | bool | `false` | |
| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.websecure.observability.accessLogs | string | `nil` | Enables access-logs for this entryPoint. |
| ports.websecure.observability.metrics | string | `nil` | Enables metrics for this entryPoint. |
| ports.websecure.observability.traceVerbosity | string | `nil` | Defines the tracing verbosity level for this entryPoint. |
| ports.websecure.observability.tracing | string | `nil` | Enables tracing for this entryPoint. |
| ports.websecure.port | int | `8443` | |
| ports.websecure.protocol | string | `"TCP"` | |
| ports.websecure.proxyProtocol.insecure | bool | `false` | |
| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.websecure.targetPort | string | `nil` | |
| ports.websecure.transport | object | nil | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) |
| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) |
| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
| providers.file.enabled | bool | `false` | Create a file provider |
| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes |
| providers.knative.enabled | bool | `false` | Enable Knative provider |
| providers.knative.labelSelector | string | `""` | Allow filtering Knative Ingress objects |
| providers.knative.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array. |
| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs |
| providers.kubernetesCRD.allowEmptyServices | bool | `true` | Allows to return 503 when there are no endpoints available |
| providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute |
| providers.kubernetesCRD.enabled | bool | `true` | Load Kubernetes IngressRoute provider |
| providers.kubernetesCRD.ingressClass | string | `""` | When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. |
| providers.kubernetesCRD.labelSelector | string | `""` | See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector) |
| providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array. |
| providers.kubernetesCRD.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
| providers.kubernetesGateway.enabled | bool | `false` | Enable Traefik Gateway provider for Gateway API |
| providers.kubernetesGateway.experimentalChannel | bool | `false` | Toggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute. |
| providers.kubernetesGateway.labelSelector | string | `""` | A label selector can be defined to filter on specific GatewayClass objects only. |
| providers.kubernetesGateway.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array. |
| providers.kubernetesGateway.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
| providers.kubernetesGateway.statusAddress.hostname | string | `""` | This Hostname will get copied to the Gateway status.addresses. |
| providers.kubernetesGateway.statusAddress.ip | string | `""` | This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6). |
| providers.kubernetesGateway.statusAddress.service.enabled | bool | `true` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
| providers.kubernetesGateway.statusAddress.service.name | string | `""` | |
| providers.kubernetesGateway.statusAddress.service.namespace | string | `""` | |
| providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there are no endpoints available |
| providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
| providers.kubernetesIngress.disableIngressClassLookup | bool | `false` | Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup) |
| providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |
| providers.kubernetesIngress.ingressClass | string | `nil` | When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. |
| providers.kubernetesIngress.labelSelector | string | `nil` | |
| providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array. |
| providers.kubernetesIngress.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
| providers.kubernetesIngress.publishedService.enabled | bool | `true` | Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice), usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride. |
| providers.kubernetesIngress.publishedService.pathOverride | string | `""` | Override path of Kubernetes Service used to copy status from. Format: namespace/servicename. Default to Service deployed with this Chart. |
| providers.kubernetesIngress.strictPrefixMatching | bool | `false` | Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification. |
| providers.kubernetesIngressNginx.certAuthFilePath | string | `""` | Kubernetes certificate authority file path (not needed for in-cluster client) |
| providers.kubernetesIngressNginx.controllerClass | string | `"k8s.io/ingress-nginx"` | Ingress Class Controller value this controller satisfies |
| providers.kubernetesIngressNginx.defaultBackendService | string | `""` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name' |
| providers.kubernetesIngressNginx.disableSvcExternalName | bool | `false` | Disable support for Services of type ExternalName |
| providers.kubernetesIngressNginx.enabled | bool | `false` | Enable Kubernetes Ingress NGINX provider (experimental) |
| providers.kubernetesIngressNginx.endpoint | string | `""` | Kubernetes server endpoint (required for external cluster client) |
| providers.kubernetesIngressNginx.ingressClass | string | `"nginx"` | Name of the ingress class this controller satisfies |
| providers.kubernetesIngressNginx.ingressClassByName | bool | `false` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class |
| providers.kubernetesIngressNginx.publishService.enabled | bool | `false` | Service fronting the Ingress controller. Takes the form 'namespace/name' |
| providers.kubernetesIngressNginx.publishService.pathOverride | string | `""` | |
| providers.kubernetesIngressNginx.publishStatusAddress | string | `""` | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies |
| providers.kubernetesIngressNginx.throttleDuration | string | `""` | Ingress refresh throttle duration |
| providers.kubernetesIngressNginx.token | string | `""` | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token |
| providers.kubernetesIngressNginx.watchIngressWithoutClass | bool | `false` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified |
| providers.kubernetesIngressNginx.watchNamespace | string | `""` | Namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector. |
| providers.kubernetesIngressNginx.watchNamespaceSelector | string | `""` | Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace. |
| rbac.aggregateTo | list | `[]` | |
| rbac.enabled | bool | `true` | Whether Role Based Access Control objects like roles and rolebindings should be created |
| rbac.namespaced | bool | `false` | |
| rbac.secretResourceNames | list | `[]` | |
| readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. |
| readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. |
| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) |
| service.additionalServices | object | `{}` | |
| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
| service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |
| service.enabled | bool | `true` | |
| service.externalIPs | list | `[]` | |
| service.labels | object | `{}` | Additional service labels (e.g. for filtering Service by custom labels) |
| service.loadBalancerSourceRanges | list | `[]` | |
| service.single | bool | `true` | |
| service.spec | object | `{}` | Cannot contain type, selector or ports entries. |
| service.type | string | `"LoadBalancer"` | |
| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API |
| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) |
| startupProbe | object | `{}` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) |
| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. |
| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. |
| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. |
| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. |
| tracing | object | See _values.yaml_ | https://doc.traefik.io/traefik/observability/tracing/overview/ |
| tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. |
| tracing.capturedRequestHeaders | list | `[]` | Defines the list of request headers to add as attributes. It applies to client and server kind spans. |
| tracing.capturedResponseHeaders | list | `[]` | Defines the list of response headers to add as attributes. It applies to client and server kind spans. |
| tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ |
| tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
| tracing.otlp.grpc.endpoint | string | `""` | Format: <host>:<port>. Default: "localhost:4317" |
| tracing.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
| tracing.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| tracing.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| tracing.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| tracing.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| tracing.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
| tracing.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing |
| tracing.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
| tracing.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
| tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
| tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
| tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
| tracing.resourceAttributes | object | `{}` | Defines additional resource attributes to be sent to the collector. |
| tracing.safeQueryParams | list | `[]` | By default, all query parameters are redacted. Defines the list of query parameters to not redact. |
| tracing.sampleRate | string | `nil` | The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0. |
| tracing.serviceName | string | `nil` | Service name used in selected backend. Default: traefik. |
| updateStrategy.rollingUpdate.maxSurge | int | `1` | |
| updateStrategy.rollingUpdate.maxUnavailable | int | `0` | |
| updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy of Deployment or DaemonSet |
| versionOverride | string | `""` | This field overrides the default version extracted from image.tag |
| volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -0,0 +1,368 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: accesscontrolpolicies.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: AccessControlPolicy
listKind: AccessControlPolicyList
plural: accesscontrolpolicies
singular: accesscontrolpolicy
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControlPolicy defines an access control policy.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AccessControlPolicySpec configures an access control policy.
properties:
apiKey:
description: AccessControlPolicyAPIKey configure an APIKey control
policy.
properties:
forwardHeaders:
additionalProperties:
type: string
description: ForwardHeaders instructs the middleware to forward
key metadata as header values upon successful authentication.
type: object
keySource:
description: KeySource defines how to extract API keys from requests.
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: |-
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
If set, this scheme is removed from the token, and all requests not including it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
keys:
description: Keys define the set of authorized keys to access
a protected resource.
items:
description: AccessControlPolicyAPIKeyKey defines an API key.
properties:
id:
description: ID is the unique identifier of the key.
type: string
metadata:
additionalProperties:
type: string
description: Metadata holds arbitrary metadata for this
key, can be used by ForwardHeaders.
type: object
value:
description: Value is the SHAKE-256 hash (using 64 bytes)
of the API key.
type: string
required:
- id
- value
type: object
type: array
required:
- keySource
type: object
basicAuth:
description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
configuration.
properties:
forwardUsernameHeader:
type: string
realm:
type: string
stripAuthorizationHeader:
type: boolean
users:
items:
type: string
type: array
type: object
jwt:
description: AccessControlPolicyJWT configures a JWT access control
policy.
properties:
claims:
type: string
forwardHeaders:
additionalProperties:
type: string
type: object
jwksFile:
type: string
jwksUrl:
type: string
publicKey:
type: string
signingSecret:
type: string
signingSecretBase64Encoded:
type: boolean
stripAuthorizationHeader:
type: boolean
tokenQueryKey:
type: string
type: object
oAuthIntro:
description: AccessControlOAuthIntro configures an OAuth 2.0 Token
Introspection access control policy.
properties:
claims:
type: string
clientConfig:
description: AccessControlOAuthIntroClientConfig configures the
OAuth 2.0 client for issuing token introspection requests.
properties:
headers:
additionalProperties:
type: string
description: Headers to set when sending requests to the Authorization
Server.
type: object
maxRetries:
default: 3
description: MaxRetries defines the number of retries for
introspection requests.
type: integer
timeoutSeconds:
default: 5
description: TimeoutSeconds configures the maximum amount
of seconds to wait before giving up on requests.
type: integer
tls:
description: TLS configures TLS communication with the Authorization
Server.
properties:
ca:
description: CA sets the CA bundle used to sign the Authorization
Server certificate.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify skips the Authorization Server certificate validation.
For testing purposes only, do not use in production.
type: boolean
type: object
tokenTypeHint:
description: |-
TokenTypeHint is a hint to pass to the Authorization Server.
See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
type: string
url:
description: URL of the Authorization Server.
type: string
required:
- url
type: object
forwardHeaders:
additionalProperties:
type: string
type: object
tokenSource:
description: |-
TokenSource describes how to extract tokens from HTTP requests.
If multiple sources are set, the order is the following: header > query > cookie.
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: |-
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
If set, this scheme is removed from the token, and all requests not including it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
required:
- clientConfig
- tokenSource
type: object
oidc:
description: AccessControlPolicyOIDC holds the OIDC authentication
configuration.
properties:
authParams:
additionalProperties:
type: string
type: object
claims:
type: string
clientId:
type: string
disableAuthRedirectionPaths:
items:
type: string
type: array
forwardHeaders:
additionalProperties:
type: string
type: object
issuer:
type: string
logoutUrl:
type: string
redirectUrl:
type: string
scopes:
items:
type: string
type: array
secret:
description: |-
SecretReference represents a Secret Reference. It has enough information to retrieve secret
in any namespace
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
session:
description: Session holds session configuration.
properties:
domain:
type: string
path:
type: string
refresh:
type: boolean
sameSite:
type: string
secure:
type: boolean
type: object
stateCookie:
description: StateCookie holds state cookie configuration.
properties:
domain:
type: string
path:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
oidcGoogle:
description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
configuration.
properties:
authParams:
additionalProperties:
type: string
type: object
clientId:
type: string
emails:
description: Emails are the allowed emails to connect.
items:
type: string
minItems: 1
type: array
forwardHeaders:
additionalProperties:
type: string
type: object
logoutUrl:
type: string
redirectUrl:
type: string
secret:
description: |-
SecretReference represents a Secret Reference. It has enough information to retrieve secret
in any namespace
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
session:
description: Session holds session configuration.
properties:
domain:
type: string
path:
type: string
refresh:
type: boolean
sameSite:
type: string
secure:
type: boolean
type: object
stateCookie:
description: StateCookie holds state cookie configuration.
properties:
domain:
type: string
path:
type: string
sameSite:
type: string
secure:
type: boolean
type: object
type: object
type: object
status:
description: The current status of this access control policy.
properties:
specHash:
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
@@ -0,0 +1,340 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: aiservices.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: AIService
listKind: AIServiceList
plural: aiservices
singular: aiservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AIService is a Kubernetes-like Service to interact with a text-based
LLM provider. It defines the parameters and credentials required to interact
with various LLM providers.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this AIService.
properties:
anthropic:
description: Anthropic configures Anthropic backend.
properties:
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
token:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
type: object
azureOpenai:
description: AzureOpenAI configures AzureOpenAI.
properties:
apiKeySecret:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
baseUrl:
type: string
deploymentName:
type: string
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
required:
- baseUrl
- deploymentName
type: object
bedrock:
description: Bedrock configures Bedrock backend.
properties:
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
region:
type: string
systemMessage:
type: boolean
type: object
cohere:
description: Cohere configures Cohere backend.
properties:
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
token:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
type: object
deepSeek:
description: DeepSeek configures DeepSeek.
properties:
baseUrl:
type: string
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
token:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
type: object
gemini:
description: Gemini configures Gemini backend.
properties:
apiKey:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
type: object
mistral:
description: Mistral configures Mistral AI backend.
properties:
apiKey:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
type: object
ollama:
description: Ollama configures Ollama backend.
properties:
baseUrl:
type: string
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
required:
- baseUrl
type: object
openai:
description: OpenAI configures OpenAI.
properties:
baseUrl:
type: string
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
token:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
type: object
qWen:
description: QWen configures QWen.
properties:
baseUrl:
type: string
model:
type: string
params:
description: Params holds the LLM hyperparameters.
properties:
frequencyPenalty:
type: number
maxTokens:
type: integer
presencePenalty:
type: number
temperature:
type: number
topP:
type: number
type: object
token:
description: SecretReference references a kubernetes secret.
properties:
secretName:
maxLength: 253
type: string
required:
- secretName
type: object
type: object
type: object
type: object
served: true
storage: true
@@ -0,0 +1,279 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiauths.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIAuth
listKind: APIAuthList
plural: apiauths
singular: apiauth
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIAuth defines the authentication configuration for APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIAuth.
properties:
apiKey:
description: APIKey configures API key authentication.
type: object
x-kubernetes-preserve-unknown-fields: true
isDefault:
description: |-
IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace.
Only one APIAuth per namespace should have isDefault set to true.
type: boolean
jwt:
description: JWT configures JWT authentication.
properties:
appIdClaim:
description: |-
AppIDClaim is the name of the claim holding the identifier of the application.
This field is sometimes named `client_id`.
type: string
forwardHeaders:
additionalProperties:
type: string
description: ForwardHeaders specifies additional headers to forward
with the request.
type: object
jwksFile:
description: |-
JWKSFile contains the JWKS file content for JWT verification.
Mutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers.
type: string
jwksUrl:
description: |-
JWKSURL is the URL to fetch the JWKS for JWT verification.
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers.
Deprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation.
type: string
x-kubernetes-validations:
- message: must be a valid HTTPS URL
rule: isURL(self) && self.startsWith('https://')
publicKey:
description: |-
PublicKey is the PEM-encoded public key for JWT verification.
Mutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers.
type: string
signingSecretName:
description: |-
SigningSecretName is the name of the Kubernetes Secret containing the signing secret.
The secret must be of type Opaque and contain a key named 'value'.
Mutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers.
maxLength: 253
type: string
stripAuthorizationHeader:
description: StripAuthorizationHeader determines whether to strip
the Authorization header before forwarding the request.
type: boolean
tokenNameClaim:
description: |-
TokenNameClaim is the name of the claim holding the name of the token.
This name, if provided, will be used in the metrics.
type: string
tokenQueryKey:
description: TokenQueryKey specifies the query parameter name
for the JWT token.
type: string
trustedIssuers:
description: |-
TrustedIssuers defines multiple JWKS providers with optional issuer validation.
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and JWKSURL.
items:
description: TrustedIssuer represents a trusted JWT issuer with
its associated JWKS endpoint for token verification.
properties:
issuer:
description: |-
Issuer is the expected value of the "iss" claim.
If specified, tokens must have this exact issuer to be validated against this JWKS.
The issuer value must match exactly, including trailing slashes and URL encoding.
If omitted, this JWKS acts as a fallback for any issuer.
type: string
jwksUrl:
description: JWKSURL is the URL to fetch the JWKS from.
type: string
x-kubernetes-validations:
- message: must be a valid HTTPS URL
rule: isURL(self) && self.startsWith('https://')
required:
- jwksUrl
type: object
maxItems: 100
minItems: 1
type: array
required:
- appIdClaim
type: object
x-kubernetes-validations:
- message: exactly one of signingSecretName, publicKey, jwksFile,
jwksUrl, or trustedIssuers must be specified
rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile),
has(self.jwksUrl), has(self.trustedIssuers)].filter(x, x).size()
== 1'
- message: trustedIssuers must not be empty when specified
rule: '!has(self.trustedIssuers) || size(self.trustedIssuers) >
0'
- message: only one entry in trustedIssuers may omit the issuer field
rule: '!has(self.trustedIssuers) || self.trustedIssuers.filter(x,
!has(x.issuer) || x.issuer == "").size() <= 1'
ldap:
description: LDAP configures LDAP authentication.
properties:
attribute:
default: cn
description: |-
Attribute is the LDAP object attribute used to form a bind DN when sending bind queries.
The bind DN is formed as <Attribute>=<Username>,<BaseDN>.
type: string
baseDn:
description: BaseDN is the base domain name that should be used
for bind and search queries.
type: string
bindDn:
description: |-
BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode.
If empty, an anonymous bind will be done.
type: string
bindPasswordSecretName:
description: |-
BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN.
The secret must contain a key named 'password'.
maxLength: 253
type: string
certificateAuthority:
description: |-
CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the
connection uses TLS but that the certificate was signed by a custom Certificate Authority.
type: string
insecureSkipVerify:
description: InsecureSkipVerify controls whether the server's
certificate chain and host name is verified.
type: boolean
searchFilter:
description: |-
SearchFilter is used to filter LDAP search queries.
Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))
%s can be used as a placeholder for the username.
type: string
startTls:
description: StartTLS instructs the middleware to issue a StartTLS
request when initializing the connection with the LDAP server.
type: boolean
url:
description: URL is the URL of the LDAP server, including the
protocol (ldap or ldaps) and the port.
type: string
x-kubernetes-validations:
- message: must be a valid LDAP URL
rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://'))
required:
- baseDn
- url
type: object
required:
- isDefault
type: object
x-kubernetes-validations:
- message: exactly one authentication method must be specified
rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size()
== 1'
status:
description: The current status of this APIAuth.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIAuth.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,217 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apibundles.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIBundle
listKind: APIBundleList
plural: apibundles
singular: apibundle
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIBundle defines a set of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIBundle.
properties:
apiSelector:
description: |-
APISelector selects the APIs that will be accessible to the configured audience.
Multiple APIBundles can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be accessible to the configured audience.
Multiple APIBundles can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
title:
description: Title is the human-readable name of the APIBundle that
will be used on the portal.
maxLength: 253
type: string
type: object
status:
description: The current status of this APIBundle.
properties:
conditions:
description: Conditions is the list of status conditions.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIBundle.
type: string
resolvedApis:
description: ResolvedAPIs is the list of APIs that were successfully
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
syncedAt:
format: date-time
type: string
unresolvedApis:
description: UnresolvedAPIs is the list of APIs that could not be
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,274 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apicatalogitems.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APICatalogItem
listKind: APICatalogItemList
plural: apicatalogitems
singular: apicatalogitem
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APICatalogItem defines APIs that will be part of the API catalog
on the portal.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APICatalogItem.
properties:
apiBundles:
description: |-
APIBundles defines a set of APIBundle that will be visible to the configured audience.
Multiple APICatalogItem can select the same APIBundles.
items:
description: APIBundleReference references an APIBundle.
properties:
name:
description: Name of the APIBundle.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apiBundles
rule: self.all(x, self.exists_one(y, x.name == y.name))
apiPlan:
description: |-
APIPlan defines which APIPlan will be available.
If multiple APICatalogItem specify the same API with different APIPlan, the API consumer will be able to pick
a plan from this list.
properties:
name:
description: Name of the APIPlan.
maxLength: 253
type: string
required:
- name
type: object
apiSelector:
description: |-
APISelector selects the APIs that will be visible to the configured audience.
Multiple APICatalogItem can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be visible to the configured audience.
Multiple APICatalogItem can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
everyone:
description: Everyone indicates that all users will see these APIs.
type: boolean
groups:
description: Groups are the consumer groups that will see the APIs.
items:
type: string
type: array
operationFilter:
description: |-
OperationFilter specifies the visible operations on APIs and APIVersions.
If not set, all operations are available.
An empty OperationFilter prohibits all operations.
properties:
include:
description: Include defines the names of OperationSets that will
be accessible.
items:
type: string
maxItems: 100
type: array
type: object
type: object
x-kubernetes-validations:
- message: groups and everyone are mutually exclusive
rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
self.groups.size() > 0) : true'
- message: groups is required when everyone is false
rule: (has(self.everyone) && self.everyone) || (has(self.groups) &&
self.groups.size() > 0)
status:
description: The current status of this APICatalogItem.
properties:
conditions:
description: Conditions is the list of status conditions.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APICatalogItem.
type: string
resolvedApis:
description: ResolvedAPIs is the list of APIs that were successfully
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
syncedAt:
format: date-time
type: string
unresolvedApis:
description: UnresolvedAPIs is the list of APIs that could not be
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,182 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiplans.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIPlan
listKind: APIPlanList
plural: apiplans
singular: apiplan
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIPlan defines API Plan policy.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIPlan.
properties:
description:
description: Description describes the plan.
type: string
quota:
description: Quota defines the quota policy.
properties:
bucket:
default: subscription
description: Bucket defines the bucket strategy for the quota.
enum:
- subscription
- application-api
- application
type: string
limit:
description: Limit is the maximum number of requests per sliding
Period.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: Period is the unit of time for the Limit.
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 9999h
rule: self >= duration('1s') && self <= duration('9999h')
required:
- limit
type: object
rateLimit:
description: RateLimit defines the rate limit policy.
properties:
bucket:
default: subscription
description: Bucket defines the bucket strategy for the rate limit.
enum:
- subscription
- application-api
- application
type: string
limit:
description: |-
Limit is the number of requests per Period used to calculate the regeneration rate.
Traffic will converge to this rate over time by delaying requests when possible, and dropping them when throttling alone is not enough.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: |-
Period is the time unit used to express the rate.
Combined with Limit, it defines the rate at which request capacity regenerates (Limit ÷ Period).
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 1h
rule: self >= duration('1s') && self <= duration('1h')
required:
- limit
type: object
title:
description: Title is the human-readable name of the plan.
type: string
required:
- title
type: object
status:
description: The current status of this APIPlan.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIPlan.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,281 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiportalauths.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIPortalAuth
listKind: APIPortalAuthList
plural: apiportalauths
singular: apiportalauth
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIPortalAuth defines the authentication configuration for an
APIPortal.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIPortalAuth.
properties:
ldap:
description: LDAP configures the LDAP authentication.
properties:
attribute:
default: cn
description: |-
Attribute is the LDAP object attribute used to form a bind DN when sending bind queries.
The bind DN is formed as <Attribute>=<Username>,<BaseDN>.
type: string
attributes:
description: Attributes configures LDAP attribute mappings for
user attributes.
properties:
company:
description: Company is the LDAP attribute for user company.
type: string
email:
description: Email is the LDAP attribute for user email.
type: string
firstname:
description: Firstname is the LDAP attribute for user first
name.
type: string
lastname:
description: Lastname is the LDAP attribute for user last
name.
type: string
userId:
description: UserID is the LDAP attribute for user ID mapping.
type: string
type: object
baseDn:
description: BaseDN is the base domain name that should be used
for bind and search queries.
type: string
bindDn:
description: |-
BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode.
If empty, an anonymous bind will be done.
type: string
bindPasswordSecretName:
description: |-
BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN.
The secret must contain a key named 'password'.
maxLength: 253
type: string
certificateAuthority:
description: |-
CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the
connection uses TLS but that the certificate was signed by a custom Certificate Authority.
type: string
groups:
description: Groups configures group extraction.
properties:
memberOfAttribute:
default: memberOf
description: MemberOfAttribute is the LDAP attribute containing
group memberships (e.g., "memberOf").
type: string
type: object
insecureSkipVerify:
description: InsecureSkipVerify controls whether the server's
certificate chain and host name is verified.
type: boolean
searchFilter:
description: |-
SearchFilter is used to filter LDAP search queries.
Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))
%s can be used as a placeholder for the username.
type: string
startTls:
description: StartTLS instructs the middleware to issue a StartTLS
request when initializing the connection with the LDAP server.
type: boolean
syncedAttributes:
description: SyncedAttributes are the user attributes to synchronize
with Hub platform.
items:
enum:
- groups
- userId
- firstname
- lastname
- email
- company
type: string
maxItems: 6
type: array
url:
description: URL is the URL of the LDAP server, including the
protocol (ldap or ldaps) and the port.
type: string
x-kubernetes-validations:
- message: must be a valid LDAP URL
rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://'))
required:
- baseDn
- url
type: object
oidc:
description: OIDC configures the OIDC authentication.
properties:
claims:
description: Claims configures JWT claim mappings for user attributes.
properties:
company:
description: Company is the JWT claim for user company.
type: string
email:
description: Email is the JWT claim for user email.
type: string
firstname:
description: Firstname is the JWT claim for user first name.
type: string
groups:
description: Groups is the JWT claim for user groups. This
field is required for authorization.
type: string
lastname:
description: Lastname is the JWT claim for user last name.
type: string
userId:
description: UserID is the JWT claim for user ID mapping.
type: string
required:
- groups
type: object
issuerUrl:
description: IssuerURL is the OIDC provider issuer URL.
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
scopes:
description: Scopes is a list of OAuth2 scopes.
items:
type: string
type: array
secretName:
description: SecretName is the name of the Kubernetes Secret containing
clientId and clientSecret keys.
maxLength: 253
type: string
syncedAttributes:
description: SyncedAttributes are the user attributes to synchronize
with Hub platform.
items:
enum:
- groups
- userId
- firstname
- lastname
- email
- company
type: string
maxItems: 6
type: array
required:
- claims
- issuerUrl
- secretName
type: object
type: object
x-kubernetes-validations:
- message: exactly one of oidc or ldap must be specified
rule: '[has(self.oidc), has(self.ldap)].filter(x, x).size() == 1'
status:
description: The current status of this APIPortalAuth.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIPortalAuth.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,208 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiportals.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIPortal
listKind: APIPortalList
plural: apiportals
singular: apiportal
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIPortal defines a developer portal for accessing the documentation
of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIPortal.
properties:
auth:
description: Auth references the APIPortalAuth resource for authentication
configuration.
properties:
name:
description: Name is the name of the APIPortalAuth resource.
maxLength: 253
type: string
required:
- name
type: object
description:
description: Description of the APIPortal.
type: string
title:
description: Title is the public facing name of the APIPortal.
type: string
trustedUrls:
description: TrustedURLs are the urls that are trusted by the OAuth
2.0 authorization server.
items:
type: string
maxItems: 1
minItems: 1
type: array
x-kubernetes-validations:
- message: must be a valid URLs
rule: self.all(x, isURL(x))
ui:
description: UI holds the UI customization options.
properties:
logoUrl:
description: LogoURL is the public URL of the logo.
type: string
type: object
required:
- trustedUrls
type: object
status:
description: The current status of this APIPortal.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIPortal.
type: string
oidc:
description: OIDC is the OIDC configuration for accessing the exposed
APIPortal WebUI.
properties:
clientId:
description: ClientID is the OIDC ClientID for accessing the exposed
APIPortal WebUI.
type: string
companyClaim:
description: CompanyClaim is the name of the JWT claim containing
the user company.
type: string
emailClaim:
description: EmailClaim is the name of the JWT claim containing
the user email.
type: string
firstnameClaim:
description: FirstnameClaim is the name of the JWT claim containing
the user firstname.
type: string
generic:
description: Generic indicates whether or not the APIPortal authentication
relies on Generic OIDC.
type: boolean
groupsClaim:
description: GroupsClaim is the name of the JWT claim containing
the user groups.
type: string
issuer:
description: Issuer is the OIDC issuer for accessing the exposed
APIPortal WebUI.
type: string
lastnameClaim:
description: LastnameClaim is the name of the JWT claim containing
the user lastname.
type: string
scopes:
description: Scopes is the OIDC scopes for getting user attributes
during the authentication to the exposed APIPortal WebUI.
type: string
secretName:
description: SecretName is the name of the secret containing the
OIDC ClientSecret for accessing the exposed APIPortal WebUI.
type: string
syncedAttributes:
description: SyncedAttributes configure the user attributes to
sync.
items:
type: string
type: array
userIdClaim:
description: UserIDClaim is the name of the JWT claim containing
the user ID.
type: string
type: object
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,168 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiratelimits.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIRateLimit
listKind: APIRateLimitList
plural: apiratelimits
singular: apiratelimit
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIRateLimit defines how group of consumers are rate limited
on a set of APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIRateLimit.
properties:
apiSelector:
description: |-
APISelector selects the APIs that will be rate limited.
Multiple APIRateLimits can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be rate limited.
Multiple APIRateLimits can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
everyone:
description: |-
Everyone indicates that all users will, by default, be rate limited with this configuration.
If an APIRateLimit explicitly target a group, the default rate limit will be ignored.
type: boolean
groups:
description: |-
Groups are the consumer groups that will be rate limited.
Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies.
When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies.
items:
type: string
type: array
limit:
description: Limit is the maximum number of token in the bucket.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
period:
description: Period is the unit of time for the Limit.
format: duration
type: string
x-kubernetes-validations:
- message: must be between 1s and 1h
rule: self >= duration('1s') && self <= duration('1h')
strategy:
description: |-
Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances.
It can be, either "local" or "distributed".
enum:
- local
- distributed
type: string
required:
- limit
type: object
x-kubernetes-validations:
- message: groups and everyone are mutually exclusive
rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
self.groups.size() > 0) : true'
status:
description: The current status of this APIRateLimit.
properties:
hash:
description: Hash is a hash representing the APIRateLimit.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
@@ -0,0 +1,308 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apis.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: API
listKind: APIList
plural: apis
singular: api
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
API defines an HTTP interface that is exposed to external clients. It specifies the supported versions
and provides instructions for accessing its documentation. Once instantiated, an API object is associated
with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: APISpec describes the API.
properties:
cors:
description: Cors defines the Cross-Origin Resource Sharing configuration.
properties:
addVaryHeader:
description: AddVaryHeader defines whether the Vary header is
automatically added/updated when the AllowOriginsList is set.
type: boolean
allowCredentials:
description: AllowCredentials defines whether the request can
include user credentials.
type: boolean
allowHeadersList:
description: AllowHeadersList defines the Access-Control-Request-Headers
values sent in preflight response.
items:
type: string
type: array
allowMethodsList:
description: AllowMethodsList defines the Access-Control-Request-Method
values sent in preflight response.
items:
type: string
type: array
allowOriginListRegex:
description: AllowOriginListRegex is a list of allowable origins
written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
items:
type: string
type: array
allowOriginsList:
description: AllowOriginsList is a list of allowable origins.
Can also be a wildcard origin "*".
items:
type: string
type: array
exposeHeadersList:
description: ExposeHeadersList defines the Access-Control-Expose-Headers
values sent in preflight response.
items:
type: string
type: array
maxAge:
description: MaxAge defines the time that a preflight request
may be cached.
format: int64
type: integer
type: object
description:
description: Description explains what the API does.
type: string
openApiSpec:
description: OpenAPISpec defines the API contract as an OpenAPI specification.
properties:
operationSets:
description: OperationSets defines the sets of operations to be
referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
items:
description: |-
OperationSet gives a name to a set of matching OpenAPI operations.
This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
properties:
matchers:
description: Matchers defines a list of alternative rules
for matching OpenAPI operations.
items:
description: OperationMatcher defines criteria for matching
an OpenAPI operation.
minProperties: 1
properties:
methods:
description: Methods specifies the HTTP methods to
be included for selection.
items:
type: string
maxItems: 10
type: array
path:
description: Path specifies the exact path of the
operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathPrefix:
description: PathPrefix specifies the path prefix
of the operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathRegex:
description: PathRegex specifies a regular expression
pattern for matching operations based on their paths.
type: string
type: object
x-kubernetes-validations:
- message: path, pathPrefix and pathRegex are mutually
exclusive
rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
x).size() <= 1'
maxItems: 100
minItems: 1
type: array
name:
description: Name is the name of the OperationSet to reference
in APICatalogItems or ManagedSubscriptions.
maxLength: 253
type: string
required:
- matchers
- name
type: object
maxItems: 100
type: array
override:
description: Override holds data used to override OpenAPI specification.
properties:
servers:
items:
properties:
url:
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
required:
- url
type: object
maxItems: 100
minItems: 1
type: array
required:
- servers
type: object
path:
description: |-
Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
url:
description: |-
URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
validateRequestMethodAndPath:
description: |-
ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
This option overrides the default behavior configured in the static configuration.
type: boolean
type: object
x-kubernetes-validations:
- message: path or url must be defined
rule: has(self.path) || has(self.url)
title:
description: Title is the human-readable name of the API that will
be used on the portal.
maxLength: 253
type: string
versions:
description: Versions are the different APIVersions available.
items:
description: APIVersionRef references an APIVersion.
properties:
name:
description: Name of the APIVersion.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
minItems: 1
type: array
type: object
status:
description: The current status of this API.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the API.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,306 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiversions.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIVersion
listKind: APIVersionList
plural: apiversions
singular: apiversion
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.title
name: Title
type: string
- jsonPath: .spec.release
name: Release
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: APIVersion defines a version of an API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIVersion.
properties:
cors:
description: Cors defines the Cross-Origin Resource Sharing configuration.
properties:
addVaryHeader:
description: AddVaryHeader defines whether the Vary header is
automatically added/updated when the AllowOriginsList is set.
type: boolean
allowCredentials:
description: AllowCredentials defines whether the request can
include user credentials.
type: boolean
allowHeadersList:
description: AllowHeadersList defines the Access-Control-Request-Headers
values sent in preflight response.
items:
type: string
type: array
allowMethodsList:
description: AllowMethodsList defines the Access-Control-Request-Method
values sent in preflight response.
items:
type: string
type: array
allowOriginListRegex:
description: AllowOriginListRegex is a list of allowable origins
written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
items:
type: string
type: array
allowOriginsList:
description: AllowOriginsList is a list of allowable origins.
Can also be a wildcard origin "*".
items:
type: string
type: array
exposeHeadersList:
description: ExposeHeadersList defines the Access-Control-Expose-Headers
values sent in preflight response.
items:
type: string
type: array
maxAge:
description: MaxAge defines the time that a preflight request
may be cached.
format: int64
type: integer
type: object
description:
description: Description explains what the APIVersion does.
type: string
openApiSpec:
description: OpenAPISpec defines the API contract as an OpenAPI specification.
properties:
operationSets:
description: OperationSets defines the sets of operations to be
referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
items:
description: |-
OperationSet gives a name to a set of matching OpenAPI operations.
This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
properties:
matchers:
description: Matchers defines a list of alternative rules
for matching OpenAPI operations.
items:
description: OperationMatcher defines criteria for matching
an OpenAPI operation.
minProperties: 1
properties:
methods:
description: Methods specifies the HTTP methods to
be included for selection.
items:
type: string
maxItems: 10
type: array
path:
description: Path specifies the exact path of the
operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathPrefix:
description: PathPrefix specifies the path prefix
of the operations to select.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
pathRegex:
description: PathRegex specifies a regular expression
pattern for matching operations based on their paths.
type: string
type: object
x-kubernetes-validations:
- message: path, pathPrefix and pathRegex are mutually
exclusive
rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
x).size() <= 1'
maxItems: 100
minItems: 1
type: array
name:
description: Name is the name of the OperationSet to reference
in APICatalogItems or ManagedSubscriptions.
maxLength: 253
type: string
required:
- matchers
- name
type: object
maxItems: 100
type: array
override:
description: Override holds data used to override OpenAPI specification.
properties:
servers:
items:
properties:
url:
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
required:
- url
type: object
maxItems: 100
minItems: 1
type: array
required:
- servers
type: object
path:
description: |-
Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
maxLength: 255
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
- message: cannot contains '../'
rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
url:
description: |-
URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
validateRequestMethodAndPath:
description: |-
ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
This option overrides the default behavior configured in the static configuration.
type: boolean
type: object
x-kubernetes-validations:
- message: path or url must be defined
rule: has(self.path) || has(self.url)
release:
description: |-
Release is the version number of the API.
This value must follow the SemVer format: https://semver.org/
maxLength: 100
type: string
x-kubernetes-validations:
- message: must be a valid semver version
rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""")
title:
description: Title is the public facing name of the APIVersion.
type: string
required:
- release
type: object
status:
description: The current status of this APIVersion.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIVersion.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,166 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: managedapplications.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: ManagedApplication
listKind: ManagedApplicationList
plural: managedapplications
singular: managedapplication
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ManagedApplication represents a managed application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ManagedApplicationSpec describes the ManagedApplication.
properties:
apiKeys:
description: APIKeys references the API keys used to authenticate
the application when calling APIs.
items:
description: APIKey describes an API key used to authenticate the
application when calling APIs.
properties:
secretName:
description: SecretName references the name of the secret containing
the API key.
maxLength: 253
type: string
suspended:
type: boolean
title:
type: string
value:
description: Value is the API key value.
maxLength: 4096
type: string
type: object
x-kubernetes-validations:
- message: secretName and value are mutually exclusive
rule: '[has(self.secretName), has(self.value)].filter(x, x).size()
<= 1'
maxItems: 100
type: array
appId:
description: |-
AppID is the identifier of the ManagedApplication.
It should be unique.
maxLength: 253
type: string
notes:
description: Notes contains notes about application.
type: string
owner:
description: |-
Owner represents the owner of the ManagedApplication.
It should be:
- `sub` when using OIDC
- `externalID` when using external IDP
maxLength: 253
type: string
required:
- appId
- owner
type: object
status:
description: The current status of this ManagedApplication.
properties:
apiKeyVersions:
additionalProperties:
type: string
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the ManagedApplication.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,310 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: managedsubscriptions.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: ManagedSubscription
listKind: ManagedSubscriptionList
plural: managedsubscriptions
singular: managedsubscription
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ManagedSubscription defines a Subscription managed by the API manager as the result of a pre-negotiation with its
API consumers. This subscription grant consuming access to a set of APIs to a set of Applications.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this ManagedSubscription.
properties:
apiBundles:
description: |-
APIBundles defines a set of APIBundle that will be accessible.
Multiple ManagedSubscriptions can select the same APIBundles.
items:
description: APIBundleReference references an APIBundle.
properties:
name:
description: Name of the APIBundle.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apiBundles
rule: self.all(x, self.exists_one(y, x.name == y.name))
apiPlan:
description: APIPlan defines which APIPlan will be used.
properties:
name:
description: Name of the APIPlan.
maxLength: 253
type: string
required:
- name
type: object
apiSelector:
description: |-
APISelector selects the APIs that will be accessible.
Multiple ManagedSubscriptions can select the same set of APIs.
This field is optional and follows standard label selector semantics.
An empty APISelector matches any API.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
apis:
description: |-
APIs defines a set of APIs that will be accessible.
Multiple ManagedSubscriptions can select the same APIs.
When combined with APISelector, this set of APIs is appended to the matching APIs.
items:
description: APIReference references an API.
properties:
name:
description: Name of the API.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated apis
rule: self.all(x, self.exists_one(y, x.name == y.name))
applications:
description: |-
Applications references the Applications that will gain access to the specified APIs.
Multiple ManagedSubscriptions can select the same AppID.
Deprecated: Use ManagedApplications instead.
items:
description: ApplicationReference references an Application.
properties:
appId:
description: |-
AppID is the public identifier of the application.
In the case of OIDC, it corresponds to the clientId.
maxLength: 253
type: string
required:
- appId
type: object
maxItems: 100
type: array
claims:
description: Claims specifies an expression that validate claims in
order to authorize the request.
type: string
managedApplications:
description: |-
ManagedApplications references the ManagedApplications that will gain access to the specified APIs.
Multiple ManagedSubscriptions can select the same ManagedApplication.
items:
description: ManagedApplicationReference references a ManagedApplication.
properties:
name:
description: Name is the name of the ManagedApplication.
maxLength: 253
type: string
required:
- name
type: object
maxItems: 100
type: array
x-kubernetes-validations:
- message: duplicated managed applications
rule: self.all(x, self.exists_one(y, x.name == y.name))
operationFilter:
description: |-
OperationFilter specifies the allowed operations on APIs and APIVersions.
If not set, all operations are available.
An empty OperationFilter prohibits all operations.
properties:
include:
description: Include defines the names of OperationSets that will
be accessible.
items:
type: string
maxItems: 100
type: array
type: object
weight:
description: |-
Weight specifies the evaluation order of the APIPlan.
When multiple ManagedSubscriptions targets the same API and Application with different APIPlan,
the APIPlan with the highest weight will be enforced. If weights are equal, alphabetical order is used.
type: integer
x-kubernetes-validations:
- message: must be a positive number
rule: self >= 0
required:
- apiPlan
type: object
status:
description: The current status of this ManagedSubscription.
properties:
conditions:
description: Conditions is the list of status conditions.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the ManagedSubscription.
type: string
resolvedApis:
description: ResolvedAPIs is the list of APIs that were successfully
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
syncedAt:
format: date-time
type: string
unresolvedApis:
description: UnresolvedAPIs is the list of APIs that could not be
resolved.
items:
description: ResolvedAPIReference references a resolved API.
properties:
name:
description: Name of the API.
type: string
required:
- name
type: object
type: array
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
@@ -0,0 +1,462 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressroutes.traefik.io
spec:
group: traefik.io
names:
kind: IngressRoute
listKind: IngressRouteList
plural: ingressroutes
singular: ingressroute
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteSpec defines the desired state of IngressRoute.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
Default: all.
items:
type: string
type: array
parentRefs:
description: |-
ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
More info: https://doc.traefik.io/traefik/v3.6/routing/routers/#parentrefs
items:
description: IngressRouteRef is a reference to an IngressRoute resource.
properties:
name:
description: Name defines the name of the referenced IngressRoute
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
IngressRoute resource.
type: string
required:
- name
type: object
type: array
routes:
description: Routes defines the list of routes.
items:
description: Route holds the HTTP route configuration.
properties:
kind:
description: |-
Kind defines the kind of the route.
Rule is the only supported kind.
If not defined, defaults to Rule.
enum:
- Rule
type: string
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/
type: string
middlewares:
description: |-
Middlewares defines the list of references to Middleware resources.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/middleware/
items:
description: MiddlewareRef is a reference to a Middleware
resource.
properties:
name:
description: Name defines the name of the referenced Middleware
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Middleware resource.
type: string
required:
- name
type: object
type: array
observability:
description: |-
Observability defines the observability configuration for a router.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/observability/
properties:
accessLogs:
description: AccessLogs enables access logs for this router.
type: boolean
metrics:
description: Metrics enables metrics for this router.
type: boolean
traceVerbosity:
default: minimal
description: TraceVerbosity defines the verbosity level
of the tracing for this router.
enum:
- minimal
- detailed
type: string
tracing:
description: Tracing enables tracing for this router.
type: boolean
type: object
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#priority
maximum: 9223372036854775000
type: integer
services:
description: |-
Services defines the list of Service.
It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
items:
description: Service defines an upstream HTTP service to proxy
traffic to.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be
sent to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls for healthy targets.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for
the health check endpoint.
type: string
port:
description: Port defines the server URL port for
the health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme
for the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
unhealthyInterval:
anyOf:
- type: integer
- type: string
description: |-
UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
When UnhealthyInterval is not defined, it defaults to the Interval value.
Default: 30s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health
checks for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window
during which the failed attempts must occur for
the server to be marked as unhealthy. It also defines
for how long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to
the client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as
JavaScript.
type: boolean
maxAge:
description: |-
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie
can only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- leasttime
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
type: object
type: array
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
type: string
required:
- match
type: object
type: array
tls:
description: |-
TLS defines the TLS configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/router/#tls
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#domains
items:
description: Domain holds a domain name with SANs.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain
names.
items:
type: string
type: array
type: object
type: array
options:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-options/
properties:
name:
description: |-
Name defines the name of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
type: string
required:
- name
type: object
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: |-
Store defines the reference to the TLSStore, that will be used to store certificates.
Please note that only `default` TLSStore can be used.
properties:
name:
description: |-
Name defines the name of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,256 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressroutetcps.traefik.io
spec:
group: traefik.io
names:
kind: IngressRouteTCP
listKind: IngressRouteTCPList
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
Default: all.
items:
type: string
type: array
routes:
description: Routes defines the list of routes.
items:
description: RouteTCP holds the TCP route configuration.
properties:
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/
type: string
middlewares:
description: Middlewares defines the list of references to MiddlewareTCP
resources.
items:
description: ObjectReference is a generic reference to a Traefik
resource.
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
type: array
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
maximum: 9223372036854775000
type: integer
services:
description: Services defines the list of TCP services.
items:
description: ServiceTCP defines an upstream TCP service to
proxy traffic to.
properties:
name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
proxyProtocol:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
properties:
version:
description: Version defines the PROXY Protocol version
to use.
maximum: 2
minimum: 1
type: integer
type: object
serversTransport:
description: |-
ServersTransport defines the name of ServersTransportTCP resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
terminationDelay:
description: |-
TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
it has closed the writing capability of its connection, to close the reading capability as well,
hence fully terminating the connection.
It is a duration in milliseconds, defaulting to 100.
A negative value means an infinite deadline (i.e. the reading capability is never closed).
Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
type: integer
tls:
description: TLS determines whether to use TLS when dialing
with the backend.
type: boolean
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
minimum: 0
type: integer
required:
- name
- port
type: object
type: array
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
enum:
- v3
- v2
type: string
required:
- match
type: object
type: array
tls:
description: |-
TLS defines the TLS configuration on a layer 4 / TCP Route.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/router/#tls
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#domains
items:
description: Domain holds a domain name with SANs.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain
names.
items:
type: string
type: array
type: object
type: array
options:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#tls-options
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
passthrough:
description: Passthrough defines whether a TLS router will terminate
the TLS connection.
type: boolean
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
store:
description: |-
Store defines the reference to the TLSStore, that will be used to store certificates.
Please note that only `default` TLSStore can be used.
properties:
name:
description: Name defines the name of the referenced Traefik
resource.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string
required:
- name
type: object
type: object
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,112 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: ingressrouteudps.traefik.io
spec:
group: traefik.io
names:
kind: IngressRouteUDP
listKind: IngressRouteUDPList
plural: ingressrouteudps
singular: ingressrouteudp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
properties:
entryPoints:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
Default: all.
items:
type: string
type: array
routes:
description: Routes defines the list of routes.
items:
description: RouteUDP holds the UDP route configuration.
properties:
services:
description: Services defines the list of UDP services.
items:
description: ServiceUDP defines an upstream UDP service to
proxy traffic to.
properties:
name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
minimum: 0
type: integer
required:
- name
- port
type: object
type: array
type: object
type: array
required:
- routes
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,88 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: middlewaretcps.traefik.io
spec:
group: traefik.io
names:
kind: MiddlewareTCP
listKind: MiddlewareTCPList
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/overview/
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
properties:
inFlightConn:
description: InFlightConn defines the InFlightConn middleware configuration.
properties:
amount:
description: |-
Amount defines the maximum amount of allowed simultaneous connections.
The middleware closes the connection if there are already amount connections opened.
format: int64
minimum: 0
type: integer
type: object
ipAllowList:
description: |-
IPAllowList defines the IPAllowList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipallowlist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: |-
IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
Deprecated: please use IPAllowList instead.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,169 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: serverstransports.traefik.io
spec:
group: traefik.io
names:
kind: ServersTransport
listKind: ServersTransportList
plural: serverstransports
singular: serverstransport
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ServersTransport is the CRD implementation of a ServersTransport.
If no serversTransport is specified, the default@internal will be used.
The default@internal serversTransport is created from the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/serverstransport/
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServersTransportSpec defines the desired state of a ServersTransport.
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
disableHTTP2:
description: DisableHTTP2 disables HTTP/2 for connections with backend
servers.
type: boolean
forwardingTimeouts:
description: ForwardingTimeouts defines the timeouts for requests
forwarded to the backend servers.
properties:
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a
connection to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
idleConnTimeout:
anyOf:
- type: integer
- type: string
description: IdleConnTimeout is the maximum period for which an
idle HTTP keep-alive connection will remain open before closing
itself.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
pingTimeout:
anyOf:
- type: integer
- type: string
description: PingTimeout is the timeout after which the HTTP/2
connection will be closed if a response to ping is not received.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
readIdleTimeout:
anyOf:
- type: integer
- type: string
description: ReadIdleTimeout is the timeout after which a health
check using ping frame will be carried out if no frame is received
on the HTTP/2 connection.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
responseHeaderTimeout:
anyOf:
- type: integer
- type: string
description: ResponseHeaderTimeout is the amount of time to wait
for a server's response headers after fully writing the request
(including its body, if any).
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
type: object
insecureSkipVerify:
description: InsecureSkipVerify disables SSL certificate verification.
type: boolean
maxIdleConnsPerHost:
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
to keep per-host.
minimum: -1
type: integer
peerCertURI:
description: PeerCertURI defines the peer cert URI used to match against
SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets or ConfigMaps
used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: '!has(self.secret) || !has(self.configMap)'
type: array
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact the
server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust domain.
type: string
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,156 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: serverstransporttcps.traefik.io
spec:
group: traefik.io
names:
kind: ServersTransportTCP
listKind: ServersTransportTCPList
plural: serverstransporttcps
singular: serverstransporttcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ServersTransportTCP is the CRD implementation of a TCPServersTransport.
If no tcpServersTransport is specified, a default one named default@internal will be used.
The default@internal tcpServersTransport can be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/serverstransport/
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
properties:
dialKeepAlive:
anyOf:
- type: integer
- type: string
description: DialKeepAlive is the interval between keep-alive probes
for an active network connection. If zero, keep-alive probes are
sent with a default value (currently 15 seconds), if supported by
the protocol and operating system. Network protocols or operating
systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a connection
to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
proxyProtocol:
description: ProxyProtocol holds the PROXY Protocol configuration.
properties:
version:
description: Version defines the PROXY Protocol version to use.
maximum: 2
minimum: 1
type: integer
type: object
terminationDelay:
anyOf:
- type: integer
- type: string
description: TerminationDelay defines the delay to wait before fully
terminating the connection, after one connected peer has closed
its writing capability.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
tls:
description: TLS defines the TLS configuration
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
insecureSkipVerify:
description: InsecureSkipVerify disables TLS certificate verification.
type: boolean
peerCertURI:
description: |-
MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets
or ConfigMaps used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: '!has(self.secret) || !has(self.configMap)'
type: array
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact
the server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust
domain.
type: string
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,118 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: tlsoptions.traefik.io
spec:
group: traefik.io
names:
kind: TLSOption
listKind: TLSOptionList
plural: tlsoptions
singular: tlsoption
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TLSOptionSpec defines the desired state of a TLSOption.
properties:
alpnProtocols:
description: |-
ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
items:
type: string
type: array
cipherSuites:
description: |-
CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
items:
type: string
type: array
clientAuth:
description: ClientAuth defines the server's policy for TLS Client
Authentication.
properties:
clientAuthType:
description: ClientAuthType defines the client authentication
type to apply.
enum:
- NoClientCert
- RequestClientCert
- RequireAnyClientCert
- VerifyClientCertIfGiven
- RequireAndVerifyClientCert
type: string
secretNames:
description: SecretNames defines the names of the referenced Kubernetes
Secret storing certificate details.
items:
type: string
type: array
type: object
curvePreferences:
description: |-
CurvePreferences defines the preferred elliptic curves.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
items:
type: string
type: array
disableSessionTickets:
description: DisableSessionTickets disables TLS session resumption
via session tickets.
type: boolean
maxVersion:
description: |-
MaxVersion defines the maximum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: None.
type: string
minVersion:
description: |-
MinVersion defines the minimum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: VersionTLS10.
type: string
preferServerCipherSuites:
description: |-
PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
It is enabled automatically when minVersion or maxVersion is set.
Deprecated: https://github.com/golang/go/issues/45430
type: boolean
sniStrict:
description: SniStrict defines whether Traefik allows connections
from clients connections that do not specify a server_name extension.
type: boolean
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,97 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: tlsstores.traefik.io
spec:
group: traefik.io
names:
kind: TLSStore
listKind: TLSStoreList
plural: tlsstores
singular: tlsstore
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TLSStore is the CRD implementation of a Traefik TLS Store.
For the time being, only the TLSStore named default is supported.
This means that you cannot have two stores that are named default in different Kubernetes namespaces.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TLSStoreSpec defines the desired state of a TLSStore.
properties:
certificates:
description: Certificates is a list of secret names, each secret holding
a key/certificate pair to add to the store.
items:
description: Certificate holds a secret name for the TLSStore resource.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
type: array
defaultCertificate:
description: DefaultCertificate defines the default certificate configuration.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
defaultGeneratedCert:
description: DefaultGeneratedCert defines the default generated certificate
configuration.
properties:
domain:
description: Domain is the domain definition for the DefaultCertificate.
properties:
main:
description: Main defines the main domain name.
type: string
sans:
description: SANs defines the subject alternative domain names.
items:
type: string
type: array
type: object
resolver:
description: Resolver is the name of the resolver that will be
used to issue the DefaultCertificate.
type: string
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
@@ -0,0 +1,116 @@
{{/* Print release information */}}
{{- printf "\n\n" -}}
{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace!
{{- printf "\n" -}}
{{/* Warn about potential permission issue with persistence */}}
{{- if .Values.persistence -}}
{{- if and .Values.persistence.enabled (empty .Values.deployment.initContainers) -}}
{{- printf "\n" -}}
🚨 When enabling persistence for certificates, permissions on acme.json can be
lost when Traefik restarts. You can ensure correct permissions with an
initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
for more info. 🚨
{{- printf "\n" -}}
{{- end -}}
{{- end -}}
{{/* Warn about non-matching potential labelSelector mismatch for CRD provider */}}
{{- with .Values.providers.kubernetesCRD.labelSelector -}}
{{- $labelsApplied := include "traefik.labels" $ -}}
{{- $labelSelectors := regexSplit "," . -1 }}
{{- range $labelSelectors -}}
{{- $labelSelectorRaw := regexSplit "=" . -1 -}}
{{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) -}}
{{- if not (contains $labelSelector $labelsApplied) -}}
{{- printf "\n" -}}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider. 🚨
{{- printf "\n" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Warn about non-matching potential labelSelector mismatch for Ingress provider */}}
{{- with .Values.providers.kubernetesIngress.labelSelector -}}
{{- $labelsApplied := include "traefik.labels" $ -}}
{{- $labelSelectors := regexSplit "," . -1 -}}
{{- range $labelSelectors -}}
{{- $labelSelectorRaw := regexSplit "=" . -1 -}}
{{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) -}}
{{- if not (contains $labelSelector $labelsApplied) -}}
{{- printf "\n" -}}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider. 🚨
{{- printf "\n" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Warn about renamed ports */}}
{{- range $name, $config := .Values.ports -}}
{{- $sanitizedPortName := include "traefik.portname" $name -}}
{{- if (ne $sanitizedPortName $name) -}}
{{- printf "\n" -}}
🚨 Port name `{{ $name }}` does not comply with Kubernetes standards and will be renamed to `{{ $sanitizedPortName }}` in services. 🚨
️ See the "traefik.portname" helper in this chart for additional details.
{{- printf "\n" -}}
{{- end -}}
{{- end -}}
{{/* Warn about hub not watching namespaces configured in providers */}}
{{- if and .Values.hub.token (and .Values.rbac.enabled .Values.rbac.namespaced) }}
{{- if .Values.hub.namespaces -}}
{{- range (list "kubernetesCRD" "kubernetesGateway" "kubernetesIngress") }}
{{- $provider := . -}}
{{- $providerNamespaces := get (get $.Values.providers .) "namespaces" -}}
{{- $providerEnabled := get (get $.Values.providers .) "enabled" -}}
{{- if $providerEnabled -}}
{{- if $providerNamespaces -}}
{{- $difference := (include "list.difference" (dict "a" $providerNamespaces "b" $.Values.hub.namespaces)) | fromYamlArray }}
{{- if $difference }}
{{- printf "WARNING: %s provider is configured to watch namespaces %s but those ones are not watched by Hub provider.\n" $provider $difference -}}
{{- end -}}
{{- else -}}
{{- printf "WARNING: %s provider is configured to watch all namespaces but Hub provider only watches %s.\n" $provider $.Values.hub.namespaces -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Warn about deprecated localPlugins */}}
{{- if include "traefik.hasDeprecatedLocalPlugins" . }}
{{- printf "\n" -}}
⚠️ DEPRECATION WARNING: You are using the deprecated legacy 'hostPath' configuration.
Please migrate to the new structured 'type.hostPathPlugin' configuration within localPlugins.
The legacy root-level hostPath configuration will be removed in the next major version.
Migration example:
experimental:
localPlugins:
your-plugin:
moduleName: github.com/example/yourplugin
mountPath: /plugins-local/src/github.com/example/yourplugin
# Choose one of the following types:
type: inlinePlugin # Recommended for small/medium plugins: secure ConfigMap-based
source: # Required for inlinePlugin
# your plugin files here
# type: hostPath # Use with caution for security reasons
# hostPath: /path/to/plugin
# type: localPath # Advanced: Uses additionalVolumes, can be used with PVC, CSI drivers (s3-csi-driver, FUSE), etc.
# volumeName: plugin-storage
{{- printf "\n" -}}
{{- end -}}
{{/* Warn about missing secret when enabling managed certificate with Hub admission controller */}}
{{- if and .Values.hub.token .Values.hub.apimanagement.enabled .Values.hub.apimanagement.admission.selfManagedCertificate }}
{{- $cert := lookup "v1" "Secret" (include "traefik.namespace" .) $.Values.hub.apimanagement.admission.secretName -}}
{{- if not $cert }}
{{- printf "\nWARNING: webhook secret %s for Traefik hub is self managed and was not found in %s namespace.\n" $.Values.hub.apimanagement.admission.secretName (include "traefik.namespace" .) -}}
{{- end -}}
{{- end -}}
@@ -0,0 +1,455 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "traefik.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "traefik.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the chart image name.
*/}}
{{- define "traefik.image-name" -}}
{{- if .Values.oci_meta.enabled -}}
{{- if .Values.hub.token -}}
{{- printf "%s/%s:%s" .Values.oci_meta.repo .Values.oci_meta.images.hub.image .Values.oci_meta.images.hub.tag }}
{{- else -}}
{{- printf "%s/%s:%s" .Values.oci_meta.repo .Values.oci_meta.images.proxy.image .Values.oci_meta.images.proxy.tag }}
{{- end -}}
{{- else if .Values.global.azure.enabled -}}
{{- if .Values.hub.token -}}
{{- printf "%s/%s:%s" .Values.global.azure.images.hub.registry .Values.global.azure.images.hub.image .Values.global.azure.images.hub.tag }}
{{- else -}}
{{- printf "%s/%s:%s" .Values.global.azure.images.proxy.registry .Values.global.azure.images.proxy.image .Values.global.azure.images.proxy.tag }}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "traefik.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Allow customization of the instance label value.
*/}}
{{- define "traefik.instance-name" -}}
{{- default (printf "%s-%s" .Release.Name (include "traefik.namespace" .)) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Shared labels used for selector*/}}
{{/* This is an immutable field: this should not change between upgrade */}}
{{- define "traefik.labelselector" -}}
app.kubernetes.io/name: {{ template "traefik.name" . }}
app.kubernetes.io/instance: {{ template "traefik.instance-name" . }}
{{- end }}
{{/* Shared labels used in metada */}}
{{- define "traefik.labels" -}}
{{ include "traefik.labelselector" . }}
helm.sh/chart: {{ template "traefik.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Construct the namespace for all namespaced resources
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
Preserve the default behavior of the Release namespace if no override is provided
*/}}
{{- define "traefik.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
The name of the service account to use
*/}}
{{- define "traefik.serviceAccountName" -}}
{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}}
{{- end -}}
{{/*
The name of the ClusterRole and ClusterRoleBinding to use.
Adds the namespace to name to prevent duplicate resource names when there
are multiple namespaced releases with the same release name.
*/}}
{{- define "traefik.clusterRoleName" -}}
{{- (printf "%s-%s" (include "traefik.fullname" .) (include "traefik.namespace" .)) | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{/*
Change input to a valid name for a port.
This is a best effort to convert input to a valid port name for Kubernetes,
which per RFC 6335 only allows lowercase alphanumeric characters and '-',
and additionally imposes a limit of 15 characters on the length of the name.
See also https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
and https://www.rfc-editor.org/rfc/rfc6335#section-5.1.
*/}}
{{- define "traefik.portname" -}}
{{- $portName := . -}}
{{- $portName = $portName | lower -}}
{{- $portName = $portName | trimPrefix "-" | trunc 15 | trimSuffix "-" -}}
{{- print $portName -}}
{{- end -}}
{{/*
Change input to a valid port reference.
See also the traefik.portname helper.
*/}}
{{- define "traefik.portreference" -}}
{{- if kindIs "string" . -}}
{{- print (include "traefik.portname" .) -}}
{{- else -}}
{{- print . -}}
{{- end -}}
{{- end -}}
{{/*
Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice.
By convention this will simply use the <namespace>/<service-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
*/}}
{{- define "providers.kubernetesIngress.publishedServicePath" -}}
{{- $defServiceName := printf "%s/%s" (include "traefik.namespace" .) (include "traefik.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{- define "providers.kubernetesIngressNginx.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" (include "traefik.namespace" .) (include "traefik.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngressNginx.publishService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct a comma-separated list of whitelisted namespaces
*/}}
{{- define "providers.kubernetesCRD.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesGateway.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesGateway.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesIngress.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesIngressNginx.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngressNginx.watchNamespace) }}
{{- end -}}
{{- define "providers.knative.namespaces" -}}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.knative.namespaces) }}
{{- end -}}
{{/*
Renders a complete tree, even values that contains template.
*/}}
{{- define "traefik.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{ else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
This is a hack to avoid too much complexity when proxyVersion is required on Hub.
It requires a dict with "Version" and "Hub".
*/}}
{{- define "traefik.proxyVersionFromHub" -}}
{{- $version := .Version -}}
{{- if .Hub -}}
{{- $hubProxyVersion := "v3.6.7" }}
{{- if regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $version) }}
{{- if semverCompare "<v3.19.0-0" $version }}
{{- $hubProxyVersion = "v3.6.3" }}
{{- end -}}
{{- end -}}
{{- $hubProxyVersion }}
{{- else -}}
{{- $version }}
{{- end -}}
{{- end -}}
{{/*
The version can comes many sources: appVersion, image.tag, override, marketplace.
*/}}
{{- define "traefik.proxyVersion" -}}
{{- if $.Values.versionOverride }}
{{- include "traefik.proxyVersionFromHub" (dict "Version" $.Values.versionOverride "Hub" $.Values.hub.token) }}
{{- else if $.Values.hub.token -}}
{{- $version := ($.Values.oci_meta.enabled | ternary $.Values.oci_meta.images.hub.tag $.Values.image.tag) -}}
{{- $version = ($.Values.global.azure.enabled | ternary $.Values.global.azure.images.hub.tag $version) -}}
{{- include "traefik.proxyVersionFromHub" (dict "Version" $version "Hub" true) }}
{{- else -}}
{{- $imageVersion := ($.Values.oci_meta.enabled | ternary $.Values.oci_meta.images.proxy.tag $.Values.image.tag) -}}
{{- $imageVersion = ($.Values.global.azure.enabled | ternary $.Values.global.azure.images.proxy.tag $imageVersion) -}}
{{- (split "@" (default $.Chart.AppVersion $imageVersion))._0 | replace "latest-" "" | replace "experimental-" "" }}
{{- end -}}
{{- end -}}
{{/* Generate/load self-signed certificate for admission webhooks */}}
{{- define "traefik-hub.webhook_cert" -}}
{{- if $.Values.hub.apimanagement.admission.customWebhookCertificate }}
Cert: {{ index $.Values.hub.apimanagement.admission.customWebhookCertificate "tls.crt" }}
Key: {{ index $.Values.hub.apimanagement.admission.customWebhookCertificate "tls.key" }}
Hash: {{ sha1sum (index $.Values.hub.apimanagement.admission.customWebhookCertificate "tls.crt") }}
{{- else -}}
{{- $cert := lookup "v1" "Secret" (include "traefik.namespace" .) $.Values.hub.apimanagement.admission.secretName -}}
{{- if $cert }}
{{ if or (not (hasKey $cert.data "tls.crt")) (not (hasKey $cert.data "tls.key")) -}}
{{- fail (printf "ERROR: secret %s/%s exists but doesn't contain any certificate data. Please remove it or change hub.apimanagement.admission.secretName." (include "traefik.namespace" .) $.Values.hub.apimanagement.admission.secretName) }}
{{- end -}}
{{/* reusing value of existing cert */}}
Cert: {{ index $cert.data "tls.crt" }}
Key: {{ index $cert.data "tls.key" }}
Hash: {{ sha1sum (index $cert.data "tls.crt") }}
{{- else if not $.Values.hub.apimanagement.admission.selfManagedCertificate -}}
{{/* generate a new one */}}
{{- $altNames := list ( printf "admission.%s.svc" (include "traefik.namespace" .) ) -}}
{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" (include "traefik.namespace" .) ) (list) $altNames 3650 -}}
Cert: {{ $cert.Cert | b64enc }}
Key: {{ $cert.Key | b64enc }}
Hash: {{ sha1sum ($cert.Cert | b64enc) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "traefik.yaml2CommandLineArgsRec" -}}
{{- $path := .path -}}
{{- range $key, $value := .content -}}
{{- if kindIs "map" $value }}
{{- include "traefik.yaml2CommandLineArgsRec" (dict "path" (printf "%s.%s" $path $key) "content" $value) -}}
{{- else if ne $value nil }}
--{{ join "." (list $path $key)}}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "traefik.yaml2CommandLineArgs" -}}
{{- range ((regexSplit "\n" ((include "traefik.yaml2CommandLineArgsRec" (dict "path" .path "content" .content)) | trim) -1) | compact) -}}
{{ printf "- \"%s\"\n" . }}
{{- end -}}
{{- end -}}
{{- define "traefik.localPluginCmName" -}}
{{ include "traefik.fullname" .context }}-local-plugin-{{ .pluginName | replace "." "-" }}
{{- end -}}
{{- define "traefik.hasPluginsVolume" -}}
{{- $found := false -}}
{{- range . -}}
{{- if eq .name "plugins" -}}
{{ $found = true }}
{{- end -}}
{{- end -}}
{{- $found -}}
{{- end -}}
{{/*
Validate localPlugin configuration and determine plugin type
Returns: hostPath, inline, or localPath
*/}}
{{- define "traefik.getLocalPluginType" -}}
{{- $plugin := .plugin -}}
{{- if $plugin.type -}}
{{- if eq $plugin.type "hostPath" -}}
{{- printf "hostPath" -}}
{{- else if eq $plugin.type "inlinePlugin" -}}
{{- printf "inlinePlugin" -}}
{{- else if eq $plugin.type "localPath" -}}
{{- printf "localPath" -}}
{{- else -}}
{{- fail (printf "ERROR: localPlugin %s has invalid type configuration. Must specify one of: hostPath, inlinePlugin, localPath" .pluginName) -}}
{{- end -}}
{{- else if $plugin.hostPath -}}
{{- printf "hostPath" -}}
{{- else -}}
{{- fail (printf "ERROR: localPlugin %s must specify either legacy hostPath configuration or new type configuration!" .pluginName) -}}
{{- end -}}
{{- end -}}
{{/*
Get hostPath for a plugin (handles both old and new structure)
*/}}
{{- define "traefik.getLocalPluginHostPath" -}}
{{- $plugin := .plugin -}}
{{- if $plugin.type -}}
{{- if eq $plugin.type "hostPath" -}}
{{- $plugin.hostPath -}}
{{- end -}}
{{- else -}}
{{- $plugin.hostPath -}}
{{- end -}}
{{- end -}}
{{/*
Get inline plugin files (new structure only)
*/}}
{{- define "traefik.getLocalPluginInlineFiles" -}}
{{- $plugin := .plugin -}}
{{- if eq $plugin.type "inlinePlugin" -}}
{{- required (printf "ERROR: localPlugin %s with type inlinePlugin must have a source field!" .pluginName) $plugin.source | toYaml -}}
{{- end -}}
{{- end -}}
{{/*
Get localPath plugin configuration (new structure only)
*/}}
{{- define "traefik.getLocalPluginLocalPath" -}}
{{- $plugin := .plugin -}}
{{- if eq $plugin.type "localPath" -}}
{{- $localPathConfig := dict -}}
{{- range $key, $value := $plugin -}}
{{- if and (ne $key "type") (ne $key "moduleName") (ne $key "mountPath") -}}
{{- $_ := set $localPathConfig $key $value -}}
{{- end -}}
{{- end -}}
{{- toYaml $localPathConfig -}}
{{- end -}}
{{- end -}}
{{/*
Check if a volume name exists in additionalVolumes
*/}}
{{- define "traefik.volumeExistsInAdditionalVolumes" -}}
{{- $volumeName := .volumeName -}}
{{- $additionalVolumes := .additionalVolumes -}}
{{- $found := false -}}
{{- range $additionalVolumes -}}
{{- if eq .name $volumeName -}}
{{- $found = true -}}
{{- end -}}
{{- end -}}
{{- $found -}}
{{- end -}}
{{/*
Check if using old localPlugin hostPath structure (for deprecation warning)
*/}}
{{- define "traefik.hasDeprecatedLocalPlugins" -}}
{{- if .Values.experimental.localPlugins -}}
{{- range $pluginName, $plugin := .Values.experimental.localPlugins -}}
{{- if $plugin.hostPath -}}
{{- printf "true" -}}
{{- break -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "list.difference" -}}
{{- $a := .a }}
{{- $b := .b }}
{{- $diff := list }}
{{- range $a }}
{{- if not (has . $b) }}
{{- $diff = append $diff . }}
{{- end }}
{{- end }}
{{- toYaml $diff }}
{{- end }}
{{/*
This helper converts the input value of memory to Bytes.
Input needs to be a valid value as supported by k8s memory resource field.
This function aims to handle SI, IEC prefixes or no prefixes (cf. https://github.com/kubeflow/crd-validation/blob/master/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go#L44).
SI prefixes use power of 10 (e.g. 1e18 = 1 x 10^18) (m | "" | k | M | G | T | P | E).
IEC prefixes use power of 2 (e.g. 0x1p60 = 2^60) (Ki | Mi | Gi | Ti | Pi | Ei).
*/}}
{{- define "traefik.convertMemToBytes" }}
{{- $mem := lower . -}}
{{- if hasSuffix "e" $mem -}}
{{- $mem = mulf (trimSuffix "e" $mem | float64) 1e18 -}}
{{- else if hasSuffix "ei" $mem -}}
{{- $mem = mulf (trimSuffix "e" $mem | float64) 0x1p60 -}}
{{- else if hasSuffix "p" $mem -}}
{{- $mem = mulf (trimSuffix "p" $mem | float64) 1e15 -}}
{{- else if hasSuffix "pi" $mem -}}
{{- $mem = mulf (trimSuffix "pi" $mem | float64) 0x1p50 -}}
{{- else if hasSuffix "t" $mem -}}
{{- $mem = mulf (trimSuffix "t" $mem | float64) 1e12 -}}
{{- else if hasSuffix "ti" $mem -}}
{{- $mem = mulf (trimSuffix "ti" $mem | float64) 0x1p40 -}}
{{- else if hasSuffix "g" $mem -}}
{{- $mem = mulf (trimSuffix "g" $mem | float64) 1e9 -}}
{{- else if hasSuffix "gi" $mem -}}
{{- $mem = mulf (trimSuffix "gi" $mem | float64) 0x1p30 -}}
{{- else if hasSuffix "m" . -}}
{{- $mem = divf (trimSuffix "m" $mem | float64) 1e3 -}}
{{- else if hasSuffix "M" . -}}
{{- $mem = mulf (trimSuffix "m" $mem | float64) 1e6 -}}
{{- else if hasSuffix "mi" $mem -}}
{{- $mem = mulf (trimSuffix "mi" $mem | float64) 0x1p20 -}}
{{- else if hasSuffix "k" $mem -}}
{{- $mem = mulf (trimSuffix "k" $mem | float64) 1e3 -}}
{{- else if hasSuffix "ki" $mem -}}
{{- $mem = mulf (trimSuffix "ki" $mem | float64) 0x1p10 -}}
{{- end }}
{{- $mem }}
{{- end }}
{{- define "traefik.gomemlimit" }}
{{- $percentage := .percentage -}}
{{- $memlimitBytes := include "traefik.convertMemToBytes" .memory | mulf $percentage -}}
{{- printf "%dMiB" (divf $memlimitBytes 0x1p20 | floor | int64) -}}
{{- end }}
{{- define "traefik.oltpCommonParams" }}
{{- $path := .path -}}
{{- $otlpConfig := .oltp -}}
{{- if $otlpConfig.enabled }}
- "--{{$path}}=true"
{{- with $otlpConfig.http }}
{{- if .enabled }}
- "--{{$path}}.http=true"
{{ println }}
{{- include "traefik.yaml2CommandLineArgs" (dict "path" (printf "%s.http" $path) "content" (omit . "enabled")) | nindent 2 }}
{{- end }}
{{- end }}
{{- with $otlpConfig.grpc }}
{{- if .enabled }}
- "--{{$path}}.grpc=true"
{{ println }}
{{- include "traefik.yaml2CommandLineArgs" (dict "path" (printf "%s.grpc" $path) "content" (omit . "enabled")) | nindent 2 }}
{{- end }}
{{- end }}
{{- with $otlpConfig.serviceName }}
- "--{{$path}}.serviceName={{.}}"
{{- end }}
{{- range $name, $value := $otlpConfig.resourceAttributes }}
- "--{{$path}}.resourceAttributes.{{ $name }}={{ $value }}"
{{- end }}
{{- end }}
{{- end }}
@@ -0,0 +1,25 @@
{{- define "traefik.metrics-service-metadata" }}
labels:
{{- include "traefik.metricsservicelabels" . | nindent 4 -}}
{{- with .Values.metrics.prometheus.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{/* Labels used for metrics-relevant selector*/}}
{{/* This is an immutable field: this should not change between upgrade */}}
{{- define "traefik.metricslabelselector" -}}
{{- include "traefik.labelselector" . }}
app.kubernetes.io/component: metrics
{{- end }}
{{/* Shared labels used in metadata of metrics-service and servicemonitor */}}
{{- define "traefik.metricsservicelabels" -}}
{{ include "traefik.metricslabelselector" . }}
helm.sh/chart: {{ template "traefik.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
@@ -0,0 +1,85 @@
{{- define "traefik.service-name" -}}
{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}}
{{- if eq .name "default" -}}
{{- $fullname = include "traefik.fullname" .root -}}
{{- end -}}
{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60
{{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}}
{{- end -}}
{{- $fullname -}}
{{- end -}}
{{- define "traefik.service-metadata" }}
labels:
{{- include "traefik.labels" .root | nindent 4 -}}
{{- with .service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- define "traefik.service-spec" -}}
{{- $type := default "LoadBalancer" .service.type }}
type: {{ $type }}
{{- with .service.loadBalancerClass }}
loadBalancerClass: {{ . }}
{{- end}}
{{- with .service.spec }}
{{- toYaml . | nindent 2 }}
{{- end }}
selector:
{{- include "traefik.labelselector" .root | nindent 4 }}
{{- if eq $type "LoadBalancer" }}
{{- with .service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end -}}
{{- with .service.externalIPs }}
externalIPs:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- with .service.ipFamilyPolicy }}
ipFamilyPolicy: {{ . }}
{{- end }}
{{- with .service.ipFamilies }}
ipFamilies:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end }}
{{- define "traefik.service-ports" }}
{{- range $portName, $config := .ports }}
{{- $name := $portName | lower -}}
{{- if (index (default dict $config.expose) $.serviceName) }}
{{- $port := default $config.port $config.exposedPort }}
{{- if empty $port }}
{{- fail (print "ERROR: Cannot create " (trim $name) " port on Service without .port or .exposedPort") }}
{{- end }}
- port: {{ $port }}
name: {{ include "traefik.portname" $name }}
targetPort: {{ default $name $config.targetPort | include "traefik.portreference" }}
protocol: {{ default "TCP" $config.protocol }}
{{- if $config.nodePort }}
nodePort: {{ $config.nodePort }}
{{- end }}
{{- if $config.appProtocol }}
appProtocol: {{ $config.appProtocol }}
{{- end }}
{{- if and ($config.http3).enabled ($config.single) }}
{{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }}
- port: {{ $http3Port }}
name: {{ printf "%s-http3" $name | include "traefik.portname" }}
targetPort: {{ default $name $config.targetPort | include "traefik.portreference" }}
protocol: UDP
{{- if $config.nodePort }}
nodePort: {{ $config.nodePort }}
{{- end }}
{{- if $config.appProtocol }}
appProtocol: {{ $config.appProtocol }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
@@ -0,0 +1,59 @@
{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}}
{{- with .Values.additionalArguments -}}
{{- range . -}}
{{- if contains ".acme." . -}}
{{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
{{- fail "\n\n ERROR: latest tag should not be used" }}
{{- end }}
{{- with .Values.updateStrategy }}
{{- if and (eq (.type) "RollingUpdate") (.rollingUpdate) }}
{{- if not (contains "%" (toString .rollingUpdate.maxUnavailable)) }}
{{- if and ($.Values.hostNetwork) (lt (float64 .rollingUpdate.maxUnavailable) 1.0) }}
{{- fail "maxUnavailable should be greater than 0 when using hostNetwork." }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- with .Values.updateStrategy }}
updateStrategy:
type: {{ .type }}
{{- if (eq .type "RollingUpdate") }}
rollingUpdate:
maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
maxSurge: {{ .rollingUpdate.maxSurge }}
{{- end }}
{{- end }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- if .Values.deployment.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
{{- end }}
{{/* This dual conversion is used to remove all spurious newlines */}}
template: {{ include "traefik.podTemplate" . | fromYaml | toYaml | nindent 4 }}
{{- end -}}
@@ -0,0 +1,67 @@
{{/* check helm version */}}
{{- if (semverCompare "<v3.9.0" (.Capabilities.HelmVersion.Version | default "v3.0.0")) -}}
{{- fail "ERROR: Helm >= 3.9.0 is required" -}}
{{- end -}}
{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}}
{{- if gt (int .Values.deployment.replicas) 1 -}}
{{- with .Values.additionalArguments -}}
{{- range . -}}
{{- if contains ".acme." . -}}
{{- fail (printf "You can not enable acme if you set more than one traefik replica") -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
{{- fail "\n\n ERROR: latest tag should not be used" }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ default 1 .Values.deployment.replicas }}
{{- else if and
.Values.autoscaling.scaleTargetRef
(not (and
(eq .Values.autoscaling.scaleTargetRef.apiVersion "apps/v1")
(eq .Values.autoscaling.scaleTargetRef.kind "Deployment")
))
}}
replicas: {{ default 0 .Values.deployment.replicas }}
{{- end }}
{{- if ne .Values.deployment.revisionHistoryLimit nil }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- with .Values.updateStrategy }}
strategy:
type: {{ .type }}
{{- if (eq .type "RollingUpdate") }}
rollingUpdate:
maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
maxSurge: {{ .rollingUpdate.maxSurge }}
{{- end }}
{{- end }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{/* This dual conversion is used to remove all spurious newlines */}}
template: {{ include "traefik.podTemplate" . | fromYaml | toYaml | nindent 4 }}
{{- end -}}
@@ -0,0 +1,4 @@
{{- range .Values.extraObjects }}
---
{{ include "traefik.render" (dict "value" . "context" $) }}
{{- end }}
@@ -0,0 +1,65 @@
{{- if and (.Values.gateway).enabled (.Values.providers.kubernetesGateway).enabled }}
{{- if not .Values.gateway.listeners }}
{{- fail "ERROR: gateway must have at least one listener or should be disabled" }}
{{- end }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: {{ default "traefik-gateway" .Values.gateway.name }}
namespace: {{ default ( include "traefik.namespace" . ) .Values.gateway.namespace }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.gateway.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
gatewayClassName: {{ default "traefik" .Values.gatewayClass.name }}
{{- with .Values.gateway.infrastructure }}
infrastructure:
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.gateway.defaultScope }}
defaultScope: {{ . }}
{{- end }}
listeners:
{{- range $name, $config := .Values.gateway.listeners }}
- name: {{ $name }}
{{ if not .port }}
{{- fail "ERROR: port needs to be specified" }}
{{- end -}}
{{ $found := false }}
{{- range $portName, $portConfig := $.Values.ports -}}
{{- if eq $portConfig.port $config.port -}}
{{ $found = true }}
{{- end -}}
{{- end -}}
{{ if not $found }}
{{- fail (printf "ERROR: port %0.f is not declared in ports" .port ) }}
{{- end -}}
port: {{ .port }}
protocol: {{ .protocol }}
{{- with .hostname }}
hostname: {{ . | toYaml }}
{{- end }}
{{- with .namespacePolicy }}
allowedRoutes:
namespaces:
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if and (eq .protocol "HTTPS") (not .certificateRefs) }}
{{- fail "ERROR: certificateRefs needs to be specified using HTTPS" }}
{{- end }}
{{ if or .certificateRefs .mode }}
tls:
{{ with .mode }}
mode: {{ . }}
{{- end }}
{{ with .certificateRefs }}
certificateRefs:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
@@ -0,0 +1,14 @@
{{- if and (.Values.gatewayClass).enabled (.Values.providers.kubernetesGateway).enabled }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: {{ default "traefik" .Values.gatewayClass.name }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.gatewayClass.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
controllerName: traefik.io/gateway-controller
{{- end }}
@@ -0,0 +1,35 @@
{{- if .Values.autoscaling.enabled }}
{{- if not .Values.autoscaling.maxReplicas }}
{{- fail "ERROR: maxReplicas is required on HPA" }}
{{- end }}
{{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: {{ .Values.autoscaling.scaleTargetRef.apiVersion }}
kind: {{ .Values.autoscaling.scaleTargetRef.kind }}
name: {{ tpl .Values.autoscaling.scaleTargetRef.name . }}
{{- if .Values.autoscaling.minReplicas }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
{{- end }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
{{- if .Values.autoscaling.metrics }}
metrics:
{{ toYaml .Values.autoscaling.metrics | indent 4 }}
{{- end }}
{{- if .Values.autoscaling.behavior }}
behavior:
{{ toYaml .Values.autoscaling.behavior | indent 4 }}
{{- end }}
{{- end }}
@@ -0,0 +1,123 @@
{{- if .Values.hub.token -}}
{{- if and .Values.hub.apimanagement.enabled (not .Values.hub.offline) }}
{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }}
{{- if or (not .Values.hub.apimanagement.admission.selfManagedCertificate) .Values.hub.apimanagement.admission.customWebhookCertificate}}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: {{ .Values.hub.apimanagement.admission.secretName }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
data:
tls.crt: {{ $cert.Cert }}
tls.key: {{ $cert.Key }}
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: hub-acp-{{ template "traefik.instance-name" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
annotations:
{{- with .Values.hub.apimanagement.admission.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: admission.traefik.svc
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" . }}
path: /acp
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- accesscontrolpolicies
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: hub-api-{{ template "traefik.instance-name" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
annotations:
{{- with .Values.hub.apimanagement.admission.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- $resources := list
(dict "name" "hub-agent.traefik.api" "endpoint" "/api" "resource" "apis")
(dict "name" "hub-agent.traefik.bundle" "endpoint" "/api-bundle" "resource" "apibundles")
(dict "name" "hub-agent.traefik.catalog-item" "endpoint" "/api-catalog-item" "resource" "apicatalogitems")
(dict "name" "hub-agent.traefik.managed-subscription" "endpoint" "/managed-subscription" "resource" "managedsubscriptions")
(dict "name" "hub-agent.traefik.plan" "endpoint" "/api-plan" "resource" "apiplans")
(dict "name" "hub-agent.traefik.portal" "endpoint" "/api-portal" "resource" "apiportals")
(dict "name" "hub-agent.traefik.version" "endpoint" "/api-version" "resource" "apiversions")
}}
{{- range $resources }}
- name: hub-agent.traefik.{{ .name }}
clientConfig:
service:
name: admission
namespace: {{ template "traefik.namespace" $ }}
path: {{ .endpoint }}
caBundle: {{ $cert.Cert }}
sideEffects: None
admissionReviewVersions:
- v1
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- hub.traefik.io
apiVersions:
- v1alpha1
resources:
- {{ .resource }}
{{- if $.Values.hub.namespaces }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
{{- toYaml (uniq (concat (include "traefik.namespace" $ | list) $.Values.hub.namespaces)) | nindent 12 }}
{{- end }}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
name: admission
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
ports:
- name: https
port: 443
targetPort: admission
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
{{- end -}}
{{- end -}}
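Review bot: The webhook backend `Service` at the end of the hunk is named with the literal `admission`, while the two `MutatingWebhookConfiguration` objects above it are suffixed with `traefik.instance-name`; two releases of this chart in one namespace would therefore collide on the Service, so either derive the name from the release (and update both `clientConfig.service.name` fields) if the Hub agent allows it, or state the single-instance assumption in a comment. Neither webhook sets `failurePolicy` or `timeoutSeconds`, so the defaults (`Fail`, 10s) apply; because the rules cover CREATE/UPDATE/DELETE on the listed `hub.traefik.io` resources, an unreachable admission Service blocks those writes cluster-wide (or in `hub.namespaces` when set), which is the safer fail-closed behaviour but deserves a comment such as `# failurePolicy defaults to Fail: Hub resources cannot be changed while the admission service is down`. `caBundle` reuses `$cert.Cert`, i.e. the serving certificate itself; that is correct only while the certificate is self-signed, which holds for the generated branch but should be confirmed for `customWebhookCertificate`, since `traefik-hub.webhook_cert` is defined outside this hunk.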
@@ -0,0 +1,19 @@
{{- if .Values.hub.apimanagement.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: apiportal
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
ports:
- name: apiportal
port: 9903
protocol: TCP
targetPort: apiportal
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
{{- end -}}
@@ -0,0 +1,11 @@
{{- if ge (len .Values.hub.token) 65 }}
---
apiVersion: v1
kind: Secret
metadata:
name: traefik-hub-license
namespace: {{ template "traefik.namespace" . }}
type: Opaque
data:
token: {{ .Values.hub.token | b64enc }}
{{- end }}
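Review bot: `ge (len .Values.hub.token) 65` is the only thing deciding whether a license Secret is rendered, and nothing in the template says why 65 is the boundary, so a reader cannot tell whether a shorter value names a pre-existing Secret or is simply ignored. Add a comment above the `if`, e.g. `{{/* A value of 65+ characters is treated as a raw Hub token and stored in a Secret; shorter values are expected to reference an existing Secret */}}`, adjusting the wording to however the deployment template actually consumes `hub.token`, which is outside this hunk. Since the raw token lands base64-encoded in the rendered manifest, the values documentation should point users at an existing Secret rather than committing the token to a values file.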
@@ -0,0 +1,12 @@
{{- if .Values.ingressClass.enabled -}}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
annotations:
ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
name: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }}
spec:
controller: traefik.io/ingress-controller
{{- end -}}
@@ -0,0 +1,45 @@
{{ range $name, $config := .Values.ingressRoute }}
{{ if $config.enabled }}
{{ $ingressClassAnnotations := dict }}
{{- if and $.Values.ingressClass.enabled $.Values.providers.kubernetesCRD.enabled $.Values.providers.kubernetesCRD.ingressClass }}
{{ $ingressClassAnnotations = dict "kubernetes.io/ingress.class" $.Values.providers.kubernetesCRD.ingressClass }}
{{- end }}
{{ $annotations := merge $ingressClassAnnotations (default $config.annotations dict) }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ $.Release.Name }}-{{ $name }}
namespace: {{ template "traefik.namespace" $ }}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
{{- with $config.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
entryPoints:
{{- range $config.entryPoints }}
- {{ . }}
{{- end }}
routes:
- match: {{ $config.matchRule }}
kind: Rule
{{- with $config.services }}
services:
{{- toYaml . | nindent 6 }}
{{- end -}}
{{- with $config.middlewares }}
middlewares:
{{- toYaml . | nindent 6 }}
{{- end -}}
{{- with $config.tls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{ end }}
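Review bot: `match: {{ $config.matchRule }}` and the `- {{ . }}` entries under `entryPoints` emit user-supplied values as plain scalars, so a rule that happens to contain `: ` or ` #` is parsed as a mapping or a comment instead of a string; the Gateway template in this commit already guards the same case with `hostname: {{ . | toYaml }}`. Change to `match: {{ $config.matchRule | toYaml }}` and `- {{ . | toYaml }}`. The `{{- end -}}` closing the `services` and `middlewares` blocks right-trims into the following `{{- with`, which works only because those tags left-trim as well; `{{- end }}` as used for `tls` keeps the rendering independent of the neighbouring tag.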
@@ -0,0 +1,21 @@
{{- if .Values.experimental.localPlugins }}
{{- range $localPluginName, $localPlugin := .Values.experimental.localPlugins }}
{{- $pluginType := include "traefik.getLocalPluginType" (dict "plugin" $localPlugin "pluginName" $localPluginName) }}
{{- if eq $pluginType "inlinePlugin" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "traefik.localPluginCmName" (dict "context" $ "pluginName" $localPluginName) }}
namespace: {{ template "traefik.namespace" $ }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
data:
{{- $inlineFiles := include "traefik.getLocalPluginInlineFiles" (dict "plugin" $localPlugin "pluginName" $localPluginName) | fromYaml }}
{{- range $fileName, $fileContent := $inlineFiles }}
{{ $fileName }}: |
{{- $fileContent | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
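Review bot: `{{ $fileName }}: |` uses the plugin file name as a bare mapping key, so a name starting with a YAML indicator or containing `: ` would break the ConfigMap; `{{ $fileName | quote }}: |` keeps every name a string, matching the `| quote` style used elsewhere in this commit. The `|` block scalar also appends a trailing newline to each file, which is presumably fine for plugin sources and manifests but deserves a comment if byte-exact content matters. `traefik.getLocalPluginInlineFiles` is defined outside this hunk, so the shape of `$inlineFiles` (file name → content string) is inferred from its use here.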
@@ -0,0 +1,23 @@
{{- if .Values.podDisruptionBudget.enabled -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "traefik.labelselector" . | nindent 6 }}
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end -}}
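Review bot: `{{- if .Values.podDisruptionBudget.minAvailable }}` treats `0` as unset, and the same applies to `maxUnavailable`, so a user who sets `minAvailable: 0` to deliberately allow full disruption gets a PDB with neither field, a different constraint from the one requested. Use the nil test this commit already uses in the PVC template: `{{- if ne .Values.podDisruptionBudget.minAvailable nil }}` and `{{- if ne .Values.podDisruptionBudget.maxUnavailable nil }}`. A `fail` when both values are set (Kubernetes accepts only one) would turn a late API error into a clear render-time message.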
@@ -0,0 +1,28 @@
{{- if .Values.metrics.prometheus }}
{{- if (.Values.metrics.prometheus.prometheusRule).enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: {{ .Values.metrics.prometheus.prometheusRule.apiVersion | default "monitoring.coreos.com/v1" }}
kind: PrometheusRule
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.prometheus.prometheusRule.rules }}
groups:
- name: {{ template "traefik.name" $ }}
rules:
{{- with .Values.metrics.prometheus.prometheusRule.rules }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
@@ -0,0 +1,12 @@
{{- if .Values.providers.file.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "traefik.fullname" . }}-file-provider
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
data:
config.yml:
{{ toYaml .Values.providers.file.content | nindent 4 }}
{{- end -}}
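Review bot: `config.yml:` is followed by `{{ toYaml .Values.providers.file.content | nindent 4 }}` with no block-scalar indicator, so the rendered value is a string only when `content` is itself a string (toYaml then emits a quoted or `|-` scalar); if a user supplies a mapping, the output is a nested YAML object under `config.yml`, and since ConfigMap `data` values must be strings the apply fails with an unmarshal error instead of a render-time message. Guard it with `{{- if not (kindIs "string" .Values.providers.file.content) }}{{- fail "ERROR: providers.file.content must be a string" }}{{- end }}`, or add a mapping branch that renders `config.yml: |` with the `toYaml` output nested below it if mappings are meant to be supported. A comment above `data:` stating the expected type would also help, as the values file is not part of this hunk.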
@@ -0,0 +1,26 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
annotations:
{{- with .Values.persistence.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
helm.sh/resource-policy: keep
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if ne .Values.persistence.storageClass nil }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}
{{- if .Values.persistence.volumeName }}
volumeName: {{ .Values.persistence.volumeName | quote }}
{{- end }}
{{- end -}}
@@ -0,0 +1,326 @@
{{- $version := include "traefik.proxyVersion" $ }}
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.clusterRoleName" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- range .Values.rbac.aggregateTo }}
rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
{{- end }}
rules:
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- list
- watch
{{- if $.Values.hub.token }}
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
{{- end }}
{{- else }}
- apiGroups:
- ""
resources:
{{- if and .Values.providers.kubernetesCRD.enabled (semverCompare ">=v3.4.0-0" $version) }}
- configmaps
{{- end }}
- nodes
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
{{- if (semverCompare ">=v3.5.0-0" $version) }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
{{- end }}
- apiGroups:
- ""
resources:
- secrets
{{- with .Values.rbac.secretResourceNames }}
resourceNames: {{ toYaml . | nindent 6 }}
{{- end }}
verbs:
- get
- list
- watch
{{- if and .Values.hub.token }}
- update
- create
- delete
- deletecollection
{{- end }}
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups:
- policy
resourceNames:
- {{ template "traefik.fullname" . }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end -}}
{{- if or .Values.providers.kubernetesIngress.enabled .Values.providers.kubernetesIngressNginx.enabled }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingressclasses
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
{{- end -}}
{{- if .Values.providers.kubernetesCRD.enabled }}
{{- if not .Values.providers.kubernetesIngress.enabled }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
{{- end }}
- apiGroups:
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- serverstransports
- serverstransporttcps
- tlsoptions
- tlsstores
- traefikservices
verbs:
- get
- list
- watch
{{- end -}}
{{- if (.Values.providers.kubernetesGateway).enabled }}
- apiGroups:
- ""
resources:
- namespaces
{{- if (semverCompare "<v3.1.0-0" $version) }}
- endpoints
{{- end }}
- secrets
{{- if semverCompare ">=v3.2.0-0" $version }}
- configmaps
{{- end }}
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
{{- if semverCompare ">=v3.2.0-0" $version }}
- backendtlspolicies
{{- end }}
- gatewayclasses
- gateways
{{- if semverCompare ">=v3.2.0-0" $version }}
- grpcroutes
{{- end }}
- httproutes
- referencegrants
- tcproutes
- tlsroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
{{- if semverCompare ">=v3.2.0-0" $version }}
- backendtlspolicies/status
{{- end }}
- gatewayclasses/status
- gateways/status
{{- if semverCompare ">=v3.2.0-0" $version }}
- grpcroutes/status
{{- end }}
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
{{- end }}
{{- if (.Values.providers.knative).enabled }}
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses/status
verbs:
- update
{{- end }}
{{- if .Values.hub.token }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- hub.traefik.io
resources:
- aiservices
verbs:
- list
- watch
- get
{{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
- namespaces
{{- if .Values.hub.apimanagement.enabled }}
- pods
{{- end }}
verbs:
- get
- list
{{- if .Values.hub.apimanagement.enabled }}
- watch
{{- end }}
{{- if .Values.hub.apimanagement.enabled }}
- apiGroups:
- hub.traefik.io
resources:
- accesscontrolpolicies
- apiauths
- apiportals
- apiportalauths
- apiratelimits
- apis
- apiversions
- apibundles
- apiplans
- apicatalogitems
- managedsubscriptions
- managedapplications
verbs:
- get
- list
- watch
{{- if not .Values.hub.offline }}
- create
- update
- patch
- delete
{{- end }}
- apiGroups:
- hub.traefik.io
resources:
- apiauths/status
- apiportals/status
- apiportalauths/status
- apis/status
- apiversions/status
- apibundles/status
- apiplans/status
- apicatalogitems/status
- managedsubscriptions/status
- managedapplications/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
{{- end -}}
{{- end -}}
{{- end }}
{{- end }}
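Review bot: The secrets rule that carries `resourceNames` from `rbac.secretResourceNames` also grants `list` and `watch`; Kubernetes honours `resourceNames` on list/watch only when the request carries a `metadata.name` field selector, so an informer-style full list is denied rather than narrowed, and the namespaced Role in this commit works around exactly that with a separate unrestricted `list` rule (see its `Required while …issues/7097` comment). Either mirror that rule here or document that `secretResourceNames` is only expected to work with the namespaced variant. `{{- if and .Values.hub.token }}` on the secrets verbs is a single-argument `and`, which is just `{{- if .Values.hub.token }}` as written earlier in the same hunk. When a Hub token is set this ClusterRole grants cluster-wide `create`/`update`/`delete`/`deletecollection` on secrets plus a broad set of `hub.traefik.io` writes; a short comment naming what the Hub agent needs each for would let reviewers of a rendered manifest judge the blast radius.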
@@ -0,0 +1,17 @@
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.clusterRoleName" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "traefik.clusterRoleName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "traefik.serviceAccountName" . }}
namespace: {{ template "traefik.namespace" . }}
{{- end -}}
@@ -0,0 +1,68 @@
{{- if .Values.podSecurityPolicy.enabled }}
{{- if semverCompare ">=v1.25.0-0" .Capabilities.KubeVersion.Version }}
{{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }}
{{- end }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
name: {{ template "traefik.fullname" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
{{- if not .Values.securityContext.runAsNonRoot }}
allowedCapabilities:
- NET_BIND_SERVICE
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
hostIPC: false
hostPID: false
fsGroup:
{{- if .Values.securityContext.runAsNonRoot }}
ranges:
- max: 65535
min: 1
rule: MustRunAs
{{- else }}
rule: RunAsAny
{{- end }}
{{- if .Values.hostNetwork }}
hostPorts:
- max: 65535
min: 1
{{- end }}
readOnlyRootFilesystem: true
runAsUser:
{{- if .Values.securityContext.runAsNonRoot }}
rule: MustRunAsNonRoot
{{- else }}
rule: RunAsAny
{{- end }}
seLinux:
rule: RunAsAny
supplementalGroups:
{{- if .Values.securityContext.runAsNonRoot }}
ranges:
- max: 65535
min: 1
rule: MustRunAs
{{- else }}
rule: RunAsAny
{{- end }}
volumes:
- configMap
- downwardAPI
- secret
- emptyDir
- projected
{{- if .Values.persistence.enabled }}
- persistentVolumeClaim
{{- end -}}
{{- end -}}
@@ -0,0 +1,257 @@
{{- $version := include "traefik.proxyVersion" $ }}
{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $knativeNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.knative.namespaces -}}
{{- $hubNamespaces := concat (include "traefik.namespace" . | list) .Values.hub.namespaces -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $hubNamespaces $knativeNamespaces)) -}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
{{- range $allNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
rules:
{{- if (semverCompare "<v3.1.0-0" $version) }}
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- list
- watch
{{- else }}
- apiGroups:
- ""
resources:
{{- if and $.Values.providers.kubernetesCRD.enabled (semverCompare ">=v3.4.0-0" $version) }}
- configmaps
{{- end }}
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
{{- if (semverCompare ">=v3.5.0-0" $version) }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
{{- end }}
# Required while https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
{{- if gt (len $.Values.rbac.secretResourceNames) 0 }}
resourceNames: {{ $.Values.rbac.secretResourceNames }}
{{- end }}
verbs:
- get
- list
- watch
{{- if or (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) ($.Values.providers.kubernetesIngressNginx.enabled) }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
{{- end -}}
{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
- apiGroups:
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
{{- end -}}
{{- if (and (has . $knativeNamespaces) $.Values.providers.knative.enabled) }}
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses/status
verbs:
- update
{{- end }}
{{- if $.Values.podSecurityPolicy.enabled }}
- apiGroups:
- extensions
resourceNames:
- {{ template "traefik.fullname" $ }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end -}}
{{- if (and (has . $hubNamespaces) $.Values.hub.token) }}
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- update
- create
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- hub.traefik.io
resources:
- aiservices
verbs:
- get
- list
- watch
{{- if $.Values.hub.apimanagement.enabled }}
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- traefik.io
resources:
- ingressroutes
- traefikservices
verbs:
- get
- list
- watch
- apiGroups:
- hub.traefik.io
resources:
- apiauths
- apiportals
- apiportalauths
- apis
- apiversions
- apibundles
- apiplans
- apicatalogitems
- apiaccesses
- managedsubscriptions
- managedapplications
verbs:
- get
- list
- watch
{{- if not $.Values.hub.offline }}
- create
- update
- patch
- delete
{{- end }}
- apiGroups:
- hub.traefik.io
resources:
- apiauths/status
- apiportals/status
- apiportalauths/status
- apis/status
- apiversions/status
- apibundles/status
- apiplans/status
- apicatalogitems/status
- managedsubscriptions/status
- managedapplications/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
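Review bot: `resourceNames: {{ $.Values.rbac.secretResourceNames }}` renders the Go slice with its default formatting (`[a b]`), which YAML reads as a one-element flow sequence containing `a b`, not two names; the ClusterRole hunk does this correctly with `resourceNames: {{ toYaml . | nindent 6 }}` inside a `with`. Change to `{{- with $.Values.rbac.secretResourceNames }}` / `resourceNames: {{ toYaml . | nindent 6 }}` / `{{- end }}`. The PodSecurityPolicy `use` rule here names the `extensions` API group while the ClusterRole uses `policy`; `policy` is the group that served PSP up to its removal in v1.25, so the two should agree. The namespace list driving the `range` omits the Gateway provider namespaces that the RoleBinding template in the next hunk includes; validation rejects namespaced RBAC with the Gateway provider, so it is unreachable today, but the two lists should stay identical to avoid a Role without a binding or vice versa.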
@@ -0,0 +1,27 @@
{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}}
{{- $knativeNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.knative).namespaces) -}}
{{- $hubNamespaces := concat (include "traefik.namespace" . | list) .Values.hub.namespaces -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces $knativeNamespaces $hubNamespaces)) -}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
{{- range $allNamespaces }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "traefik.fullname" $ }}
subjects:
- kind: ServiceAccount
name: {{ include "traefik.serviceAccountName" $ }}
namespace: {{ template "traefik.namespace" $ }}
{{- end -}}
{{- end -}}
@@ -0,0 +1,14 @@
{{- if not .Values.serviceAccount.name -}}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ include "traefik.serviceAccountName" . }}
namespace: {{ template "traefik.namespace" . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
annotations:
{{- with .Values.serviceAccountAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}
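Review bot: `annotations:` is emitted even when `serviceAccountAnnotations` is empty, producing `annotations: null` in the rendered manifest; wrap the key in `{{- with .Values.serviceAccountAnnotations }} … {{- end }}` the way the Gateway template in this commit does for `gateway.annotations`. `automountServiceAccountToken: false` on the account is the right least-privilege default, but it only works if the pod template mounts a token explicitly where one is needed; a one-line comment here pointing at that, e.g. `# token is not auto-mounted; the workload template mounts it explicitly when required`, would help, since the Deployment/DaemonSet is outside this hunk and the dependency is inferred.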
@@ -0,0 +1,135 @@
{{- $version := include "traefik.proxyVersion" $ }}
{{- if (ne $version "experimental-v3.0") }}
{{- if (semverCompare "<v3.0.0-0" $version) }}
{{- fail "ERROR: This version of the Chart only supports Traefik Proxy v3" -}}
{{- end }}
{{- end }}
{{- if and .Values.hub.enabled (not (contains "traefik-hub" .Values.image.repository)) }}
{{- fail "ERROR: traefik-hub image is required when enabling Traefik Hub" -}}
{{- end }}
{{- if and (.Values.providers.kubernetesGateway).enabled (and (semverCompare "<v3.1.0-rc3" $version) (not .Values.experimental.kubernetesGateway.enabled)) }}
{{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
{{- end }}
{{- if and (.Values.providers.knative).enabled (not .Values.experimental.knative) }}
{{- fail "ERROR: Knative is experimental. Enable it by setting experimental.knative to true" -}}
{{- end }}
{{- if and (.Values.providers.kubernetesGateway.enabled) (.Values.gateway.defaultScope) (not .Values.providers.kubernetesGateway.experimentalChannel) }}
{{- fail "ERROR: The Gateway 'defaultScope' field is experimental. Enable it by setting providers.kubernetesGateway.experimentalChannel=true" }}
{{- end }}
{{- if .Values.rbac.namespaced }}
{{- if .Values.providers.kubernetesGateway.enabled }}
{{- fail "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." }}
{{- end }}
{{- if and (not .Values.providers.kubernetesIngress.enabled) (not .Values.providers.kubernetesCRD.enabled) }}
{{- fail "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider." }}
{{- end }}
{{- end }}
{{- if and (semverCompare "<v3.2.0-0" $version) (.Values.experimental.fastProxy.enabled)}}
{{- fail "ERROR: fastProxy is an experimental feature only available for traefik >= v3.2.0." }}
{{- end }}
{{- if and (semverCompare "<v3.3.0-0" $version) (.Values.experimental.abortOnPluginFailure)}}
{{- fail "ERROR: abortOnPluginFailure is an experimental feature only available for traefik >= v3.3.0." }}
{{- end }}
{{- if and (semverCompare "<v3.6.0-0" $version) (.Values.experimental.knative)}}
{{- fail "ERROR: Knative provider is an experimental feature only available for traefik >= v3.6.0." }}
{{- end }}
{{- if and (semverCompare "<v3.6.2-0" $version) (.Values.providers.kubernetesIngressNginx).enabled}}
{{- fail "ERROR: Kubernetes Ingress NGINX provider is only available for traefik >= v3.6.2." }}
{{- end }}
{{- if and (semverCompare "<3.2.0-0" $version) (.Values.providers.kubernetesGateway.nativeLBByDefault)}}
{{- fail "ERROR: nativeLBByDefault has been introduced in Kubernetes Gateway provider in v3.2.0" }}
{{- end }}
{{- if and (semverCompare "<3.5.0-0" $version) (.Values.providers.kubernetesIngress.strictPrefixMatching)}}
{{- fail "ERROR: strictPrefixMatching is a feature only available for traefik >= v3.5.0." }}
{{- end }}
{{- if and (semverCompare "<3.5.2-0" $version) (eq .Values.logs.access.format "genericCLF")}}
{{- fail "ERROR: genericCLF is an accesslog format option only available for traefik >= v3.5.2." }}
{{- end }}
{{- if and (semverCompare "<v3.2.0-0" $version) (.Values.metrics.otlp.serviceName)}}
{{- fail "ERROR: serviceName is a feature only available for traefik >= v3.2.0." }}
{{- end }}
{{- if and (semverCompare "<v3.5.3-0" $version) (.Values.metrics.otlp.resourceAttributes)}}
{{- fail "ERROR: resourceAttributes with otlp on metrics is a feature only available for traefik >= v3.5.3." }}
{{- end }}
{{- if and (not .Values.experimental.otlpLogs) (or (.Values.logs.general.otlp.enabled) (.Values.logs.access.otlp.enabled))}}
{{- fail "ERROR: otlp on logs or access logs is an experimental feature and needs experimental.otlpLogs=true." }}
{{- end }}
{{- if and (semverCompare "<v3.3.0-0" $version) (.Values.logs.general.otlp.enabled)}}
{{- fail "ERROR: otlp on logs is a feature only available for traefik >= v3.3.0." }}
{{- end }}
{{- if and (semverCompare "<v3.3.0-0" $version) (.Values.logs.access.otlp.enabled)}}
{{- fail "ERROR: otlp on access logs is a feature only available for traefik >= v3.3.0." }}
{{- end }}
{{- if and (semverCompare "<v3.1.0-0" $version) .Values.tracing.safeQueryParams }}
{{ fail "ERROR: safeQueryParams is a feature only available for traefik >= v3.1.0."}}
{{- end }}
{{- range $portName, $config := .Values.ports }}
{{- if and (semverCompare "<v3.3.0-0" $version) (or (ne $config.observability.accessLogs nil) (ne $config.observability.metrics nil) (ne $config.observability.tracing nil) (ne $config.observability.tracingVerbosity nil)) }}
{{ fail "ERROR: per entrypoint observability is a feature only available for traefik >= v3.3.0."}}
{{- end }}
{{- if and (semverCompare "<v3.5.0-0" $version) (ne $config.observability.traceVerbosity nil) }}
{{ fail "ERROR: traceVerbosity is a feature only available for traefik >= v3.5.0."}}
{{- end }}
{{- end }}
{{- if and (semverCompare "<v3.6.4-0" $version) (or
(eq .Values.ports.websecure.http.sanitizePath false)
.Values.ports.websecure.http.encodedCharacters.allowEncodedSlash
.Values.ports.websecure.http.encodedCharacters.allowEncodedBackSlash
.Values.ports.websecure.http.encodedCharacters.allowEncodedNullCharacter
.Values.ports.websecure.http.encodedCharacters.allowEncodedSemicolon
.Values.ports.websecure.http.encodedCharacters.allowEncodedPercent
.Values.ports.websecure.http.encodedCharacters.allowEncodedQuestionMark
.Values.ports.websecure.http.encodedCharacters.allowEncodedHash )}}
{{- fail "ERROR: request path security options are only available for traefik >= v3.6.4." }}
{{- end }}
{{- if $.Values.hub.token -}}
{{ $hubVersion := $.Values.oci_meta.enabled | ternary $.Values.oci_meta.images.hub.tag $.Values.image.tag }}
{{ $hubVersion = ($.Values.global.azure.enabled | ternary $.Values.global.azure.images.hub.tag $hubVersion) }}
{{ if not $hubVersion }}
{{ fail "When using Traefik Hub image tag needs to be specified!" }}
{{- end -}}
{{ $hubVersion = (split "@" (default "v3" $hubVersion))._0 }}
{{/* Consider non semver versions as latest one */}}
{{- if not (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $hubVersion)) -}}
{{ $hubVersion = "v3.99" }}
{{- end }}
{{- if semverCompare "<v3.19.0-0" $hubVersion }}
{{ fail "ERROR: this Chart supports *only* Traefik Hub >= v3.19.0."}}
{{- end }}
{{- if and (not $.Values.tracing.otlp.enabled) .Values.hub.tracing.additionalTraceHeaders.enabled }}
{{ fail "ERROR: additionalTraceHeaders needs tracing.otlp to be enabled."}}
{{- end }}
{{- with .Values.hub.pluginRegistry.sources }}
{{- range $pluginName, $pluginConf := . }}
{{- if not (hasKey $.Values.experimental.plugins $pluginName) }}
{{ fail (printf "ERROR: pluginRegistry source %s is not used in exprimental.plugins." $pluginName) }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
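Review bot: The Hub version check uses `regexMatch "v[0-9]+.[0-9]+.[0-9]+"` with unescaped dots and no anchor, so a tag such as `v3x19y0` passes the "is semver" test and reaches `semverCompare`, which errors on it; use `regexMatch "^v[0-9]+\\.[0-9]+\\.[0-9]+"` so only real releases are compared and everything else falls to the `v3.99` default as intended. The request-path check only inspects `ports.websecure.http`, whereas the `range` over `.Values.ports` just above it handles per-port observability; if other entrypoints may carry `http.sanitizePath`/`encodedCharacters`, the check should move inside that loop. Minor: `semverCompare "<3.2.0-0"` and `"<3.5.0-0"` drop the `v` prefix the other comparisons use, the Hub tag `fail` message lacks the `ERROR:` prefix the rest carry, and `exprimental` in the pluginRegistry message is a typo in a user-facing string.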
@@ -0,0 +1,33 @@
{{- if .Values.metrics.prometheus }}
{{- if .Values.metrics.prometheus.service }}
{{- if (.Values.metrics.prometheus.service).enabled -}}
{{- $fullname := include "traefik.fullname" . }}
{{- if ge (len $fullname) 50 }}
{{- fail "ERROR: Cannot create a metrics service when name contains more than 50 characters" }}
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "traefik.service-name" (dict "root" . "name" "metrics") }}
namespace: {{ template "traefik.namespace" . }}
{{- template "traefik.metrics-service-metadata" . }}
annotations:
{{- with .Values.metrics.prometheus.service.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
selector:
{{- include "traefik.labelselector" . | nindent 4 }}
ports:
- port: {{ .Values.ports.metrics.port }}
name: metrics
targetPort: metrics
protocol: TCP
{{- if .Values.ports.metrics.nodePort }}
nodePort: {{ .Values.ports.metrics.nodePort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
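Review bot: `type: ClusterIP` is hard-coded, yet `nodePort: {{ .Values.ports.metrics.nodePort }}` is emitted when `ports.metrics.nodePort` is set; the API server rejects `nodePort` on a ClusterIP Service (`may not be used when type is 'ClusterIP'`), so that branch can only fail at apply time. Either derive `type` from the metrics service values or drop the two `nodePort` lines and state in a comment that the metrics Service is intentionally cluster-internal. The `ge (len $fullname) 50` guard is presumably there so the `-metrics` suffix fits the 63-character name limit; a comment saying so would spare the next reader the arithmetic, as `traefik.service-name` is defined outside this hunk.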
@@ -0,0 +1,86 @@
{{- $services := .Values.service.additionalServices -}}
{{- $services = set $services "default" (omit .Values.service "additionalServices") }}
{{- range $name, $service := $services -}}
{{- if ne $service.enabled false -}}
{{- $fullname := include "traefik.service-name" (dict "root" $ "name" $name) }}
{{- $tcpPorts := dict -}}
{{- $udpPorts := dict -}}
{{- $exposedPorts := false -}}
{{- range $portName, $config := $.Values.ports -}}
{{- if $config -}}
{{- if ($config.http3).enabled -}}
{{- if (not ($config.http).tls.enabled) -}}
{{- fail "ERROR: You cannot enable http3 without enabling tls" -}}
{{- end -}}
{{ $udpConfig := deepCopy $config -}}
{{ $_ := set $udpConfig "protocol" "UDP" -}}
{{ $_ := set $udpConfig "exposedPort" (default $config.exposedPort $config.http3.advertisedPort) -}}
{{- if (not $service.single) }}
{{ $_ := set $udpPorts (printf "%s-http3" $portName) $udpConfig -}}
{{- else }}
{{ $_ := set $tcpPorts (printf "%s-http3" $portName) $udpConfig -}}
{{- end }}
{{- end -}}
{{- if eq (toString $config.protocol) "UDP" -}}
{{ $_ := set $udpPorts $portName $config -}}
{{- end -}}
{{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}}
{{ $_ := set $tcpPorts $portName $config -}}
{{- end -}}
{{- if (index (default dict $config.expose) $name) -}}
{{- $exposedPorts = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (eq $exposedPorts false) -}}
{{- fail (printf "ERROR: Cannot create Service %s without ports" $fullname) -}}
{{- end -}}
{{- if and $exposedPorts (or $tcpPorts $service.single) }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $fullname }}
namespace: {{ template "traefik.namespace" $ }}
{{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
annotations:
{{- with (merge dict (default dict $service.annotationsTCP) (default dict $service.annotations)) }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
ports:
{{- template "traefik.service-ports" (dict "ports" $tcpPorts "serviceName" $name) }}
{{- if $service.single }}
{{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
{{- end }}
{{- end }}
{{- if and $exposedPorts (and $udpPorts (not $service.single)) }}
{{- $ports := include "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
{{- if not (empty $ports) }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $fullname }}-udp
namespace: {{ template "traefik.namespace" $ }}
{{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
annotations:
{{- with (merge dict (default dict $service.annotationsUDP) (default dict $service.annotations)) }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
ports:
{{- $ports }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
@@ -0,0 +1,69 @@
{{- if .Values.metrics.prometheus }}
{{- if (.Values.metrics.prometheus.serviceMonitor).enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: {{ .Values.metrics.prometheus.serviceMonitor.apiVersion | default "monitoring.coreos.com/v1" }}
kind: ServiceMonitor
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ .Values.metrics.prometheus.serviceMonitor.namespace | default (include "traefik.namespace" .) }}
labels:
{{- if (.Values.metrics.prometheus.service).enabled }}
{{- include "traefik.metricsservicelabels" . | nindent 4 }}
{{- else }}
{{- include "traefik.labels" . | nindent 4 }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.prometheus.serviceMonitor.jobLabel | default .Release.Name }}
endpoints:
- targetPort: metrics
path: /{{ .Values.metrics.prometheus.entryPoint }}
{{- with .Values.metrics.prometheus.serviceMonitor.honorLabels }}
honorLabels: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.honorTimestamps }}
honorTimestamps: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.enableHttp2 }}
enableHttp2: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.followRedirects }}
followRedirects: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.prometheus.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{ tpl (toYaml .Values.metrics.prometheus.serviceMonitor.metricRelabelings | indent 6) . }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.relabelings }}
relabelings:
{{ toYaml .Values.metrics.prometheus.serviceMonitor.relabelings | indent 6 }}
{{- end }}
{{- if .Values.metrics.prometheus.serviceMonitor.namespaceSelector }}
namespaceSelector:
{{ toYaml .Values.metrics.prometheus.serviceMonitor.namespaceSelector | indent 4 -}}
{{ else }}
namespaceSelector:
matchNames:
- {{ template "traefik.namespace" . }}
{{- end }}
selector:
matchLabels:
{{- if (.Values.metrics.prometheus.service).enabled }}
{{- include "traefik.metricslabelselector" . | nindent 6 }}
{{- else }}
{{- include "traefik.labelselector" . | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}
@@ -0,0 +1,46 @@
{{- range $name, $config := .Values.tlsOptions }}
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: {{ $name }}
namespace: {{ template "traefik.namespace" $ }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
{{- with $config.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with $config.alpnProtocols }}
alpnProtocols:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.cipherSuites }}
cipherSuites:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.clientAuth }}
clientAuth:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.curvePreferences }}
curvePreferences:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $config.disableSessionTickets }}
{{- $version := include "traefik.proxyVersion" $ }}
{{- if semverCompare "<v3.4.0-0" $version }}
{{- fail "ERROR: disableSessionTickets is a feature only available for traefik >= v3.4.0." }}
{{- end }}
disableSessionTickets: {{ . }}
{{- end }}
{{- with $config.maxVersion }}
maxVersion: {{ . }}
{{- end }}
{{- with $config.minVersion }}
minVersion: {{ . }}
{{- end }}
{{- with $config.sniStrict }}
sniStrict: {{ . }}
{{- end }}
---
{{- end -}}
@@ -0,0 +1,12 @@
{{- range $name, $config := .Values.tlsStore }}
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: {{ $name }}
namespace: {{ template "traefik.namespace" $ }}
labels:
{{- include "traefik.labels" $ | nindent 4 }}
spec:
{{- toYaml $config | nindent 2 }}
---
{{- end -}}