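# Default values for Traefik
# This is a YAML-formatted file.
# Declare variables to be passed into templates

image:  # @schema additionalProperties: false
  # -- Traefik image host registry. Defaults to `docker.io` for Traefik Proxy and `ghcr.io` for Traefik Hub (when `hub.token` is set).
  registry: cgr.dev  # @schema type:[string, null]
  # -- Traefik image repository. Defaults to `traefik` for Traefik Proxy and `traefik/traefik-hub` for Traefik Hub (when `hub.token` is set).
  # NOTE(review): the repository path suggests a private registry namespace; pull credentials
  # would then be supplied through `deployment.imagePullSecrets` - confirm for your environment.
  repository: chainguard-private/traefik  # @schema type:[string, null]
  # -- defaults to appVersion. It's used for version checking, even prefixed with experimental- or latest-.
  # To pin by digest, prefer `image.digest`. A `<version>@<digest>` combo is also accepted here; in that case the digest is what Kubernetes verifies and the version is informational (and can drift from the underlying image).
  # The default below uses that combo: the `sha256` digest selects the image content and
  # `latest` is only a label. Upgrading the image therefore means changing the digest,
  # and the digest should be recorded in change control rather than the `latest` label.
  tag: latest@sha256:04967295ecef8cee1269d17455b459cd3e4c999d8d62f3aa09f536c2b1cdf7bd  # @schema type:[string, null]
  # -- Traefik image digest (e.g. `sha256:abc...`). When set, takes precedence over `tag`. Set `versionOverride` alongside it so the chart's version-checking logic knows the version (it cannot be derived from the digest).
  digest:  # @schema type:[string, null]; pattern:^sha256:[a-f0-9]{64}$
  # -- Traefik image pull policy
  # `IfNotPresent` reuses a cached image; with a digest-pinned reference the cached
  # content is the same content a fresh pull would return.
  pullPolicy: IfNotPresent

# -- Add additional label to all resources
commonLabels: {}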
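deployment:
  # -- Enable deployment
  enabled: true
  # -- Deployment or DaemonSet
  kind: Deployment
  # -- Number of pods of the deployment (only applies when kind == Deployment).
  # Set to null to omit spec.replicas, e.g. when an external controller (HPA/KEDA) owns scaling.
  replicas: 1  # @schema type:[integer, null];minimum:0
  # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
  revisionHistoryLimit:  # @schema type:[integer, null];minimum:0
  # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
  terminationGracePeriodSeconds: 60
  # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
  minReadySeconds: 0
  ## -- Override the liveness/readiness port. This is useful to integrate traefik
  ## with an external Load Balancer that performs healthchecks.
  ## Default: ports.traefik.port
  healthchecksPort:  # @schema type:[integer, null];minimum:0
  ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
  ## Default: ports.traefik.hostIP if set, otherwise Pod IP
  healthchecksHost: ""
  ## -- Override the liveness/readiness scheme. Useful for getting ping to
  ## respond on websecure entryPoint.
  healthchecksScheme:  # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
  ## -- Override the readiness path.
  ## Default: /ping
  readinessPath: ""
  # -- Override the liveness path.
  # Default: /ping
  livenessPath: ""
  # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # -- Additional deployment labels (e.g. for filtering deployment by custom labels)
  labels: {}
  # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
  podAnnotations: {}
  # -- Additional Pod labels (e.g. for filtering Pod by custom labels)
  # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
  podLabels: {}
  # -- Additional containers (e.g. for metric offloading sidecars)
  # Sidecars share the pod's network namespace and any volumes mounted into them,
  # so they belong to the same trust boundary as Traefik itself.
  additionalContainers: []
  # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
  # - name: socat-proxy
  #   image: alpine/socat:1.0.5
  #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
  #   volumeMounts:
  #     - name: dsdsocket
  #       mountPath: /socket
  # -- Additional volumes available for use with initContainers and additionalContainers
  # The example below uses a `hostPath` volume, which exposes a node directory to the pod;
  # clusters that enforce restricted pod security policies typically reject it.
  additionalVolumes: []
  # - name: dsdsocket
  #   hostPath:
  #     path: /var/run/statsd-exporter
  # -- Additional initContainers (e.g. for setting file permission as shown below)
  initContainers: []
  # The "volume-permissions" init container is required if you run into permission issues.
  # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
  # The example references `busybox:latest`, a floating tag; pin a version or digest
  # if you copy it so the init container's content cannot change between pulls.
  # - name: volume-permissions
  #   image: busybox:latest
  #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
  #   volumeMounts:
  #     - name: data
  #       mountPath: /data
  # -- Use process namespace sharing
  # When true, every container in the pod can see the other containers' processes.
  shareProcessNamespace: false
  # @schema type: [boolean, null]
  # -- Whether to use the host user namespace. Setting this to false enables user namespaces,
  # which can improve security by isolating the pod's users from the host.
  # See https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
  # @default -- unset (inherits cluster default)
  hostUsers:
  # -- Custom pod DNS policy. Apply if `hostNetwork: true`
  dnsPolicy: ""
  # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
  dnsConfig: {}
  # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
  hostAliases: []
  # -- Pull secret for fetching traefik container image
  imagePullSecrets: []
  # -- Pod lifecycle actions
  lifecycle: {}
  # preStop:
  #   sleep:
  #     seconds: 20
  # postStart:
  #   httpGet:
  #     path: /ping
  #     port: 8080
  #     host: localhost
  #     scheme: HTTP
  # -- Set a runtimeClassName on pod
  runtimeClassName: ""
  # NOTE(review): indentation was lost on the page this listing came from; this key is shown
  # under `deployment` because it follows `runtimeClassName` - confirm against the chart.
  # -- Percentage of memory limit to set for GOMEMLIMIT, set as decimal (0.9 = 90%, 0.95 = 95% etc). Only takes effect when resources.limits.memory is set. Set to 0 to disable (e.g. when using VPA or setting it via env)
  goMemLimitPercentage: 0.9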
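# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
# @default -- See _values.yaml_
podDisruptionBudget:  # @schema additionalProperties: false
  enabled: false
  maxUnavailable:  # @schema type:[string, integer, null];minimum:0
  minAvailable:  # @schema type:[string, integer, null];minimum:0

ingressClass:  # @schema additionalProperties: false
  # -- Create a default IngressClass for Traefik
  # With `isDefaultClass: true`, Ingress objects that name no class are handled by this
  # controller, so anyone allowed to create an Ingress can publish a route through it.
  enabled: true
  isDefaultClass: true
  name: ""

core:  # @schema additionalProperties: false
  # -- Can be used to use globally v2 router syntax. Deprecated since v3.4 /!\.
  # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
  defaultRuleSyntax: ""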
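# Traefik experimental features
experimental:
  # -- Defines whether all plugins must be loaded successfully for Traefik to start
  # Leaving this false lets Traefik start without a plugin that failed to load; if a plugin
  # enforces a security control (e.g. authentication), consider setting it to true.
  abortOnPluginFailure: false
  fastProxy:
    # -- Enables the FastProxy implementation.
    enabled: false
    # -- Enable debug mode for the FastProxy implementation.
    debug: false
  kubernetesGateway:
    # -- Enable traefik experimental GatewayClass CRD
    enabled: false
  # -- Enable experimental plugins
  # Plugins run inside the Traefik process; review their source and pin exact versions.
  plugins: {}
  # -- Enable experimental local plugins
  localPlugins: {}
  # -- Enable OTLP logging experimental feature.
  otlpLogs: false
  # -- Enable Knative provider experimental feature.
  knative: false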
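gateway:
  # -- When providers.kubernetesGateway.enabled, deploy a default gateway
  enabled: true
  # -- Set a custom name to gateway
  name: ""
  # -- By default, Gateway is created in the same `Namespace` as Traefik.
  namespace: ""
  # -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
  annotations: {}
  # -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
  infrastructure: {}
  # -- Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways)
  # by setting the `defaultScope` field (e.g. `All` or `Namespace`).
  # NOTE(review): the comment mentions `Namespace`, but the schema annotation on the next
  # line lists only `All`, `None` and null - confirm which values the chart accepts.
  defaultScope: null  # @schema enum:["All", "None", null]; type:[string, null]; default: null
  listeners:
    web:
      # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
      # The port must match a port declared in ports section.
      port: 8000
      # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
      hostname: ""
      # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
      protocol: HTTP
      # -- (object) Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
      # Widening this policy lets routes from other namespaces attach to the listener;
      # in a multi-tenant cluster, prefer a selector over allowing all namespaces.
      namespacePolicy:  # @schema type:[object, null]
    # websecure listener is disabled by default because certificateRefs needs to be added,
    # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
    # websecure:
    #   # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
    #   # The port must match a port declared in ports section.
    #   port: 8443
    #   # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
    #   hostname:
    #   # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
    #   protocol: HTTPS
    #   # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
    #   namespacePolicy:
    #   # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
    #   certificateRefs:
    #   # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
    #   mode:

gatewayClass:  # @schema additionalProperties: false
  # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
  enabled: true
  # -- Set a custom name to GatewayClass
  name: ""
  # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
  labels: {}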
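api:  # @schema additionalProperties: false
  # -- Enable the dashboard
  # The dashboard is on by default. It shows routers, services and middlewares, so treat it
  # as an administrative interface and keep it behind authentication when it is routed.
  dashboard: true
  # -- Custom name for the dashboard (v3.7+).
  dashboardName: ""  # @schema type:[string, null]
  # -- Disable the advertisement from the dashboard.
  disableDashboardAd:  # @schema type:[boolean, null]
  # -- Enable the insecure API (HTTP)
  # Insecure mode serves the API and dashboard directly on the `traefik` entrypoint with no
  # authentication. Leave unset outside of local testing.
  insecure:  # @schema type:[boolean, null]
  # -- Enable the debug API
  # Debug endpoints expose runtime and profiling data; leave unset in production.
  debug:  # @schema type:[boolean, null]
  # -- Configure API basePath
  basePath: ""  # @schema type:[string, null]; default: "/"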
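# -- Only dashboard & healthcheck IngressRoute are supported.
# It's recommended to create workloads CR outside of this Chart.
# @default -- See _values.yaml_
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: false
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the dashboard ingressRoute
    # The default rule has no Host() matcher, so it matches these paths on any hostname
    # that reaches the selected entrypoints.
    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    # -- The internal service used for the dashboard ingressRoute
    # @default -- api@internal
    services:
      - name: api@internal
        kind: TraefikService
    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    # Empty by default: enabling the route does not add authentication on its own.
    # Attach an authentication middleware here before adding an exposed entrypoint.
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}
  healthcheck:
    # -- Create an IngressRoute for the healthcheck probe
    enabled: false
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the healthcheck ingressRoute
    matchRule: PathPrefix(`/ping`)
    # -- The internal service used for the healthcheck ingressRoute
    # @default -- ping@internal
    services:
      - name: ping@internal
        kind: TraefikService
    # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}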
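updateStrategy:  # @schema additionalProperties: false
  # -- Customize updateStrategy of Deployment or DaemonSet
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 0  # @schema type:[integer, string, null]
    maxSurge: 1  # @schema type:[integer, string, null]

readinessProbe:  # @schema additionalProperties: false
  # -- The number of consecutive failures allowed before considering the probe as failed.
  failureThreshold: 1
  # -- The number of seconds to wait before starting the first probe.
  initialDelaySeconds: 2
  # -- The number of seconds to wait between consecutive probes.
  periodSeconds: 10
  # -- The minimum consecutive successes required to consider the probe successful.
  successThreshold: 1
  # -- The number of seconds to wait for a probe response before considering it as failed.
  timeoutSeconds: 2

livenessProbe:  # @schema additionalProperties: false
  # -- The number of consecutive failures allowed before considering the probe as failed.
  failureThreshold: 3
  # -- The number of seconds to wait before starting the first probe.
  initialDelaySeconds: 2
  # -- The number of seconds to wait between consecutive probes.
  periodSeconds: 10
  # -- The minimum consecutive successes required to consider the probe successful.
  successThreshold: 1
  # -- The number of seconds to wait for a probe response before considering it as failed.
  timeoutSeconds: 2

# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
startupProbe: {}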
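# @schema additionalProperties: false
providers:
  # -- Defines the routing precedence between providers. See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/#routing-precedence) for the default order.
  precedence: []
  # @schema additionalProperties: false
  kubernetesCRD:
    # -- Load Kubernetes IngressRoute provider
    enabled: true
    # -- Allows IngressRoute to reference resources in namespace other than theirs
    # Keeping this false preserves namespace isolation: a tenant's IngressRoute cannot
    # borrow middlewares, services or TLS options that belong to another namespace.
    allowCrossNamespace: false
    # -- Allows to reference ExternalName services in IngressRoute
    # ExternalName services point at arbitrary DNS names, so enabling this lets route
    # authors direct proxied traffic to hosts outside the cluster.
    allowExternalNameServices: false
    # -- Allows to return 503 when there are no endpoints available
    allowEmptyServices: true
    # -- List of namespaces from which IngressRoute, IngressRouteTCP, IngressRouteUDP, and TraefikService are allowed to declare cross-provider references. Requires traefik v3.7.1+.
    crossProviderNamespaces: []
    # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
    ingressClass: ""
    # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector)
    labelSelector: ""
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    # An empty list means cluster-wide watches; list namespaces explicitly to narrow what
    # the controller reads.
    namespaces: []
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
  # @schema additionalProperties: false
  kubernetesIngress:
    # -- Load Kubernetes Ingress provider
    enabled: true
    # -- Allows to reference ExternalName services in Ingress
    allowExternalNameServices: false
    # -- Allows to return 503 when there are no endpoints available
    allowEmptyServices: true
    # -- List of namespaces from which Ingresses or Services are allowed to declare Middlewares, TLSOptions, or ServersTransport references. Requires traefik v3.7.1+.
    crossProviderNamespaces: []
    # -- Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup)
    disableIngressClassLookup: false
    # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
    ingressClass:  # @schema type:[string, null]
    labelSelector:  # @schema type:[string, null]
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    namespaces: []
    # IP used for Kubernetes Ingress endpoints
    publishedService:
      # -- Enable [publishedService](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#ingressendpointpublishedservice),
      # usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
      enabled: true
      # -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
      # Default to Service deployed with this Chart.
      pathOverride: ""
    # @schema additionalProperties: false
    ingressEndpoint:
      # -- Hostname used for Kubernetes Ingress endpoints
      hostname: ""  # @schema type:[string, null]
      # -- IP used for Kubernetes Ingress endpoints
      ip: ""  # @schema type:[string, null]
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
    # -- Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification.
    strictPrefixMatching: false
  # @schema additionalProperties: false
  kubernetesGateway:
    # -- Enable Traefik Gateway provider for Gateway API
    enabled: false
    # -- List of namespaces from which Gateway API routes are allowed to declare TraefikService backendRef references. Requires traefik v3.7.1+.
    crossProviderNamespaces: []
    # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
    # This option currently enables support for TCPRoute and TLSRoute.
    experimentalChannel: false
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. kubernetesGateway provider requires ClusterRole and as a consequence `rbac.namespaced` is not supported.
    namespaces: []
    # -- A label selector can be defined to filter on specific GatewayClass objects only.
    labelSelector: ""
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
    # -- Maximum QPS to the Kubernetes API server. A negative value disables client-side ratelimiting (v3.7.3+). Defaults to 50.
    qps:  # @schema type:[integer, null]
    # -- Maximum burst of requests to the Kubernetes API server (v3.7.3+). Defaults to 100.
    burst:  # @schema type:[integer, null]
    statusAddress:
      # -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
      ip: ""
      # -- This Hostname will get copied to the Gateway status.addresses.
      hostname: ""
      service:
        # -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
        enabled: true
        name: ""
        namespace: ""
  # @schema additionalProperties: false
  file:
    # -- Create a file provider
    enabled: false
    # -- Allows Traefik to automatically watch for file changes
    watch: true
    # -- File content as an object (will be YAML-formatted, go template supported) (see https://doc.traefik.io/traefik/reference/install-configuration/providers/others/file/)
    content: {}
  # @schema additionalProperties: false
  kubernetesIngressNGINX:
    # -- Enable Kubernetes Ingress NGINX provider
    enabled: false
    # -- Ingress Class Controller value this controller satisfies
    controllerClass: "k8s.io/ingress-nginx"
    # -- Name of the ingress class this controller satisfies
    ingressClass: "nginx"
    # -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
    ingressClassByName: false
    # -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
    watchIngressWithoutClass: false
    # -- Single namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector.
    watchNamespace: ""
    # -- Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace.
    watchNamespaceSelector: ""
    publishService:
      # -- Enable publishService. Service fronting the Ingress controller, used to set the load-balancer status of Ingress objects.
      # Usually the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
      enabled: false
      # -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
      # Default to Service deployed with this Chart.
      pathOverride: ""
    # -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies
    publishStatusAddress: ""
    # -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
    defaultBackendService: ""
    # -- Disable support for Services of type ExternalName
    disableSvcExternalName: false
    # -- Ingress refresh throttle duration
    throttleDuration: ""
    # -- Kubernetes certificate authority file path (not needed for in-cluster client)
    certAuthFilePath: ""
    # -- Kubernetes server endpoint (required for external cluster client)
    endpoint: ""
    # -- Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token
    # Prefer the file-path form: a literal token set here is kept with the Helm release
    # values and is readable by anyone who can read those values.
    token: ""
    # -- Defines whether to enable request buffering (default: false)
    proxyRequestBuffering: null  # @schema type:[boolean, null]
    # -- Default buffer size for reading client request body in bytes (default: 16384)
    clientBodyBufferSize:  # @schema type:[integer, null]
    # -- Default maximum size of a client request body in bytes (default: 1048576)
    proxyBodySize:  # @schema type:[integer, null]
    # -- Defines whether to enable response buffering (default: false)
    proxyBuffering: null  # @schema type:[boolean, null]
    # -- Default buffer size for reading the response body in bytes (default: 8192)
    proxyBufferSize:  # @schema type:[integer, null]
    # -- Default number of buffers for reading a response (default: 4)
    proxyBuffersNumber:  # @schema type:[integer, null]
    # -- Amount of time to wait until a connection to a server can be established. Unitless, in seconds (default: 60)
    proxyConnectTimeout:  # @schema type:[integer, null]
    # -- Amount of time between two successive read operations. Unitless, in seconds (default: 60)
    proxyReadTimeout:  # @schema type:[integer, null]
    # -- Amount of time between two successive write operations. Unitless, in seconds (default: 60)
    proxySendTimeout:  # @schema type:[integer, null]
    # -- Defines in which cases a request should be retried (default: "error timeout")
    proxyNextUpstream: ""
    # -- Limits the number of possible tries if the backend server does not reply (default: 3)
    proxyNextUpstreamTries:  # @schema type:[integer, null]
    # -- Limits the total elapsed time to retry the request. Unitless, in seconds (default: 0)
    proxyNextUpstreamTimeout:  # @schema type:[integer, null]
    # -- Defines which HTTP status codes should result in calling the default backend to return an error page
    customHTTPErrors: []
    # -- Defines the idle timeout for keep-alive connections to upstream servers. Unitless, in seconds (default: 60)
    upstreamKeepaliveTimeout:  # @schema type:[integer, null]
    # -- Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces (default: false)
    # Enabling this lets an Ingress author reference Secrets and ConfigMaps outside their
    # own namespace; keep the default in multi-tenant clusters.
    allowCrossNamespaceResources: null  # @schema type:[boolean, null]
    # -- List of allowed response headers inside the custom headers annotations
    globalAllowedResponseHeaders: []
    # -- URL to the service that provides authentication for all the locations. Per ingress auth-url annotation has precedence over this option.
    # Because the per-Ingress annotation takes precedence, this global URL is a default
    # and not an enforced control.
    globalAuthUrl: ""
    # -- When set, the strategy is applied to every generated IPAllowList middleware.
    # @default -- See below
    ipAllowListStrategy:
      # -- Number of trusted proxy hops to skip when extracting the client IP from the X-Forwarded-For header. 0 disables depth-based extraction. (default: 0)
      # X-Forwarded-For is client-supplied unless a trusted proxy rewrites it; set depth only
      # to the number of proxies you operate in front of Traefik.
      depth: 0
      # -- List of IPs to exclude when scanning the X-Forwarded-For header to find the client IP.
      excludedIPS: []
      # -- IPv6 subnet size used to group IPv6 addresses when checking the allow list. 0 disables subnet grouping.
      ipv6Subnet: 0
    # -- Enables parsing and adding -snippet annotations/directives (default: false)
    # Snippet annotations let whoever can create an Ingress inject raw directives; enable
    # only when every Ingress author is trusted at the level of the proxy itself.
    allowSnippetAnnotations: null  # @schema type:[boolean, null]
    # -- Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact (default: true)
    strictValidatePathType: null  # @schema type:[boolean, null]
    # -- Defines the EntryPoint to use for HTTP requests
    httpEntryPoint: "web"
    # -- Defines the EntryPoint to use for HTTPS requests
    httpsEntryPoint: "websecure"
    # NOTE(review): indentation was lost on the page this listing came from. `modsec` is shown
    # under `kubernetesIngressNGINX` because it is not itself a provider - confirm its
    # nesting level against the chart's values.yaml / values.schema.json before use.
    # @schema additionalProperties: false
    modsec:
      # -- Enable ModSec engine. Requires Traefik Hub >= v3.20.0-ea.8.
      enabled: false
      # -- Enable OWASP Core Rules.
      owaspCoreRules: false
      # -- Custom ModSec rules snippet.
      snippet: ""
  # @schema additionalProperties: false
  knative:
    # -- Enable Knative provider
    enabled: false
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    namespaces: []
    # -- Allow filtering Knative Ingress objects
    labelSelector: ""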
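# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# `additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"`
# Private keys belong in `type: secret` volumes, not in a ConfigMap, since ConfigMaps
# are not treated as confidential by Kubernetes RBAC defaults or tooling.
volumes: []
# - name: public-cert
#   mountPath: "/certs"
#   type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
#   mountPath: "/config"
#   type: configMap
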
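# -- Additional volumeMounts to add to the Traefik container
additionalVolumeMounts: []
# -- For instance when using a logshipper for access logs
# - name: traefik-logs
#   mountPath: /var/log/traefik
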
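# -- See [logs reference](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/)
log:
  # -- Set [logs format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-log-format)
  format:  # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
  # By default, the level is set to INFO.
  # -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
  level: "INFO"  # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
  # -- To write the logs into a log file, use the filePath option.
  filePath: ""
  # -- When set to true and format is common, it disables the colorized output.
  noColor: false
  otlp:
    # -- Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled.
    enabled: false
    # -- Service name used in OTLP backend. Default: traefik.
    serviceName:  # @schema type:[string, null]
    http:
      # -- Set to true in order to send logs to the OpenTelemetry Collector using HTTP.
      enabled: false
      # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
      endpoint: ""
      # -- Additional headers sent with logs by the reporter to the OpenTelemetry Collector.
      # Headers that carry collector credentials end up in the release values when set
      # here; supply them from a secret-backed source where possible.
      headers: {}
      ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        # Leave unset: skipping verification removes the collector's identity check, so
        # logs could be delivered to an impersonating endpoint. Configure `ca` instead.
        insecureSkipVerify:  # @schema type:[boolean, null]
    grpc:
      # -- Set to true in order to send logs to the OpenTelemetry Collector using gRPC
      enabled: false
      # -- Format: <host>:<port>. Default: "localhost:4317"
      endpoint: ""
      # -- Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol.
      # When true, log data crosses the network unencrypted; keep false unless the
      # collector is reached over a link that is already protected.
      insecure: false
      ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        # Leave unset: skipping verification removes the collector's identity check.
        insecureSkipVerify:  # @schema type:[boolean, null]
    # -- Defines additional resource attributes to be sent to the collector.
    resourceAttributes: {}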
560
# -- See [access logs reference](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/)
561
accessLog:
562
# -- To enable access logs
563
enabled: false
564
# -- Set [access log format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-format)
565
format: # @schema enum:["common", "genericCLF", "json", null]; type:[string, null]; default: "common"
566
# filePath: "/var/log/traefik/access.log"
567
# -- Set [bufferingSize](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-bufferingSize)
568
bufferingSize: # @schema type:[integer, null]
569
# -- Set [timezone](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#time-zones)
570
timezone: ""
571
# -- Set [filtering](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#access-log-filters)
572
# @default -- See below
573
filters: # @schema additionalProperties: false
574
# -- Set statusCodes, to limit the access logs to requests with a status code in the specified range
575
statusCodes: ""
576
# -- Set retryAttempts, to keep the access logs when at least one retry has happened
577
retryAttempts: false
578
# -- Set minDuration, to keep access logs when requests take longer than the specified duration
579
minDuration: ""
580
# -- Enables accessLogs for internal resources. Default: false.
581
addInternals: false
582
# -- Enables access log output alongside OTLP (v3.7+).
583
dualOutput: false
584
fields:
585
# -- Set default mode for fields.names
586
defaultMode: keep # @schema enum:[keep, drop, redact]; default: keep
587
# -- Names of the fields to limit.
588
names: {}
589
headers:
590
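# -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#log-fields-customization)
# Keeping the default `drop` (or using `redact`) keeps credential-bearing headers such as `Authorization` and `Cookie` out of the access logs.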
591
defaultMode: drop # @schema enum:[keep, drop, redact]; default: drop
592
names: {}
593
queryParameters:
594
# -- Keep or drop all query parameters in the RequestPath access log field (v3.7.3+).
595
defaultMode: # @schema enum:[keep, drop, null]; type:[string, null]; default: null
596
otlp:
597
# -- Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled.
598
enabled: false
599
# -- Service name used in OTLP backend. Default: traefik.
600
serviceName: # @schema type:[string, null]
601
http:
602
# -- Set to true in order to send access logs to the OpenTelemetry Collector using HTTP.
603
enabled: false
604
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
605
endpoint: ""
606
# -- Additional headers sent with access logs by the reporter to the OpenTelemetry Collector.
607
headers: {}
608
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
609
tls:
610
# -- The path to the certificate authority, it defaults to the system bundle.
611
ca: ""
612
# -- The path to the public certificate. When using this option, setting the key option is required.
613
cert: ""
614
# -- The path to the private key. When using this option, setting the cert option is required.
615
key: ""
616
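# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.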
617
insecureSkipVerify: # @schema type:[boolean, null]
618
grpc:
619
# -- Set to true in order to send access logs to the OpenTelemetry Collector using gRPC
620
enabled: false
621
# -- Format: <host>:<port>. Default: "localhost:4317"
622
endpoint: ""
623
# -- Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
624
insecure: false
625
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
626
tls:
627
# -- The path to the certificate authority, it defaults to the system bundle.
628
ca: ""
629
# -- The path to the public certificate. When using this option, setting the key option is required.
630
cert: ""
631
# -- The path to the private key. When using this option, setting the cert option is required.
632
key: ""
633
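# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.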
634
insecureSkipVerify: # @schema type:[boolean, null]
635
# -- Defines additional resource attributes to be sent to the collector.
636
resourceAttributes: {}
637
metrics:
638
# -- Enable metrics for internal resources. Default: false
639
addInternals: false
640
## Prometheus is enabled by default.
641
## It can be disabled by setting "prometheus: null"
642
prometheus:
643
# -- Entry point used to expose metrics.
644
entryPoint: metrics
645
# -- Enable metrics on entry points. Default: true
646
addEntryPointsLabels: # @schema type:[boolean, null]
647
# -- Enable metrics on routers. Default: false
648
addRoutersLabels: # @schema type:[boolean, null]
649
# -- Enable metrics on services. Default: true
650
addServicesLabels: # @schema type:[boolean, null]
651
# -- Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
652
buckets: ""
653
# -- When manualRouting is true, it disables the default internal router in
654
## order to allow creating a custom router for prometheus@internal service.
655
manualRouting: false
656
# -- Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage.
657
headerLabels: {} # @schema type:[object, null]
658
service:
659
# -- Create a dedicated metrics service to use with ServiceMonitor
660
enabled: false
661
labels: {}
662
annotations: {}
663
# -- When set to true, it won't check if Prometheus Operator CRDs are deployed
664
disableAPICheck: # @schema type:[boolean, null]
665
serviceMonitor:
666
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
667
enabled: false
668
apiVersion: "monitoring.coreos.com/v1"
669
metricRelabelings: []
670
relabelings: []
671
jobLabel: ""
672
interval: ""
673
honorLabels: false
674
scrapeTimeout: ""
675
honorTimestamps: false
676
enableHttp2: false
677
followRedirects: false
678
additionalLabels: {}
679
namespace: ""
680
namespaceSelector: {}
681
prometheusRule:
682
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
683
enabled: false
684
apiVersion: "monitoring.coreos.com/v1"
685
additionalLabels: {}
686
namespace: ""
687
# datadog:
688
# ## Address instructs exporter to send metrics to datadog-agent at this address.
689
# address: "127.0.0.1:8125"
690
# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
691
# # pushInterval: 30s
692
# ## The prefix to use for metrics collection. Default="traefik"
693
# # prefix: traefik
694
# ## Enable metrics on entry points. Default=true
695
# # addEntryPointsLabels: false
696
# ## Enable metrics on routers. Default=false
697
# # addRoutersLabels: true
698
# ## Enable metrics on services. Default=true
699
# # addServicesLabels: false
700
# influxdb2:
701
# ## Address instructs exporter to send metrics to influxdb v2 at this address.
702
# address: localhost:8086
703
# ## Token with which to connect to InfluxDB v2. Treat it as a secret: avoid committing a real token in a values file.
704
# token: xxx
705
# ## Organisation where metrics will be stored.
706
# org: ""
707
# ## Bucket where metrics will be stored.
708
# bucket: ""
709
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
710
# # pushInterval: 30s
711
# ## Additional labels (influxdb tags) on all metrics.
712
# # additionalLabels:
713
# # env: production
714
# # foo: bar
715
# ## Enable metrics on entry points. Default=true
716
# # addEntryPointsLabels: false
717
# ## Enable metrics on routers. Default=false
718
# # addRoutersLabels: true
719
# ## Enable metrics on services. Default=true
720
# # addServicesLabels: false
721
# statsd:
722
# ## Address instructs exporter to send metrics to statsd at this address.
723
# address: localhost:8125
724
# ## The interval used by the exporter to push metrics to statsd. Default=10s
725
# # pushInterval: 30s
726
# ## The prefix to use for metrics collection. Default="traefik"
727
# # prefix: traefik
728
# ## Enable metrics on entry points. Default=true
729
# # addEntryPointsLabels: false
730
# ## Enable metrics on routers. Default=false
731
# # addRoutersLabels: true
732
# ## Enable metrics on services. Default=true
733
# # addServicesLabels: false
734
otlp:
735
# -- Set to true in order to enable the OpenTelemetry metrics
736
enabled: false
737
# -- Enable metrics on entry points. Default: true
738
addEntryPointsLabels: # @schema type:[boolean, null]
739
# -- Enable metrics on routers. Default: false
740
addRoutersLabels: # @schema type:[boolean, null]
741
# -- Enable metrics on services. Default: true
742
addServicesLabels: # @schema type:[boolean, null]
743
# -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
744
explicitBoundaries: []
745
# -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
746
pushInterval: ""
747
# -- Service name used in OTLP backend. Default: traefik.
748
serviceName: # @schema type:[string, null]
749
http:
750
# -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
751
enabled: false
752
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics
753
endpoint: ""
754
# -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
755
headers: {}
756
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
757
tls:
758
# -- The path to the certificate authority, it defaults to the system bundle.
759
ca: ""
760
# -- The path to the public certificate. When using this option, setting the key option is required.
761
cert: ""
762
# -- The path to the private key. When using this option, setting the cert option is required.
763
key: ""
764
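# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.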
765
insecureSkipVerify: # @schema type:[boolean, null]
766
grpc:
767
# -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
768
enabled: false
769
# -- Format: <host>:<port>. Default: "localhost:4317"
770
endpoint: ""
771
# -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
772
insecure: false
773
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
774
tls:
775
# -- The path to the certificate authority, it defaults to the system bundle.
776
ca: ""
777
# -- The path to the public certificate. When using this option, setting the key option is required.
778
cert: ""
779
# -- The path to the private key. When using this option, setting the cert option is required.
780
key: ""
781
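# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.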
782
insecureSkipVerify: # @schema type:[boolean, null]
783
# -- Defines additional resource attributes to be sent to the collector.
784
resourceAttributes: {}
785
ocsp:
786
# -- Enable OCSP stapling support.
787
# See https://doc.traefik.io/traefik/reference/install-configuration/tls/ocsp/
788
enabled: false
789
# -- Defines the OCSP responder URLs to use instead of the one provided by the certificate.
790
responderOverrides: {}
791
## Tracing
792
# -- https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/
793
# @default -- See _values.yaml_
794
tracing: # @schema additionalProperties: false
795
# -- Enables tracing for internal resources. Default: false.
796
addInternals: false
797
# -- Service name used in selected backend. Default: traefik.
798
serviceName: # @schema type:[string, null]
799
# -- Defines additional resource attributes to be sent to the collector.
800
resourceAttributes: {}
801
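# -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
# Avoid listing credential-bearing headers such as `Authorization` or `Cookie`: captured values leave the cluster as span attributes.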
802
capturedRequestHeaders: []
803
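# -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
# Avoid listing headers that carry session material such as `Set-Cookie`: captured values leave the cluster as span attributes.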
804
capturedResponseHeaders: []
805
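# -- By default, all query parameters are redacted. Defines the list of query parameters to not redact.
# Only list parameters that never carry tokens or other secrets, since their values are then recorded unredacted.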
806
safeQueryParams: []
807
# -- The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0.
808
sampleRate: # @schema type:[number, null]; minimum:0; maximum:1
809
otlp:
810
# -- See https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/#configuration-options
811
enabled: false
812
http:
813
# -- Set to true in order to send traces to the OpenTelemetry Collector using HTTP.
814
enabled: false
815
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing
816
endpoint: ""
817
# -- Additional headers sent with traces by the reporter to the OpenTelemetry Collector.
818
headers: {}
819
## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
820
tls:
821
# -- The path to the certificate authority, it defaults to the system bundle.
822
ca: ""
823
# -- The path to the public certificate. When using this option, setting the key option is required.
824
cert: ""
825
# -- The path to the private key. When using this option, setting the cert option is required.
826
key: ""
827
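# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.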
828
insecureSkipVerify: # @schema type:[boolean, null]
829
grpc:
830
# -- Set to true in order to send traces to the OpenTelemetry Collector using gRPC
831
enabled: false
832
# -- Format: <host>:<port>. Default: "localhost:4317"
833
endpoint: ""
834
# -- Allows reporter to send traces to the OpenTelemetry Collector without using a secured protocol.
835
insecure: false
836
## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
837
tls:
838
# -- The path to the certificate authority, it defaults to the system bundle.
839
ca: ""
840
# -- The path to the public certificate. When using this option, setting the key option is required.
841
cert: ""
842
# -- The path to the private key. When using this option, setting the cert option is required.
843
key: ""
844
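# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
# This turns off server authentication for the collector connection; leave it unset outside of testing and set `ca` to the collector's CA instead.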
845
insecureSkipVerify: # @schema type:[boolean, null]
846
global:
847
checkNewVersion: true
848
# -- Please take time to consider whether or not you wish to share anonymous data with us
849
# See https://doc.traefik.io/traefik/contributing/data-collection/
850
sendAnonymousUsage: false
851
# -- Disable appending RemoteAddr to X-Forwarded-For header globally (v3.7+).
852
notAppendXForwardedFor: false
853
# -- Required for Azure Marketplace integration.
854
# See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart
855
# @default -- See _values.yaml_
856
azure:
857
enabled: false
858
images:
859
proxy:
860
image: chainguard-private/traefik
861
tag: latest@sha256:04967295ecef8cee1269d17455b459cd3e4c999d8d62f3aa09f536c2b1cdf7bd
862
registry: cgr.dev
863
hub:
864
image: chainguard-private/traefik
865
tag: latest@sha256:04967295ecef8cee1269d17455b459cd3e4c999d8d62f3aa09f536c2b1cdf7bd
866
registry: cgr.dev
867
# -- Additional arguments to be passed at Traefik's binary
868
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
869
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
870
additionalArguments: []
871
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
872
# - "--log.level=DEBUG"
# -- Additional Environment variables to be passed to Traefik's binary
875
env: []
876
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
877
envFrom: []
878
# @schema mergeProperties: true
879
ports:
880
# @schema additionalProperties: false
881
traefik:
882
port: 8080
883
# -- Use hostPort if set.
884
hostPort: # @schema type:[integer, null]; minimum:0
885
# -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
886
# means it's listening on all your interfaces and all your IPs. You may want
887
# to set this value if you need traefik to listen on specific interface
888
# only.
889
hostIP: # @schema type:[string, null]
890
# Defines whether the port is exposed if service.type is LoadBalancer or
891
# NodePort.
892
#
893
# -- You SHOULD NOT expose the traefik port on production deployments.
894
# If you want to access it from outside your cluster,
895
# use `kubectl port-forward` or create a secure ingress
896
expose:
897
default: false
898
# -- The exposed port for this service
899
exposedPort: 8080
900
# -- The port protocol (TCP/UDP)
901
protocol: TCP
902
observability: # @schema additionalProperties: false
903
# -- Defines whether a router attached to this EntryPoint produces metrics by default.
904
metrics: # @schema type:[boolean, null]; default: true
905
# -- Defines whether a router attached to this EntryPoint produces access-logs by default.
906
accessLogs: # @schema type:[boolean, null]; default: true
907
# -- Defines whether a router attached to this EntryPoint produces traces by default.
908
tracing: # @schema type:[boolean, null]; default: true
909
# -- Defines the tracing verbosity level for routers attached to this EntryPoint.
910
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
911
web:
912
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
913
asDefault: # @schema type: [boolean, null]; default: null
914
port: 8000
915
# hostPort: 8000
916
# containerPort: 8000
917
expose:
918
default: true
919
exposedPort: 80
920
## -- Different target traefik port on the cluster, useful for IP type LB
921
targetPort: # @schema type:[string, integer, null]; minimum:0
922
# The port protocol (TCP/UDP)
923
protocol: TCP
924
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
925
nodePort: # @schema type:[integer, null]; minimum:0
926
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
927
allowACMEByPass: false
928
http:
929
redirections:
930
# -- Port Redirections
931
# Added in 2.2, one can make permanent redirects via entrypoints.
932
# Same sets of parameters: to, scheme, permanent and priority.
933
# https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example
934
entryPoint: {}
935
forwardedHeaders:
936
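# -- Trust forwarded headers information (X-Forwarded-*).
# List only the addresses of the proxies or load balancers in front of Traefik; `insecure: true` trusts these headers from any client, which lets a client spoof its source IP.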
937
trustedIPs: []
938
insecure: false
939
# -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
940
notAppendXForwardedFor: false
941
proxyProtocol:
942
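# -- Enable the Proxy Protocol header parsing for the entry point
# Restrict `trustedIPs` to the load balancers that actually send the PROXY header; `insecure: true` accepts it from any peer.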
943
trustedIPs: []
944
insecure: false
945
# -- Set transport settings for the entrypoint
946
# @default -- nil
947
transport:
948
respondingTimeouts:
949
readTimeout: # @schema type:[string, integer, null]
950
writeTimeout: # @schema type:[string, integer, null]
951
idleTimeout: # @schema type:[string, integer, null]
952
lifeCycle:
953
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
954
graceTimeOut: # @schema type:[string, integer, null]
955
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
956
keepAliveMaxTime: # @schema type:[string, integer, null]
957
# -- Enable this port as an uplink for multi cluster.
958
# ⚠️ This feature is experimental and requires Traefik Hub with a specific subscription.
959
uplink: # @schema type: [boolean, null]; default: null
960
observability: # @schema additionalProperties: false
961
# -- Enables metrics for this entryPoint.
962
metrics: # @schema type:[boolean, null]; default: true
963
# -- Enables access-logs for this entryPoint.
964
accessLogs: # @schema type:[boolean, null]; default: true
965
# -- Enables tracing for this entryPoint.
966
tracing: # @schema type:[boolean, null]; default: true
967
# -- Defines the tracing verbosity level for this entryPoint.
968
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
969
websecure:
970
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
971
# asDefault: true
972
port: 8443
973
hostPort: # @schema type:[integer, null]; minimum:0
974
containerPort: # @schema type:[integer, null]; minimum:0
975
expose:
976
default: true
977
exposedPort: 443
978
## -- Different target traefik port on the cluster, useful for IP type LB
979
targetPort: # @schema type:[string, integer, null]; minimum:0
980
## -- The port protocol (TCP/UDP)
981
protocol: TCP
982
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
983
nodePort: # @schema type:[integer, null]; minimum:0
984
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
985
appProtocol: # @schema type:[string, null]
986
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
987
allowACMEByPass: false
988
http:
989
# -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
990
# @default -- nil
991
encodedCharacters: # @schema additionalProperties: false
992
allowEncodedSlash: # @schema type:[boolean, null]
993
allowEncodedBackSlash: # @schema type:[boolean, null]
994
allowEncodedNullCharacter: # @schema type:[boolean, null]
995
allowEncodedSemicolon: # @schema type:[boolean, null]
996
allowEncodedPercent: # @schema type:[boolean, null]
997
allowEncodedQuestionMark: # @schema type:[boolean, null]
998
allowEncodedHash: # @schema type:[boolean, null]
999
# -- Maximum size of request headers in bytes. Default: 1048576 (1 MB)
1000
maxHeaderBytes: # @schema type:[integer, null]; minimum:0
1001
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares)
1002
middlewares: [] # @schema type: [array, null]
1003
# -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization)
1004
sanitizePath: # @schema type:[boolean, null]
1005
tls:
1006
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls)
1007
# @default -- true
1008
enabled: true
1009
options: ""
1010
certResolver: ""
1011
domains: []
1012
http3:
1013
## -- Enable HTTP/3 on the entrypoint
1014
## Enabling it will also enable http3 experimental feature
1015
## https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http3
1016
## There are known limitations when trying to listen on same ports for
1017
## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
1018
## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
1019
enabled: false
1020
advertisedPort: # @schema type:[integer, null]; minimum:0
1021
forwardedHeaders:
1022
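# -- Trust forwarded headers information (X-Forwarded-*).
# List only the addresses of the proxies or load balancers in front of Traefik; `insecure: true` trusts these headers from any client, which lets a client spoof its source IP.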
1023
trustedIPs: []
1024
insecure: false
1025
# -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
1026
notAppendXForwardedFor: false
1027
proxyProtocol:
1028
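# -- Enable the Proxy Protocol header parsing for the entry point
# Restrict `trustedIPs` to the load balancers that actually send the PROXY header; `insecure: true` accepts it from any peer.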
1029
trustedIPs: []
1030
insecure: false
1031
# @default -- nil
1032
transport:
1033
respondingTimeouts:
1034
readTimeout: # @schema type:[string, integer, null]
1035
writeTimeout: # @schema type:[string, integer, null]
1036
idleTimeout: # @schema type:[string, integer, null]
1037
lifeCycle:
1038
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
1039
graceTimeOut: # @schema type:[string, integer, null]
1040
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
1041
keepAliveMaxTime: # @schema type:[string, integer, null]
1042
observability: # @schema additionalProperties: false
1043
# -- Enables metrics for this entryPoint.
1044
metrics: # @schema type:[boolean, null]; default: true
1045
# -- Enables access-logs for this entryPoint.
1046
accessLogs: # @schema type:[boolean, null]; default: true
1047
# -- Enables tracing for this entryPoint.
1048
tracing: # @schema type:[boolean, null]; default: true
1049
# -- Defines the tracing verbosity level for this entryPoint.
1050
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
1051
metrics:
1052
# -- When using hostNetwork, use another port to avoid conflict with node exporter:
1053
# https://github.com/prometheus/prometheus/wiki/Default-port-allocations
1054
port: 9100
1055
# -- You may not want to expose the metrics port on production deployments.
1056
# If you want to access it from outside your cluster,
1057
# use `kubectl port-forward` or create a secure ingress
1058
expose:
1059
default: false
1060
# -- The exposed port for this service
1061
exposedPort: 9100
1062
# -- The port protocol (TCP/UDP)
1063
protocol: TCP
1064
observability: # @schema additionalProperties: false
1065
# -- Enables metrics for this entryPoint.
1066
metrics: # @schema type:[boolean, null]; default: true
1067
# -- Enables access-logs for this entryPoint.
1068
accessLogs: # @schema type:[boolean, null]; default: true
1069
# -- Enables tracing for this entryPoint.
1070
tracing: # @schema type:[boolean, null]; default: true
1071
# -- Defines the tracing verbosity level for this entryPoint.
1072
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
1073
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsoption/)
1074
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
1075
# See EXAMPLES.md for details.
1076
tlsOptions: {}
1077
# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsstore/).
1078
# This is useful if you want to set a default certificate. See EXAMPLES.md for details.
1079
tlsStore: {}
1080
service:
1081
enabled: true
1082
# -- Override the default Service name. Useful for adopting an existing Service (e.g., during migration from another ingress controller).
1083
nameOverride: "" # @schema type:[string, null]
1084
## -- A single Service relies on the `MixedProtocolLBService` feature gate.
1085
## -- When set to false, it will create two Services, one for TCP and one for UDP.
1086
single: true
1087
# -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
1088
annotations: {}
1089
# -- Additional annotations for TCP service only
1090
annotationsTCP: {}
1091
# -- Additional annotations for UDP service only
1092
annotationsUDP: {}
1093
# -- Additional service labels (e.g. for filtering Service by custom labels)
1094
labels: {}
1095
# -- Additional entries here will be added to the Service [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#servicespec-v1-core).
1096
# Cannot contain selector or ports entries.
1097
spec:
1098
type: LoadBalancer
1099
# -- Can be used to create multiple Services.
1100
# See EXAMPLES.md for more details.
1101
additionalServices: {}
1102
autoscaling: # @schema additionalProperties: false
1103
# -- Create HorizontalPodAutoscaler object.
1104
# See EXAMPLES.md for more details.
1105
enabled: false
1106
# -- minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.
1107
minReplicas: # @schema type:[integer, null]; minimum:0
1108
# -- maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
1109
maxReplicas: # @schema type:[integer, null]; minimum:0
1110
# -- metrics contains the specifications used to calculate the desired replica count (the maximum replica count across all metrics will be used).
1111
metrics: []
1112
# -- behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).
1113
behavior: {}
1114
# -- scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count.
1115
# @default -- Traefik Deployment
1116
scaleTargetRef:
1117
apiVersion: apps/v1
1118
kind: Deployment
1119
name: "{{ template \"traefik.fullname\" . }}"
1120
persistence:
1121
# -- Enable persistence using Persistent Volume Claims
1122
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
1123
# It can be used to store TLS certificates along with the `certificatesResolvers.<name>.acme.storage` option.
# The ACME storage file also holds private keys, so limit who can read the volume.
1124
enabled: false
1125
name: data
1126
existingClaim: ""
1127
accessMode: ReadWriteOnce
1128
size: 128Mi
1129
storageClass: # @schema type:[string, null]
1130
volumeName: ""
1131
path: /data
1132
annotations: {}
1133
# -- Only mount a subpath of the Volume into the pod
1134
subPath: ""
1135
# -- Certificates resolvers configuration.
1136
# Ref: https://doc.traefik.io/traefik/reference/install-configuration/tls/certificate-resolvers/acme/
1137
# See EXAMPLES.md for more details.
1138
certificatesResolvers: {}
1139
# -- If hostNetwork is true, runs traefik in the host network namespace, sharing the node's network interfaces and ports.
1140
# To prevent unschedulable pods due to port collisions, if hostNetwork=true
1141
# and replicas>1, a pod anti-affinity is recommended and will be set if the
1142
# affinity is left as default.
1143
hostNetwork: false
1144
rbac: # @schema additionalProperties: false
1145
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
1146
enabled: true
1147
# -- When set to true: <br />
1148
# 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.<br />
1149
# 2. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers<br />
1150
# **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. <br />
1151
# See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-disableClusterScopeResources) for more details.
1152
namespaced: false
1153
# -- Enable user-facing roles
1154
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
1155
aggregateTo: []
1156
# -- The service account the pods will use to interact with the Kubernetes API
1157
serviceAccount: # @schema additionalProperties: false
1158
# If set, an existing service account is used
1159
# If not set, a service account is created automatically using the fullname template
1160
name: ""
1161
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
1162
serviceAccountAnnotations: {}
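# NOTE(review): the empty default sets no requests or limits on the container;
# set them so a traffic spike on the proxy cannot starve co-located workloads.
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources: {}
# -- This example pod anti-affinity forces the scheduler to put traefik pods
# -- on nodes where no other traefik pods are scheduled.
# It should be used when hostNetwork: true to prevent port conflicts
affinity: {}
#  podAntiAffinity:
#    requiredDuringSchedulingIgnoredDuringExecution:
#      - labelSelector:
#          matchLabels:
#            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
#        topologyKey: kubernetes.io/hostname

# -- nodeSelector is the simplest recommended form of node selection constraint.
nodeSelector: {}
# -- Tolerations allow the scheduler to schedule pods with matching taints.
tolerations: []
# -- You can use topology spread constraints to control
# how Pods are spread across your cluster among failure-domains.
topologySpreadConstraints: []
# This example topologySpreadConstraints forces the scheduler to put traefik pods
# on nodes where no other traefik pods are scheduled.
#  - labelSelector:
#      matchLabels:
#        app.kubernetes.io/name: '{{ template "traefik.name" . }}'
#    maxSkew: 1
#    topologyKey: kubernetes.io/hostname
#    whenUnsatisfiable: DoNotSchedule

# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
priorityClassName: ""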
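# Container-level hardening. Overriding this key replaces the defaults below,
# so carry all three settings over when customising it.
# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
# @default -- See _values.yaml_
securityContext:
  # The process cannot gain more privileges than its parent (no setuid gain).
  allowPrivilegeEscalation: false
  capabilities:
    # No Linux capabilities are kept.
    drop: [ALL]
  # The container image is mounted read-only; writable paths must be volumes.
  readOnlyRootFilesystem: true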
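# Pod-level hardening: a fixed non-root UID/GID and the runtime's default
# seccomp filter. Keep `runAsNonRoot` and `seccompProfile` when overriding.
# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
# @default -- See _values.yaml_
podSecurityContext:
  runAsGroup: 65532
  # The kubelet refuses to start a container that would run as UID 0.
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    # Applies the container runtime's default syscall filter.
    type: RuntimeDefault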
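#
# NOTE(review): entries are rendered as templates and deployed with the
# release, so whoever controls this value can create arbitrary objects with
# the installer's permissions. Review third-party values files for this key.
# -- Extra objects to deploy (value evaluated as a template)
#
# In some cases, it can avoid the need for additional, extended or adhoc deployments.
# See #595 for more details and traefik/tests/values/extra.yaml for example.
extraObjects: []
# -- This field overrides the default Release Namespace for Helm.
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
namespaceOverride: ""
# -- This field overrides the default app.kubernetes.io/instance label for all Objects.
instanceLabelOverride: ""
# -- This field overrides the default version extracted from image.tag. Required when pinning by `image.digest`, since the version cannot be derived from a digest.
versionOverride: ""
# -- overrides the app.kubernetes.io/name label
nameOverride: ""
# -- Overrides the resource name for templates (i.e deployment, service, etc..)
fullnameOverride: ""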
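# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
# NOTE(review): the nesting in this stanza was reconstructed from a listing
# whose indentation was lost; confirm it against the chart's own values.yaml.
# NOTE(review): passwords, tokens, client secrets and API keys set anywhere in
# this stanza are plain-text chart values. They are stored with the Helm
# release and sit in any values file that sets them, so supply them at deploy
# time from a secret store instead of committing them.
hub:  # @schema additionalProperties: false
  # The license token is referenced by Secret name, not written here.
  # -- Name of `Secret` with key 'token' set to a valid license token.
  # It enables API Gateway.
  token: ""
  # -- Mount path for token secret.
  tokenMountPath: "/etc/secrets"
  # -- Disables all external network connections.
  offline:  # @schema type:[boolean, null]
  # -- By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
  namespaces: []  # @schema required:true
  apimanagement:
    # -- Set to true in order to enable API Management. Requires a valid license token.
    enabled: false
    admission:
      # NOTE(review): the documented default binds every pod interface; only
      # the API server needs to reach this port, so consider a NetworkPolicy.
      # -- WebHook admission server listen address. Default: "0.0.0.0:9943".
      listenAddr: ""
      # -- Certificate name of the WebHook admission server. Default: "hub-agent-cert".
      secretName: "hub-agent-cert"
      # -- By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details.
      selfManagedCertificate: false
      # NOTE(review): base64 is an encoding, not encryption; a _tls.key_ set
      # here is a private key in plain-text values.
      # -- Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding.
      customWebhookCertificate: {}
      # -- Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update.
      restartOnCertificateChange: true
      # -- Set custom annotations.
      annotations: {}
    openApi:
      # NOTE(review): the default (false) does not restrict requests to the
      # paths and methods declared in the specification.
      # -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
      validateRequestMethodAndPath: false
  mcpgateway:
    # -- Set to true in order to enable AI MCP Gateway. Requires a valid license token.
    enabled: false
    # Raise this only as far as the largest legitimate payload requires.
    # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
    maxRequestBodySize:  # @schema type:[integer, null]; minimum:0
  aigateway:
    # -- Set to true in order to enable AI Gateway. Requires a valid license token.
    enabled: false
    # Raise this only as far as the largest legitimate payload requires.
    # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
    maxRequestBodySize:  # @schema type:[integer, null]; minimum:0
  providers:
    consulCatalogEnterprise:
      # -- Enable Consul Catalog Enterprise backend with default settings.
      enabled: false
      # -- Use local agent caching for catalog reads.
      cache: false
      # -- Enable Consul Connect support.
      connectAware: false
      # -- Consider every service as Connect capable by default.
      connectByDefault: false
      # -- Constraints is an expression that Traefik matches against the container's labels
      constraints: ""
      # -- Default rule.
      defaultRule: "Host(`{{ normalize .Name }}`)"
      endpoint:
        # -- The address of the Consul server
        address: ""
        # -- Data center to use. If not provided, the default agent data center is used
        datacenter: ""
        # -- WaitTime limits how long a Watch will block. If not provided, the agent default values will be used
        endpointWaitTime:  # @schema type:[integer, null]
        httpauth:
          # -- Basic Auth password
          password: ""
          # -- Basic Auth username
          username: ""
        # Basic Auth and the ACL token are only protected in transit when the
        # scheme is https.
        # -- The URI scheme for the Consul server
        scheme: ""
        tls:
          # -- TLS CA
          ca: ""
          # -- TLS cert
          cert: ""
          # Keep false: true disables certificate verification for the Consul
          # connection.
          # -- TLS insecure skip verify
          insecureSkipVerify: false
          # -- TLS key
          key: ""
        # -- Token is used to provide a per-request ACL token which overrides the agent's default token
        token: ""
      # NOTE(review): with true, every service found in the catalog is routed
      # unless it opts out; false together with `constraints` makes exposure
      # opt-in.
      # -- Expose containers by default.
      exposedByDefault: true
      # -- Sets the namespaces used to discover services (Consul Enterprise only).
      namespaces: ""
      # -- Sets the partition used to discover services (Consul Enterprise only).
      partition: ""
      # -- Prefix for consul service tags.
      prefix: "traefik"
      # -- Interval for checking Consul API.
      refreshInterval: 15
      # -- Forces the read to be fully consistent.
      requireConsistent: false
      # -- Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually)
      serviceName: "traefik"
      # -- Use stale consistency for catalog reads.
      stale: false
      # -- A list of service health statuses to allow taking traffic.
      strictChecks: "passing, warning"
      # -- Watch Consul API events.
      watch: false
    microcks:
      # -- Enable Microcks provider.
      enabled: false
      auth:
        # -- Microcks API client ID.
        clientId: ""
        # -- Microcks API client secret.
        clientSecret: ""
        # -- Microcks API endpoint.
        endpoint: ""
        # -- Microcks API token.
        token: ""
      # -- Microcks API endpoint.
      endpoint: ""
      # -- Polling interval for Microcks API.
      pollInterval: 30
      # -- Polling timeout for Microcks API.
      pollTimeout: 5
      tls:
        # -- TLS CA
        ca: ""
        # -- TLS cert
        cert: ""
        # Keep false: true disables certificate verification for the Microcks
        # connection.
        # -- TLS insecure skip verify
        insecureSkipVerify: false
        # -- TLS key
        key: ""
    multicluster:
      # -- Enable Multi-cluster provider.
      enabled: false
      # -- Polling interval for Multi-cluster.
      pollInterval: 5
      # -- Polling timeout for Multi-cluster.
      pollTimeout: 5
      # @schema mergeProperties: true
      # -- Child cluster configurations, keyed by a unique name.
      # @default -- {}
      children:
        # @schema additionalProperties: false
        cluster-1:
          # -- URL of the child cluster's uplink entrypoint.
          address: ""
          # -- TLS and transport configuration for connecting to this child.
          # @default -- {}
          serversTransport:
            # Leave unset or false; the link to a child cluster crosses a
            # cluster boundary and should be verified.
            # @schema type:[boolean, null]
            # -- Disable TLS certificate verification. **Not recommended for production.**
            # @default -- false
            insecureSkipVerify:
            # -- Server name used for SNI and certificate verification.
            serverName: ""
            rootCAs: []
            certificates: []
            # @schema type:[integer, null]
            # -- Maximum idle connections per host.
            # @default -- 200
            maxIdleConnsPerHost:
            # @schema type:[boolean, null]
            # -- Disable HTTP/2 for connections to this child.
            # @default -- false
            disableHTTP2:
            # -- Minimum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
            minVersion: ""
            # -- Maximum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
            maxVersion: ""
            # -- List of supported cipher suites for TLS versions up to 1.2.
            cipherSuites: []
            # -- URI used to match against SAN URIs during the server's certificate verification.
            peerCertURI: ""
            forwardingTimeouts:
              # @schema type:[string, integer, null]
              # -- Timeout for establishing connections.
              # @default -- 30s
              dialTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for reading response headers.
              # @default -- 0s
              responseHeaderTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for idle connections.
              # @default -- 90s
              idleConnTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for HTTP/2 server ping frames.
              # @default -- 15s
              pingTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for HTTP/2 connection idle reads.
              # @default -- 0s
              readIdleTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for reading the request body.
              # @default -- 0s
              readTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for writing the response.
              # @default -- 0s
              writeTimeout:
            spiffe:
              ids: []
              # @schema type:[string, integer, null]
              # -- SPIFFE trust domain.
              trustDomain: ""
    # @schema additionalProperties: false
    nutanixPrismCentral:
      # -- Enable Nutanix Prism Central provider.
      enabled: false
      # -- Prism Central endpoint.
      endpoint: ""
      # -- Prism Central username.
      username: ""
      # -- Prism Central password.
      password: ""
      # -- Prism Central API key.
      apiKey: ""
      # -- Base configuration file path.
      filename: ""
      # -- Polling interval for Nutanix Prism Central API.
      pollInterval: 30
      # -- Polling timeout for Nutanix Prism Central API.
      pollTimeout: 5
      # -- Category key used to derive the service name.
      serviceNameCategoryKey: "TraefikServiceName"
      # -- Filter VMs by VPCs. List of `{ uuid: "<vpc-uuid>" }` entries.
      allowedVpcs: []
      tls:
        # -- TLS CA
        ca: ""
        # -- TLS cert
        cert: ""
        # -- TLS key
        key: ""
        # Keep false: true disables certificate verification for the Prism
        # Central connection.
        # -- TLS insecure skip verify
        insecureSkipVerify: false
  redis:
    # -- Enable Redis Cluster. Default: true.
    cluster:  # @schema type:[boolean, null]
    # -- Database used to store information. Default: "0".
    database:  # @schema type:[string, null]
    # -- Endpoints of the Redis instances to connect to. Default: "".
    endpoints: ""
    # -- The username to use when connecting to Redis endpoints. Default: "".
    username: ""
    # -- The password to use when connecting to Redis endpoints. Default: "".
    password: ""
    sentinel:
      # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
      masterset: ""
      # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
      username: ""
      # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
      password: ""
    # -- Timeout applied on connection with redis. Default: "0s".
    timeout: ""
    # NOTE(review): no TLS material is set by default; when Redis is reached
    # over a network that is not fully trusted, set ca/cert/key so the
    # credentials above are not sent in clear (confirm how the chart enables
    # TLS for this connection).
    tls:
      # -- Path to the certificate authority used for the secured connection.
      ca: ""
      # -- Path to the public certificate used for the secure connection.
      cert: ""
      # -- Path to the private key used for the secure connection.
      key: ""
      # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
      insecureSkipVerify: false
  # NOTE(review): per the documented default, error logs are exported to the
  # platform unless this is set to false; check that against data-handling
  # requirements for log content.
  # Enable export of error logs to the platform. Default: true.
  sendlogs:  # @schema type:[boolean, null]
  tracing:
    additionalTraceHeaders:
      # -- Tracing headers to duplicate.
      # To configure the following, tracing.otlp.enabled needs to be set to true.
      # @default -- See below
      enabled: false
      traceContext:
        # -- Name of the header that will contain the parent-id header copy.
        parentId: ""
        # -- Name of the header that will contain the trace-id copy.
        traceId: ""
        # -- Name of the header that will contain the traceparent copy.
        traceParent: ""
        # -- Name of the header that will contain the tracestate copy.
        traceState: ""
  # Define private plugin sources
  pluginRegistry:
    sources: {}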
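# -- Required for OCI Marketplace integration.
# See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm
# @default -- See _values.yaml_
oci_meta:
  # -- Enable specific values for Oracle Cloud Infrastructure
  enabled: false
  # NOTE(review): `cgr.dev` does not look like an OCIR host; this only matters
  # if `enabled` is set to true.
  # -- It needs to be an ocir repo
  repo: cgr.dev
  # In `latest@sha256:...` the digest is what pins the image content; the
  # `latest` part is informational and can drift from the pinned image.
  # Both entries below reference the same image and digest.
  images:
    proxy:
      image: chainguard-private/traefik
      tag: latest@sha256:04967295ecef8cee1269d17455b459cd3e4c999d8d62f3aa09f536c2b1cdf7bd
    hub:
      image: chainguard-private/traefik
      tag: latest@sha256:04967295ecef8cee1269d17455b459cd3e4c999d8d62f3aa09f536c2b1cdf7bd
# -- Required for IBM Cloud Marketplace integration.
# Injected by IBM Cloud Catalog when deploying via IBM Cloud Schematics. This value is not used by the chart.
offering_version: ""  # @schema type:[string, null]
# -- Allow the Helm chart to be used as optional subchart.
enabled: true  # @schema type:boolean; const:true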