
traefik

Helm chart
1
# Default values for Traefik
2
# This is a YAML-formatted file.
3
# Declare variables to be passed into templates
4
5
image:  # @schema additionalProperties: false
  # -- Registry host the Traefik image is pulled from
  registry: cgr.dev
  # -- Repository path of the Traefik image inside the registry
  repository: chainguard-private/traefik
  # -- Image tag; defaults to appVersion. The chart also uses it for version checking, including tags prefixed with experimental- or latest-.
  # A `<version>@<digest>` combo is accepted here: the digest is then what Kubernetes verifies, while the version part is informational only and can drift from the underlying image.
  # To pin by digest, prefer `image.digest`.
  # NOTE(review): the `latest` part of this default carries no version number; confirm how the chart's version checks resolve it (see `versionOverride`).
  tag: 'latest@sha256:a1d046ceb7669fc10bb53d509b21a4f8835e69db8b510195de29fa582aa5f08b'  # @schema type:[string, null]
  # -- Traefik image digest (e.g. `sha256:abc...`). Takes precedence over `tag` when set.
  # Set `versionOverride` alongside it, because the chart's version-checking logic cannot derive the version from a digest.
  digest: null  # @schema type:[string, null]; pattern:^sha256:[a-f0-9]{64}$
  # -- Pull policy for the Traefik image
  pullPolicy: IfNotPresent
17
# -- Add additional label to all resources
18
commonLabels: {}
19
deployment:
20
# -- Enable deployment
21
enabled: true
22
# -- Deployment or DaemonSet
23
kind: Deployment
24
# -- Number of pods of the deployment (only applies when kind == Deployment)
25
replicas: 1
26
# -- Number of old revisions to retain to allow rollback (if not set, the Kubernetes default of 10 applies)
27
revisionHistoryLimit: # @schema type:[integer, null];minimum:0
28
# -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
29
terminationGracePeriodSeconds: 60
30
# -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
31
minReadySeconds: 0
32
## -- Override the liveness/readiness port. This is useful to integrate traefik
33
## with an external Load Balancer that performs healthchecks.
34
## Default: ports.traefik.port
35
healthchecksPort: # @schema type:[integer, null];minimum:0
36
## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
37
## Default: ports.traefik.hostIP if set, otherwise Pod IP
38
healthchecksHost: ""
39
## -- Override the liveness/readiness scheme. Useful for getting ping to
40
## respond on websecure entryPoint.
41
healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
42
## -- Override the readiness path.
43
## Default: /ping
44
readinessPath: ""
45
# -- Override the liveness path.
46
# Default: /ping
47
livenessPath: ""
48
# -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
49
annotations: {}
50
# -- Additional deployment labels (e.g. for filtering deployment by custom labels)
51
labels: {}
52
# -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
53
# It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
54
podAnnotations: {}
55
# -- Additional Pod labels (e.g. for filtering Pod by custom labels)
56
# It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
57
podLabels: {}
58
# -- Additional containers (e.g. for metric offloading sidecars)
59
additionalContainers: []
60
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
61
# - name: socat-proxy
62
# image: alpine/socat:1.0.5
63
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
64
# volumeMounts:
65
# - name: dsdsocket
66
# mountPath: /socket
67
# -- Additional volumes available for use with initContainers and additionalContainers
68
additionalVolumes: []
69
# - name: dsdsocket
70
# hostPath:
71
# path: /var/run/statsd-exporter
72
# -- Additional initContainers (e.g. for setting file permission as shown below)
73
initContainers: []
74
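# The "volume-permissions" init container is required if you run into permission issues.
# When adapting the example below, pin the init container image to a fixed version or digest instead of `latest`.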
75
# Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
76
# - name: volume-permissions
77
# image: busybox:latest
78
# command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
79
# volumeMounts:
80
# - name: data
81
# mountPath: /data
82
# -- Use process namespace sharing
83
shareProcessNamespace: false
84
# @schema type: [boolean, null]
85
# -- Whether to use the host user namespace. Setting this to false enables user namespaces,
86
# which can improve security by isolating the pod's users from the host.
87
# See https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
88
# @default -- unset (inherits cluster default)
89
hostUsers:
90
# -- Custom pod DNS policy. Apply if `hostNetwork: true`
91
dnsPolicy: ""
92
# -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
93
dnsConfig: {}
94
# -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
95
hostAliases: []
96
# -- Pull secret for fetching traefik container image
97
imagePullSecrets: []
98
# -- Pod lifecycle actions
99
lifecycle: {}
100
# preStop:
101
# sleep:
102
# seconds: 20
103
# postStart:
104
# httpGet:
105
# path: /ping
106
# port: 8080
107
# host: localhost
108
# scheme: HTTP
109
# -- Set a runtimeClassName on pod
110
runtimeClassName: ""
111
# -- Percentage of memory limit to set for GOMEMLIMIT, set as decimal (0.9 = 90%, 0.95 = 95% etc). Only takes effect when resources.limits.memory is set. Set to 0 to disable (e.g. when using VPA or setting it via env)
112
goMemLimitPercentage: 0.9
113
# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
114
# @default -- See _values.yaml_
115
podDisruptionBudget: # @schema additionalProperties: false
116
enabled: false
117
maxUnavailable: # @schema type:[string, integer, null];minimum:0
118
minAvailable: # @schema type:[string, integer, null];minimum:0
119
ingressClass: # @schema additionalProperties: false
120
# -- Create a default IngressClass for Traefik
121
enabled: true
122
isDefaultClass: true
123
name: ""
124
core: # @schema additionalProperties: false
125
# -- Can be used to apply the v2 router syntax globally. Deprecated since v3.4 /!\.
126
# See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
127
defaultRuleSyntax: ""
128
# Experimental Traefik features (all disabled by default)
experimental:
  # -- When true, Traefik refuses to start unless every plugin loads successfully
  abortOnPluginFailure: false
  fastProxy:
    # -- Turn on the FastProxy implementation.
    enabled: false
    # -- Turn on debug mode for the FastProxy implementation.
    debug: false
  kubernetesGateway:
    # -- Enable traefik experimental GatewayClass CRD
    enabled: false
  # -- Experimental plugins to enable.
  # Each entry is third-party code that runs inside Traefik, so review it and declare an explicit version for it.
  plugins: {}
  # -- Experimental local plugins to enable
  localPlugins: {}
  # -- Turn on the experimental OTLP logging feature.
  otlpLogs: false
  # -- Turn on the experimental Knative provider feature.
  knative: false
148
gateway:
149
# -- When providers.kubernetesGateway.enabled, deploy a default gateway
150
enabled: true
151
# -- Set a custom name to gateway
152
name: ""
153
# -- By default, Gateway is created in the same `Namespace` as Traefik.
154
namespace: ""
155
# -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
156
annotations: {}
157
# -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
158
infrastructure: {}
159
# -- Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways)
160
# by setting the `defaultScope` field (e.g. `All` or `Namespace`).
161
defaultScope: null # @schema enum:["All", "None", null]; type:[string, null]; default: null
162
listeners:
163
web:
164
# -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
165
# The port must match a port declared in ports section.
166
port: 8000
167
# -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
168
hostname: ""
169
# Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
170
protocol: HTTP
171
# -- (object) Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
172
namespacePolicy: # @schema type:[object, null]
173
# websecure listener is disabled by default because certificateRefs needs to be added,
174
# or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
175
# websecure:
176
# # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
177
# # The port must match a port declared in ports section.
178
# port: 8443
179
# # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
180
# hostname:
181
# # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
182
# protocol: HTTPS
183
# # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
184
# namespacePolicy:
185
# # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
186
# certificateRefs:
187
# # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
188
# mode:
189
gatewayClass: # @schema additionalProperties: false
190
# -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
191
enabled: true
192
# -- Set a custom name to GatewayClass
193
name: ""
194
# -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
195
labels: {}
196
api:  # @schema additionalProperties: false
  # -- Enable the dashboard
  dashboard: true
  # -- Custom dashboard name (v3.7+).
  dashboardName: ''  # @schema type:[string, null]
  # -- Disable the advertisement shown in the dashboard.
  disableDashboardAd: null  # @schema type:[boolean, null]
  # -- Enable the insecure API (HTTP).
  # In insecure mode the API and dashboard are served directly on the `traefik` entryPoint without authentication; leave unset outside local testing.
  insecure: null  # @schema type:[boolean, null]
  # -- Enable the debug API.
  # It adds debugging and profiling endpoints to the API; leave unset unless actively troubleshooting.
  debug: null  # @schema type:[boolean, null]
  # -- Base path of the API
  basePath: ''  # @schema type:[string, null]; default: "/"
209
# -- Only the dashboard and healthcheck IngressRoutes are supported.
# It's recommended to create the custom resources for workloads outside of this Chart.
# @default -- See _values.yaml_
ingressRoute:
  dashboard:
    # -- Create an IngressRoute that serves the dashboard
    enabled: false
    # -- Extra annotations for the IngressRoute (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Extra labels for the IngressRoute (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- Router match rule of the dashboard IngressRoute
    matchRule: 'PathPrefix(`/dashboard`) || PathPrefix(`/api`)'
    # -- Internal service the dashboard IngressRoute points to
    # @default -- api@internal
    services:
      - name: api@internal
        kind: TraefikService
    # -- EntryPoints the dashboard IngressRoute may use (e.g. traefik, web, websecure).
    # The default is the `traefik` entryPoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    # Before adding an exposed entryPoint here, attach an authentication middleware in `middlewares` and configure `tls`.
    entryPoints:
      - traefik
    # -- Extra middlewares for the IngressRoute (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}
  healthcheck:
    # -- Create an IngressRoute that serves the healthcheck probe
    enabled: false
    # -- Extra annotations for the IngressRoute (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Extra labels for the IngressRoute (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- Router match rule of the healthcheck IngressRoute
    matchRule: 'PathPrefix(`/ping`)'
    # -- Internal service the healthcheck IngressRoute points to
    # @default -- ping@internal
    services:
      - name: ping@internal
        kind: TraefikService
    # -- EntryPoints the healthcheck IngressRoute may use (e.g. traefik, web, websecure).
    # The default is the `traefik` entryPoint, which is not exposed.
    entryPoints:
      - traefik
    # -- Extra middlewares for the IngressRoute (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}
256
updateStrategy: # @schema additionalProperties: false
257
# -- Customize updateStrategy of Deployment or DaemonSet
258
type: RollingUpdate
259
rollingUpdate:
260
maxUnavailable: 0 # @schema type:[integer, string, null]
261
maxSurge: 1 # @schema type:[integer, string, null]
262
readinessProbe: # @schema additionalProperties: false
263
# -- The number of consecutive failures allowed before considering the probe as failed.
264
failureThreshold: 1
265
# -- The number of seconds to wait before starting the first probe.
266
initialDelaySeconds: 2
267
# -- The number of seconds to wait between consecutive probes.
268
periodSeconds: 10
269
# -- The minimum consecutive successes required to consider the probe successful.
270
successThreshold: 1
271
# -- The number of seconds to wait for a probe response before considering it as failed.
272
timeoutSeconds: 2
273
livenessProbe: # @schema additionalProperties: false
274
# -- The number of consecutive failures allowed before considering the probe as failed.
275
failureThreshold: 3
276
# -- The number of seconds to wait before starting the first probe.
277
initialDelaySeconds: 2
278
# -- The number of seconds to wait between consecutive probes.
279
periodSeconds: 10
280
# -- The minimum consecutive successes required to consider the probe successful.
281
successThreshold: 1
282
# -- The number of seconds to wait for a probe response before considering it as failed.
283
timeoutSeconds: 2
284
# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
285
startupProbe: {}
286
# @schema additionalProperties: false
287
providers:
288
# -- Defines the routing precedence between providers. See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/#routing-precedence) for the default order.
289
precedence: []
290
# @schema additionalProperties: false
291
kubernetesCRD:
292
# -- Load Kubernetes IngressRoute provider
293
enabled: true
294
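# -- Allows IngressRoute to reference resources in namespaces other than their own. Keep this off in multi-tenant clusters, where it would let routes in one namespace use Services, Middlewares or TLS options that belong to another.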
295
allowCrossNamespace: false
296
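# -- Allows IngressRoute to reference ExternalName services. Off by default, because an ExternalName service can direct traffic to an arbitrary DNS name chosen by whoever creates the Service.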
297
allowExternalNameServices: false
298
# -- Allows to return 503 when there are no endpoints available
299
allowEmptyServices: true
300
# -- List of namespaces from which IngressRoute, IngressRouteTCP, IngressRouteUDP, and TraefikService are allowed to declare cross-provider references. Requires traefik v3.7.1+.
301
crossProviderNamespaces: []
302
# -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
303
ingressClass: ""
304
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector)
305
labelSelector: ""
306
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it watches the Helm release namespace and the namespaces listed in this array.
307
namespaces: []
308
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
309
nativeLBByDefault: false
310
# @schema additionalProperties: false
311
kubernetesIngress:
312
# -- Load Kubernetes Ingress provider
313
enabled: true
314
# -- Allows Ingress to reference ExternalName services
315
allowExternalNameServices: false
316
# -- Allows to return 503 when there are no endpoints available
317
allowEmptyServices: true
318
# -- List of namespaces from which Ingresses or Services are allowed to declare Middlewares, TLSOptions, or ServersTransport references. Requires traefik v3.7.1+.
319
crossProviderNamespaces: []
320
# -- Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup)
321
disableIngressClassLookup: false
322
# -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
323
ingressClass: # @schema type:[string, null]
324
labelSelector: # @schema type:[string, null]
325
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it watches the Helm release namespace and the namespaces listed in this array.
326
namespaces: []
327
# IP used for Kubernetes Ingress endpoints
328
publishedService:
329
# -- Enable [publishedService](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#ingressendpointpublishedservice),
330
# usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
331
enabled: true
332
# -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
333
# Defaults to the Service deployed with this Chart.
334
pathOverride: ""
335
# @schema additionalProperties: false
336
ingressEndpoint:
337
# -- Hostname used for Kubernetes Ingress endpoints
338
hostname: "" # @schema type:[string, null]
339
# -- IP used for Kubernetes Ingress endpoints
340
ip: "" # @schema type:[string, null]
341
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
342
nativeLBByDefault: false
343
# -- Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification.
344
strictPrefixMatching: false
345
# @schema additionalProperties: false
346
kubernetesGateway:
347
# -- Enable Traefik Gateway provider for Gateway API
348
enabled: false
349
# -- List of namespaces from which Gateway API routes are allowed to declare TraefikService backendRef references. Requires traefik v3.7.1+.
350
crossProviderNamespaces: []
351
# -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
352
# This option currently enables support for TCPRoute and TLSRoute.
353
experimentalChannel: false
354
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. kubernetesGateway provider requires ClusterRole and as a consequence `rbac.namespaced` is not supported.
355
namespaces: []
356
# -- A label selector can be defined to filter on specific GatewayClass objects only.
357
labelSelector: ""
358
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
359
nativeLBByDefault: false
360
statusAddress:
361
# -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
362
ip: ""
363
# -- This Hostname will get copied to the Gateway status.addresses.
364
hostname: ""
365
service:
366
# -- The Kubernetes service to copy status addresses from. When using third-party tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Defaults to the Service of this Chart.
367
enabled: true
368
name: ""
369
namespace: ""
370
# @schema additionalProperties: false
371
file:
372
# -- Create a file provider
373
enabled: false
374
# -- Allows Traefik to automatically watch for file changes
375
watch: true
376
# -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/reference/install-configuration/providers/others/file/)
377
content: ""
378
# @schema additionalProperties: false
379
kubernetesIngressNGINX:
380
# -- Enable Kubernetes Ingress NGINX provider
381
enabled: false
382
# -- Ingress Class Controller value this controller satisfies
383
controllerClass: "k8s.io/ingress-nginx"
384
# -- Name of the ingress class this controller satisfies
385
ingressClass: "nginx"
386
# -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
387
ingressClassByName: false
388
# -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
389
watchIngressWithoutClass: false
390
# -- Single namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector.
391
watchNamespace: ""
392
# -- Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace.
393
watchNamespaceSelector: ""
394
publishService:
395
# -- Service fronting the Ingress controller. Takes the form 'namespace/name'
396
enabled: false
397
pathOverride: ""
398
# -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies
399
publishStatusAddress: ""
400
# -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
401
defaultBackendService: ""
402
# -- Disable support for Services of type ExternalName
403
disableSvcExternalName: false
404
# -- Ingress refresh throttle duration
405
throttleDuration: ""
406
# -- Kubernetes certificate authority file path (not needed for in-cluster client)
407
certAuthFilePath: ""
408
# -- Kubernetes server endpoint (required for external cluster client)
409
endpoint: ""
410
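# -- Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. Prefer the file-path form pointing at a mounted Secret, so that the token itself is not stored in the values file or in the Helm release data.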
411
token: ""
412
# -- Defines whether to enable request buffering (default: false)
413
proxyRequestBuffering: null # @schema type:[boolean, null]
414
# -- Default buffer size for reading client request body in bytes (default: 16384)
415
clientBodyBufferSize: # @schema type:[integer, null]
416
# -- Default maximum size of a client request body in bytes (default: 1048576)
417
proxyBodySize: # @schema type:[integer, null]
418
# -- Defines whether to enable response buffering (default: false)
419
proxyBuffering: null # @schema type:[boolean, null]
420
# -- Default buffer size for reading the response body in bytes (default: 8192)
421
proxyBufferSize: # @schema type:[integer, null]
422
# -- Default number of buffers for reading a response (default: 4)
423
proxyBuffersNumber: # @schema type:[integer, null]
424
# -- Amount of time to wait until a connection to a server can be established. Unitless, in seconds (default: 60)
425
proxyConnectTimeout: # @schema type:[integer, null]
426
# -- Amount of time between two successive read operations. Unitless, in seconds (default: 60)
427
proxyReadTimeout: # @schema type:[integer, null]
428
# -- Amount of time between two successive write operations. Unitless, in seconds (default: 60)
429
proxySendTimeout: # @schema type:[integer, null]
430
# -- Defines in which cases a request should be retried (default: "error timeout")
431
proxyNextUpstream: ""
432
# -- Limits the number of possible tries if the backend server does not reply (default: 3)
433
proxyNextUpstreamTries: # @schema type:[integer, null]
434
# -- Limits the total elapsed time to retry the request. Unitless, in seconds (default: 0)
435
proxyNextUpstreamTimeout: # @schema type:[integer, null]
436
# -- Defines which HTTP status codes should result in calling the default backend to return an error page
437
customHTTPErrors: []
438
# -- Defines the idle timeout for keep-alive connections to upstream servers. Unitless, in seconds (default: 60)
439
upstreamKeepaliveTimeout: # @schema type:[integer, null]
440
# -- Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces (default: false)
441
allowCrossNamespaceResources: null # @schema type:[boolean, null]
442
# -- List of allowed response headers inside the custom headers annotations
443
globalAllowedResponseHeaders: []
444
# -- URL to the service that provides authentication for all the locations. Per ingress auth-url annotation has precedence over this option.
445
globalAuthUrl: ""
446
# -- When set, the strategy is applied to every generated IPAllowList middleware.
447
# @default -- See below
448
ipAllowListStrategy:
449
# -- Number of trusted proxy hops to skip when extracting the client IP from the X-Forwarded-For header. 0 disables depth-based extraction. (default: 0)
450
depth: 0
451
# -- List of IPs to exclude when scanning the X-Forwarded-For header to find the client IP.
452
excludedIPS: []
453
# -- IPv6 subnet size used to group IPv6 addresses when checking the allow list. 0 disables subnet grouping.
454
ipv6Subnet: 0
455
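# -- Enables parsing and adding -snippet annotations/directives (default: false). Keep this off unless everyone allowed to create Ingress objects is trusted, since snippet annotations carry raw configuration directives.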
456
allowSnippetAnnotations: null # @schema type:[boolean, null]
457
# -- Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact (default: true)
458
strictValidatePathType: null # @schema type:[boolean, null]
459
# -- Defines the EntryPoint to use for HTTP requests
460
httpEntryPoint: "web"
461
# -- Defines the EntryPoint to use for HTTPS requests
462
httpsEntryPoint: "websecure"
463
# @schema additionalProperties: false
464
modsec:
465
# -- Enable ModSec engine. Requires Traefik Hub >= v3.20.0-ea.8.
466
enabled: false
467
# -- Enable OWASP Core Rules.
468
owaspCoreRules: false
469
# -- Custom ModSec rules snippet.
470
snippet: ""
471
# @schema additionalProperties: false
472
knative:
473
# -- Enable Knative provider
474
enabled: false
475
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it watches the Helm release namespace and the namespaces listed in this array.
476
namespaces: []
477
# -- Allow filtering Knative Ingress objects
478
labelSelector: ""
479
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
480
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
481
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
482
# `additionalArguments:
483
# - "--providers.file.filename=/config/dynamic.toml"
484
# - "--ping"
485
# - "--ping.entrypoint=web"`
486
volumes: []
487
# - name: public-cert
488
# mountPath: "/certs"
489
# type: secret
490
# - name: '{{ printf "%s-configs" .Release.Name }}'
491
# mountPath: "/config"
492
# type: configMap
493
494
# -- Additional volumeMounts to add to the Traefik container
495
additionalVolumeMounts: []
496
# -- For instance when using a logshipper for access logs
497
# - name: traefik-logs
498
# mountPath: /var/log/traefik
499
500
logs:
501
general:
502
# -- Set [logs format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-log-format)
503
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
504
# By default, the level is set to INFO.
505
# -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
506
level: "INFO" # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
507
# -- To write the logs into a log file, use the filePath option.
508
filePath: ""
509
# -- When set to true and format is common, it disables the colorized output.
510
noColor: false
511
otlp:
512
# -- Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled.
513
enabled: false
514
# -- Service name used in OTLP backend. Default: traefik.
515
serviceName: # @schema type:[string, null]
516
http:
517
# -- Set to true in order to send logs to the OpenTelemetry Collector using HTTP.
518
enabled: false
519
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
520
endpoint: ""
521
# -- Additional headers sent with logs by the reporter to the OpenTelemetry Collector.
522
headers: {}
523
## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
524
tls:
525
# -- The path to the certificate authority, it defaults to the system bundle.
526
ca: ""
527
# -- The path to the public certificate. When using this option, setting the key option is required.
528
cert: ""
529
# -- The path to the private key. When using this option, setting the cert option is required.
530
key: ""
531
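# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. This turns off server authentication for the collector connection, so leave it unset outside of testing.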
532
insecureSkipVerify: # @schema type:[boolean, null]
533
grpc:
534
# -- Set to true in order to send logs to the OpenTelemetry Collector using gRPC
535
enabled: false
536
# -- Format: <host>:<port>. Default: "localhost:4317"
537
endpoint: ""
538
# -- Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol.
539
insecure: false
540
## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
541
tls:
542
# -- The path to the certificate authority, it defaults to the system bundle.
543
ca: ""
544
# -- The path to the public certificate. When using this option, setting the key option is required.
545
cert: ""
546
# -- The path to the private key. When using this option, setting the cert option is required.
547
key: ""
548
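# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. This turns off server authentication for the collector connection, so leave it unset outside of testing.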
549
insecureSkipVerify: # @schema type:[boolean, null]
550
# -- Defines additional resource attributes to be sent to the collector.
551
resourceAttributes: {}
552
access:
553
# -- To enable access logs
554
enabled: false
555
# -- Set [access log format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-format)
556
format: # @schema enum:["common", "genericCLF", "json", null]; type:[string, null]; default: "common"
557
# filePath: "/var/log/traefik/access.log"
558
# -- Set [bufferingSize](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-bufferingSize)
559
bufferingSize: # @schema type:[integer, null]
560
# -- Set [timezone](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#time-zones)
561
timezone: ""
562
# -- Set [filtering](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#access-log-filters)
563
# @default -- See below
564
filters: # @schema additionalProperties: false
565
# -- Set statusCodes, to limit the access logs to requests with status codes in the specified range
566
statuscodes: ""
567
# -- Set retryAttempts, to keep the access logs when at least one retry has happened
568
retryattempts: false
569
# -- Set minDuration, to keep access logs when requests take longer than the specified duration
570
minduration: ""
571
# -- Enables accessLogs for internal resources. Default: false.
572
addInternals: false
573
# -- Enables access log output alongside OTLP (v3.7+).
574
dualOutput: false
575
fields:
576
general:
577
# -- Set default mode for fields.names
578
defaultmode: keep # @schema enum:[keep, drop, redact]; default: keep
579
# -- Names of the fields to limit.
580
names: {}
581
headers:
582
# -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#log-fields-customization)
583
defaultmode: drop # @schema enum:[keep, drop, redact]; default: drop
584
names: {}
585
otlp:
586
# -- Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled.
587
enabled: false
588
# -- Service name used in OTLP backend. Default: traefik.
589
serviceName: # @schema type:[string, null]
590
http:
591
# -- Set to true in order to send access logs to the OpenTelemetry Collector using HTTP.
592
enabled: false
593
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
594
endpoint: ""
595
# -- Additional headers sent with access logs by the reporter to the OpenTelemetry Collector.
596
headers: {}
597
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
598
tls:
599
# -- The path to the certificate authority, it defaults to the system bundle.
600
ca: ""
601
# -- The path to the public certificate. When using this option, setting the key option is required.
602
cert: ""
603
# -- The path to the private key. When using this option, setting the cert option is required.
604
key: ""
605
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
606
insecureSkipVerify: # @schema type:[boolean, null]
607
grpc:
608
# -- Set to true in order to send access logs to the OpenTelemetry Collector using gRPC
609
enabled: false
610
# -- Format: <host>:<port>. Default: "localhost:4317"
611
endpoint: ""
612
# -- Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
613
insecure: false
614
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
615
tls:
616
# -- The path to the certificate authority, it defaults to the system bundle.
617
ca: ""
618
# -- The path to the public certificate. When using this option, setting the key option is required.
619
cert: ""
620
# -- The path to the private key. When using this option, setting the cert option is required.
621
key: ""
622
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
623
insecureSkipVerify: # @schema type:[boolean, null]
624
# -- Defines additional resource attributes to be sent to the collector.
625
resourceAttributes: {}
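metrics:
  # -- Enable metrics for internal resources. Default: false
  addInternals: false

  ## Prometheus is enabled by default.
  ## It can be disabled by setting "prometheus: null"
  prometheus:
    # -- Entry point used to expose metrics.
    entryPoint: metrics
    # -- Enable metrics on entry points. Default: true
    addEntryPointsLabels:  # @schema type:[boolean, null]
    # -- Enable metrics on routers. Default: false
    addRoutersLabels:  # @schema type:[boolean, null]
    # -- Enable metrics on services. Default: true
    addServicesLabels:  # @schema type:[boolean, null]
    # -- Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
    buckets: ""
    # -- When manualRouting is true, it disables the default internal router in
    ## order to allow creating a custom router for prometheus@internal service.
    manualRouting: false
    ## NOTE(security): header values become metric label values, readable by
    ## anyone who can scrape the endpoint. Do not map credential-bearing or
    ## per-user headers, which would also produce unbounded label cardinality.
    # -- Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage.
    headerLabels: {}  # @schema type:[object, null]
    service:
      # -- Create a dedicated metrics service to use with ServiceMonitor
      enabled: false
      labels: {}
      annotations: {}
    # -- When set to true, it won't check if Prometheus Operator CRDs are deployed
    disableAPICheck:  # @schema type:[boolean, null]
    serviceMonitor:
      # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
      enabled: false
      apiVersion: "monitoring.coreos.com/v1"
      metricRelabelings: []
      relabelings: []
      jobLabel: ""
      interval: ""
      honorLabels: false
      scrapeTimeout: ""
      honorTimestamps: false
      enableHttp2: false
      followRedirects: false
      additionalLabels: {}
      namespace: ""
      namespaceSelector: {}
    prometheusRule:
      # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
      enabled: false
      apiVersion: "monitoring.coreos.com/v1"
      additionalLabels: {}
      namespace: ""
  # datadog:
  #   ## Address instructs exporter to send metrics to datadog-agent at this address.
  #   address: "127.0.0.1:8125"
  #   ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
  #   # pushInterval: 30s
  #   ## The prefix to use for metrics collection. Default="traefik"
  #   # prefix: traefik
  #   ## Enable metrics on entry points. Default=true
  #   # addEntryPointsLabels: false
  #   ## Enable metrics on routers. Default=false
  #   # addRoutersLabels: true
  #   ## Enable metrics on services. Default=true
  #   # addServicesLabels: false
  # influxdb2:
  #   ## Address instructs exporter to send metrics to influxdb v2 at this address.
  #   address: localhost:8086
  #   ## Token with which to connect to InfluxDB v2 (`xxx` is a placeholder; do not commit a real token).
  #   token: xxx
  #   ## Organisation where metrics will be stored.
  #   org: ""
  #   ## Bucket where metrics will be stored.
  #   bucket: ""
  #   ## The interval used by the exporter to push metrics to influxdb. Default=10s
  #   # pushInterval: 30s
  #   ## Additional labels (influxdb tags) on all metrics.
  #   # additionalLabels:
  #   #   env: production
  #   #   foo: bar
  #   ## Enable metrics on entry points. Default=true
  #   # addEntryPointsLabels: false
  #   ## Enable metrics on routers. Default=false
  #   # addRoutersLabels: true
  #   ## Enable metrics on services. Default=true
  #   # addServicesLabels: false
  # statsd:
  #   ## Address instructs exporter to send metrics to statsd at this address.
  #   address: localhost:8125
  #   ## The interval used by the exporter to push metrics to statsd. Default=10s
  #   # pushInterval: 30s
  #   ## The prefix to use for metrics collection. Default="traefik"
  #   # prefix: traefik
  #   ## Enable metrics on entry points. Default=true
  #   # addEntryPointsLabels: false
  #   ## Enable metrics on routers. Default=false
  #   # addRoutersLabels: true
  #   ## Enable metrics on services. Default=true
  #   # addServicesLabels: false
  ## NOTE(security): for both exporters below, leave `insecureSkipVerify` unset
  ## (or false) and gRPC `insecure: false`, so the collector's certificate is
  ## verified and metrics are not sent in cleartext. For a private CA, set
  ## `tls.ca` instead of disabling verification.
  otlp:
    # -- Set to true in order to enable the OpenTelemetry metrics
    enabled: false
    # -- Enable metrics on entry points. Default: true
    addEntryPointsLabels:  # @schema type:[boolean, null]
    # -- Enable metrics on routers. Default: false
    addRoutersLabels:  # @schema type:[boolean, null]
    # -- Enable metrics on services. Default: true
    addServicesLabels:  # @schema type:[boolean, null]
    # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
    explicitBoundaries: []
    # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
    pushInterval: ""
    # -- Service name used in OTLP backend. Default: traefik.
    serviceName:  # @schema type:[string, null]
    http:
      # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
      enabled: false
      # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics
      endpoint: ""
      ## NOTE(security): header values here may carry collector credentials;
      ## avoid committing them in a values file.
      # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
      headers: {}
      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        insecureSkipVerify:  # @schema type:[boolean, null]
    grpc:
      # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
      enabled: false
      # -- Format: <host>:<port>. Default: "localhost:4317"
      endpoint: ""
      # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
      insecure: false
      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        insecureSkipVerify:  # @schema type:[boolean, null]
    # -- Defines additional resource attributes to be sent to the collector.
    resourceAttributes: {}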
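ocsp:
  # -- Enable OCSP stapling support.
  # See https://doc.traefik.io/traefik/reference/install-configuration/tls/ocsp/
  enabled: false
  ## NOTE(security): an override replaces the responder URL taken from the
  ## certificate, so revocation status is then only as trustworthy as the
  ## override target. Point it only at responders you operate or trust.
  # -- Defines the OCSP responder URLs to use instead of the one provided by the certificate.
  responderOverrides: {}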
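## Tracing
# -- https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/
# @default -- See _values.yaml_
tracing:  # @schema additionalProperties: false
  # -- Enables tracing for internal resources. Default: false.
  addInternals: false
  # -- Service name used in selected backend. Default: traefik.
  serviceName:  # @schema type:[string, null]
  # -- Defines additional resource attributes to be sent to the collector.
  resourceAttributes: {}
  ## NOTE(security): captured header values are stored as span attributes in
  ## the tracing backend. Do not list Authorization, Cookie or other
  ## credential-bearing headers in either list.
  # -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
  capturedRequestHeaders: []
  # -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
  capturedResponseHeaders: []
  ## NOTE(security): parameters listed here are exported unredacted; keep
  ## tokens, signatures and session identifiers off this list.
  # -- By default, all query parameters are redacted. Defines the list of query parameters to not redact.
  safeQueryParams: []
  # -- The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0.
  sampleRate:  # @schema type:[number, null]; minimum:0; maximum:1
  ## NOTE(security): for both exporters below, leave `insecureSkipVerify` unset
  ## (or false) and gRPC `insecure: false`, so the collector's certificate is
  ## verified and traces are not sent in cleartext. For a private CA, set
  ## `tls.ca` instead of disabling verification.
  otlp:
    # -- See https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/#configuration-options
    enabled: false
    http:
      # -- Set to true in order to send traces to the OpenTelemetry Collector using HTTP.
      enabled: false
      ## NOTE(review): OTLP/HTTP trace paths are conventionally `/v1/traces`;
      ## confirm the default quoted below against the Traefik tracing reference.
      # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing
      endpoint: ""
      ## NOTE(security): header values here may carry collector credentials;
      ## avoid committing them in a values file.
      # -- Additional headers sent with traces by the reporter to the OpenTelemetry Collector.
      headers: {}
      ## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        insecureSkipVerify:  # @schema type:[boolean, null]
    grpc:
      # -- Set to true in order to send traces to the OpenTelemetry Collector using gRPC
      enabled: false
      # -- Format: <host>:<port>. Default: "localhost:4317"
      endpoint: ""
      # -- Allows reporter to send traces to the OpenTelemetry Collector without using a secured protocol.
      insecure: false
      ## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        insecureSkipVerify:  # @schema type:[boolean, null]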
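global:
  ## NOTE(security): with this on, Traefik periodically contacts an external
  ## endpoint to look for newer releases. Set it to false in egress-restricted
  ## or air-gapped clusters and track releases through your image pipeline.
  checkNewVersion: true
  # -- Please take time to consider whether or not you wish to share anonymous data with us
  # See https://doc.traefik.io/traefik/contributing/data-collection/
  sendAnonymousUsage: false
  ## NOTE(security): when RemoteAddr is not appended, backends see only the
  ## X-Forwarded-For value that arrived with the request. Enable this only if
  ## a trusted upstream proxy already sets that header.
  # -- Disable appending RemoteAddr to X-Forwarded-For header globally (v3.7+).
  notAppendXForwardedFor: false
  # -- Required for Azure Marketplace integration.
  # See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart
  # @default -- See _values.yaml_
  azure:
    enabled: false
    ## NOTE(security): in a `<version>@<digest>` value the digest selects the
    ## image and the leading `latest` is informational. Update the digest
    ## deliberately when moving to a new build.
    images:
      proxy:
        image: chainguard-private/traefik
        tag: latest@sha256:a1d046ceb7669fc10bb53d509b21a4f8835e69db8b510195de29fa582aa5f08b
        registry: cgr.dev
      hub:
        image: chainguard-private/traefik
        tag: latest@sha256:a1d046ceb7669fc10bb53d509b21a4f8835e69db8b510195de29fa582aa5f08b
        registry: cgr.dev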
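## NOTE(review): flags set here go straight to the Traefik binary, so review
## them like any other static-configuration change. `--log.level=DEBUG` in the
## example is meant for troubleshooting, not steady-state production.
# -- Additional arguments to be passed at Traefik's binary
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments: []
#  - "--providers.kubernetesingress.ingressclass=traefik-internal"
#  - "--log.level=DEBUG"

## NOTE(security): reference Secrets (`valueFrom.secretKeyRef` in `env`, or
## `envFrom`) for credentials rather than writing literal values here.
# -- Additional Environment variables to be passed to Traefik's binary
env: []
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
envFrom: []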
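# @schema mergeProperties: true
ports:
  # @schema additionalProperties: false
  traefik:
    port: 8080
    ## NOTE(security): hostPort/hostIP bind this port on the node itself,
    ## outside the Service. Leave both unset unless node-level exposure is
    ## intended.
    # -- Use hostPort if set.
    hostPort:  # @schema type:[integer, null]; minimum:0
    # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
    # means it's listening on all your interfaces and all your IPs. You may want
    # to set this value if you need traefik to listen on specific interface
    # only.
    hostIP:  # @schema type:[string, null]
    # Defines whether the port is exposed if service.type is LoadBalancer or
    # NodePort.
    #
    # -- You SHOULD NOT expose the traefik port on production deployments.
    # If you want to access it from outside your cluster,
    # use `kubectl port-forward` or create a secure ingress
    expose:
      default: false
    # -- The exposed port for this service
    exposedPort: 8080
    # -- The port protocol (TCP/UDP)
    protocol: TCP
    observability:  # @schema additionalProperties: false
      # -- Defines whether a router attached to this EntryPoint produces metrics by default.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Defines whether a router attached to this EntryPoint produces access-logs by default.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Defines whether a router attached to this EntryPoint produces traces by default.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for routers attached to this EntryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  ## NOTE(security): `web` is exposed by default on port 80. Configure
  ## `http.redirections.entryPoint` toward `websecure` if nothing should be
  ## served without TLS.
  web:
    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
    asDefault:  # @schema type: [boolean, null]; default: null
    port: 8000
    # hostPort: 8000
    # containerPort: 8000
    expose:
      default: true
    exposedPort: 80
    ## -- Different target traefik port on the cluster, useful for IP type LB
    targetPort:  # @schema type:[string, integer, null]; minimum:0
    # The port protocol (TCP/UDP)
    protocol: TCP
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
    nodePort:  # @schema type:[integer, null]; minimum:0
    # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
    allowACMEByPass: false
    http:
      redirections:
        # -- Port Redirections
        # Added in 2.2, one can make permanent redirects via entrypoints.
        # Same sets of parameters: to, scheme, permanent and priority.
        # https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example
        entryPoint: {}
    forwardedHeaders:
      ## NOTE(security): X-Forwarded-* headers feed client-IP decisions (allow
      ## lists, rate limits, logs). List only the load balancer or proxy ranges
      ## in `trustedIPs`. `insecure: true` trusts these headers from any client.
      # -- Trust forwarded headers information (X-Forwarded-*).
      trustedIPs: []
      insecure: false
      # -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
      notAppendXForwardedFor: false
    proxyProtocol:
      ## NOTE(security): a PROXY protocol header sets the connection's source
      ## address. Accept it only from the fronting load balancer's ranges and
      ## keep `insecure` false.
      # -- Enable the Proxy Protocol header parsing for the entry point
      trustedIPs: []
      insecure: false
    # -- Set transport settings for the entrypoint
    # @default -- nil
    transport:
      respondingTimeouts:
        readTimeout:  # @schema type:[string, integer, null]
        writeTimeout:  # @schema type:[string, integer, null]
        idleTimeout:  # @schema type:[string, integer, null]
      lifeCycle:
        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]
        graceTimeOut:  # @schema type:[string, integer, null]
      keepAliveMaxRequests:  # @schema type:[integer, null]; minimum:0
      keepAliveMaxTime:  # @schema type:[string, integer, null]
    # -- Enable this port as an uplink for multi cluster.
    # ⚠️ This feature is experimental and requires Traefik Hub with a specific subscription.
    uplink:  # @schema type: [boolean, null]; default: null
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  websecure:
    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
    # asDefault: true
    port: 8443
    hostPort:  # @schema type:[integer, null]; minimum:0
    containerPort:  # @schema type:[integer, null]; minimum:0
    expose:
      default: true
    exposedPort: 443
    ## -- Different target traefik port on the cluster, useful for IP type LB
    targetPort:  # @schema type:[string, integer, null]; minimum:0
    ## -- The port protocol (TCP/UDP)
    protocol: TCP
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
    nodePort:  # @schema type:[integer, null]; minimum:0
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
    appProtocol:  # @schema type:[string, null]
    # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
    allowACMEByPass: false
    http:
      ## NOTE(security): each flag relaxes encoded-character filtering. If an
      ## encoded slash, backslash, null byte or similar is accepted, Traefik and
      ## the backend may read the same path differently, so routing or access
      ## rules stop matching what the backend serves. Leave these unset unless
      ## a backend needs a specific character.
      # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
      # @default -- nil
      encodedCharacters:  # @schema additionalProperties: false
        allowEncodedSlash:  # @schema type:[boolean, null]
        allowEncodedBackSlash:  # @schema type:[boolean, null]
        allowEncodedNullCharacter:  # @schema type:[boolean, null]
        allowEncodedSemicolon:  # @schema type:[boolean, null]
        allowEncodedPercent:  # @schema type:[boolean, null]
        allowEncodedQuestionMark:  # @schema type:[boolean, null]
        allowEncodedHash:  # @schema type:[boolean, null]
      # -- Maximum size of request headers in bytes. Default: 1048576 (1 MB)
      maxHeaderBytes:  # @schema type:[integer, null]; minimum:0
      # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares)
      middlewares: []  # @schema type: [array, null]
      ## NOTE(security): path sanitization normalizes the request path before
      ## routing; disabling it reintroduces path-confusion risk. See the linked
      ## page before setting this to false.
      # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization)
      sanitizePath:  # @schema type:[boolean, null]
      tls:
        # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls)
        # @default -- true
        enabled: true
        options: ""
        certResolver: ""
        domains: []
    http3:
      ## -- Enable HTTP/3 on the entrypoint
      ## Enabling it will also enable http3 experimental feature
      ## https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http3
      ## There are known limitations when trying to listen on same ports for
      ## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
      ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
      enabled: false
      advertisedPort:  # @schema type:[integer, null]; minimum:0
    forwardedHeaders:
      ## NOTE(security): X-Forwarded-* headers feed client-IP decisions (allow
      ## lists, rate limits, logs). List only the load balancer or proxy ranges
      ## in `trustedIPs`. `insecure: true` trusts these headers from any client.
      # -- Trust forwarded headers information (X-Forwarded-*).
      trustedIPs: []
      insecure: false
      # -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
      notAppendXForwardedFor: false
    proxyProtocol:
      ## NOTE(security): a PROXY protocol header sets the connection's source
      ## address. Accept it only from the fronting load balancer's ranges and
      ## keep `insecure` false.
      # -- Enable the Proxy Protocol header parsing for the entry point
      trustedIPs: []
      insecure: false
    # @default -- nil
    transport:
      respondingTimeouts:
        readTimeout:  # @schema type:[string, integer, null]
        writeTimeout:  # @schema type:[string, integer, null]
        idleTimeout:  # @schema type:[string, integer, null]
      lifeCycle:
        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]
        graceTimeOut:  # @schema type:[string, integer, null]
      keepAliveMaxRequests:  # @schema type:[integer, null]; minimum:0
      keepAliveMaxTime:  # @schema type:[string, integer, null]
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  metrics:
    # -- When using hostNetwork, use another port to avoid conflict with node exporter:
    # https://github.com/prometheus/prometheus/wiki/Default-port-allocations
    port: 9100
    ## NOTE(security): metrics expose router and service names and traffic
    ## volumes. Keep this port cluster-internal and scrape it in-cluster.
    # -- You may not want to expose the metrics port on production deployments.
    # If you want to access it from outside your cluster,
    # use `kubectl port-forward` or create a secure ingress
    expose:
      default: false
    # -- The exposed port for this service
    exposedPort: 9100
    # -- The port protocol (TCP/UDP)
    protocol: TCP
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal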
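## NOTE(security): TLSOption resources are where the minimum TLS version,
## cipher suites and client-certificate requirements are set. An empty map
## leaves Traefik's built-in TLS defaults in effect.
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsoption/)
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
# See EXAMPLE.md for details.
tlsOptions: {}
# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsstore/).
# This is useful if you want to set a default certificate. See EXAMPLE.md for details.
tlsStore: {}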
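service:
  enabled: true
  # -- Override the default Service name. Useful for adopting an existing Service (e.g., during migration from another ingress controller).
  nameOverride: ""  # @schema type:[string, null]
  ## -- Single service is using `MixedProtocolLBService` feature gate.
  ## -- When set to false, it will create two Service, one for TCP and one for UDP.
  single: true
  # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
  annotations: {}
  # -- Additional annotations for TCP service only
  annotationsTCP: {}
  # -- Additional annotations for UDP service only
  annotationsUDP: {}
  # -- Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  ## NOTE(security): `type: LoadBalancer` publishes every entry point with
  ## `expose.default: true` outside the cluster. Where the provider supports
  ## it, restrict callers with `loadBalancerSourceRanges` here or with
  ## provider annotations. Use an internal load balancer for private ingress.
  # -- Additional entries here will be added to the Service [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#servicespec-v1-core).
  # Cannot contain selector or ports entries.
  spec:
    type: LoadBalancer
  # -- Can be used to create multiple Service.
  # See EXAMPLES.md for more details.
  additionalServices: {}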
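autoscaling:  # @schema additionalProperties: false
  # -- Create HorizontalPodAutoscaler object.
  # See EXAMPLES.md for more details.
  enabled: false
  # -- minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.
  minReplicas:  # @schema type:[integer, null]; minimum:0
  ## NOTE(review): set an explicit upper bound when enabling autoscaling, so a
  ## traffic flood cannot scale the ingress tier without limit.
  # -- maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
  maxReplicas:  # @schema type:[integer, null]; minimum:0
  # -- metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).
  metrics: []
  # -- behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).
  behavior: {}
  # -- scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count.
  # @default -- Traefik Deployment
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: "{{ template \"traefik.fullname\" . }}"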
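persistence:
  ## NOTE(security): when this volume backs
  ## `certificatesResolvers.<name>.acme.storage`, it holds certificate private
  ## keys. Restrict who can mount or snapshot the claim, and prefer an
  ## encrypted storage class.
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
  # It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option
  enabled: false
  name: data
  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  storageClass:  # @schema type:[string, null]
  volumeName: ""
  path: /data
  annotations: {}
  # -- Only mount a subpath of the Volume into the pod
  subPath: ""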
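# -- Certificates resolvers configuration.
# Ref: https://doc.traefik.io/traefik/reference/install-configuration/tls/certificate-resolvers/acme/
# See EXAMPLES.md for more details.
certificatesResolvers: {}
## NOTE(security): with `hostNetwork: true` the pod shares the node's network
## namespace: its ports bind on the node, and node-local listeners become
## reachable from the pod. Keep it false unless the deployment requires it.
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulable pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
hostNetwork: false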
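rbac:  # @schema additionalProperties: false
  # -- Whether Role Based Access Control objects like roles and rolebindings should be created
  enabled: true
  ## NOTE(security): `namespaced: true` replaces the cluster-wide role with
  ## namespace-scoped ones, which narrows what a compromised Traefik pod's
  ## service account can read. Prefer it when the limitations listed below are
  ## acceptable.
  # -- When set to true: <br />
  # 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.<br />
  # 2. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers<br />
  # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. <br />
  # See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-disableClusterScopeResources) for more details.
  namespaced: false
  # -- Enable user-facing roles
  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  aggregateTo: []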
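# -- The service account the pods will use to interact with the Kubernetes API
serviceAccount:  # @schema additionalProperties: false
  ## NOTE(security): a pre-existing account brings its own role bindings.
  ## Check that it carries no permissions beyond what Traefik needs before
  ## naming it here.
  # If set, an existing service account is used
  # If not set, a service account is created automatically using the fullname template
  name: ""
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}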
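## NOTE(review): an empty map means no requests or limits. Set both so a
## traffic spike on the ingress pods cannot starve other workloads on the node.
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources: {}
# -- This example pod anti-affinity forces the scheduler to put traefik pods
# -- on nodes where no other traefik pods are scheduled.
# It should be used when hostNetwork: true to prevent port conflicts
affinity: {}
#  podAntiAffinity:
#    requiredDuringSchedulingIgnoredDuringExecution:
#      - labelSelector:
#          matchLabels:
#            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
#        topologyKey: kubernetes.io/hostname

# -- nodeSelector is the simplest recommended form of node selection constraint.
nodeSelector: {}
# -- Tolerations allow the scheduler to schedule pods with matching taints.
tolerations: []
# -- You can use topology spread constraints to control
# how Pods are spread across your cluster among failure-domains.
topologySpreadConstraints: []
# This example topologySpreadConstraints forces the scheduler to put traefik pods
# on nodes where no other traefik pods are scheduled.
#  - labelSelector:
#      matchLabels:
#        app.kubernetes.io/name: '{{ template "traefik.name" . }}'
#    maxSkew: 1
#    topologyKey: kubernetes.io/hostname
#    whenUnsatisfiable: DoNotSchedule

# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
priorityClassName: ""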
# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
# Container-level hardening: privilege escalation is disabled, every Linux
# capability is dropped, and the root filesystem is read-only. Relaxing any of
# these widens what a compromised proxy process can do, so keep overrides minimal.
# @default -- See _values.yaml_
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true
# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
# Pod-level defaults: run as the unprivileged UID/GID 65532, refuse to start as
# root (runAsNonRoot), and apply the container runtime's default seccomp profile.
# @default -- See _values.yaml_
podSecurityContext:
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    type: RuntimeDefault
#
# -- Extra objects to deploy (value evaluated as a template)
#
# In some cases, it can avoid the need for additional, extended or ad hoc deployments.
# See #595 for more details and traefik/tests/values/extra.yaml for example.
# Entries are rendered as templates and installed with the release, so review
# values files that come from other parties as carefully as chart templates.
extraObjects: []
# -- This field overrides the default Release Namespace for Helm.
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
namespaceOverride: ""
# -- This field overrides the default app.kubernetes.io/instance label for all Objects.
instanceLabelOverride: ""
# -- This field overrides the default version extracted from image.tag. Required when pinning by `image.digest`, since the version cannot be derived from a digest.
versionOverride: ""
# -- Overrides the app.kubernetes.io/name label
nameOverride: ""
# -- Overrides the resource name for templates (e.g. deployment, service, etc.)
fullnameOverride: ""
# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
# Several keys below take credentials (passwords, tokens, client secrets, API
# keys) as plain strings. Anything set here is kept with the Helm release and is
# shown by `helm get values`, so keep such values out of committed files and
# limit who can read the release.
hub:  # @schema additionalProperties: false
  # -- Name of `Secret` with key 'token' set to a valid license token.
  # It enables API Gateway.
  # This is the name of the Secret, not the token itself.
  token: ""
  # -- Mount path for token secret.
  tokenMountPath: "/etc/secrets"
  # -- Disables all external network connections.
  offline:  # @schema type:[boolean, null]
  # -- By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
  namespaces: []  # @schema required:true
  apimanagement:
    # -- Set to true in order to enable API Management. Requires a valid license token.
    enabled: false
    admission:
      # -- WebHook admission server listen address. Default: "0.0.0.0:9943".
      listenAddr: ""
      # -- Certificate name of the WebHook admission server. Default: "hub-agent-cert".
      secretName: "hub-agent-cert"
      # -- By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details.
      selfManagedCertificate: false
      # -- Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding.
      # Base64 is an encoding, not encryption: a _tls.key_ set here is readable by
      # anyone who can read these values. `selfManagedCertificate` keeps the key
      # out of the values file.
      customWebhookCertificate: {}
      # -- Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update.
      restartOnCertificateChange: true
      # -- Set custom annotations.
      annotations: {}
    openApi:
      # -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
      # With the default of false, requests outside the specification are not
      # rejected by this check.
      validateRequestMethodAndPath: false
  mcpgateway:
    # -- Set to true in order to enable AI MCP Gateway. Requires a valid license token.
    enabled: false
    # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
    maxRequestBodySize:  # @schema type:[integer, null]; minimum:0
  aigateway:
    # -- Set to true in order to enable AI Gateway. Requires a valid license token.
    enabled: false
    # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
    maxRequestBodySize:  # @schema type:[integer, null]; minimum:0
  providers:
    consulCatalogEnterprise:
      # -- Enable Consul Catalog Enterprise backend with default settings.
      enabled: false
      # -- Use local agent caching for catalog reads.
      cache: false
      # -- Enable Consul Connect support.
      connectAware: false
      # -- Consider every service as Connect capable by default.
      connectByDefault: false
      # -- Constraints is an expression that Traefik matches against the container's labels
      constraints: ""
      # -- Default rule.
      defaultRule: "Host(`{{ normalize .Name }}`)"
      endpoint:
        # -- The address of the Consul server
        address: ""
        # -- Data center to use. If not provided, the default agent data center is used
        datacenter: ""
        # -- WaitTime limits how long a Watch will block. If not provided, the agent default values will be used
        endpointWaitTime:  # @schema type:[integer, null]
        httpauth:
          # -- Basic Auth password
          # Credential: stored as plain text with the release values.
          password: ""
          # -- Basic Auth username
          username: ""
        # -- The URI scheme for the Consul server
        scheme: ""
        tls:
          # -- TLS CA
          ca: ""
          # -- TLS cert
          cert: ""
          # -- TLS insecure skip verify
          # Leave false: true disables verification of the Consul server's
          # certificate. Set `ca` instead when the server uses a private CA.
          insecureSkipVerify: false
          # -- TLS key
          key: ""
        # -- Token is used to provide a per-request ACL token which overrides the agent's default token
        # Credential: stored as plain text with the release values.
        token: ""
      # -- Expose containers by default.
      # With true, every service discovered in the catalog is routed unless it
      # opts out. Setting false makes exposure opt-in per service, which avoids
      # publishing internal services by accident.
      exposedByDefault: true
      # -- Sets the namespaces used to discover services (Consul Enterprise only).
      namespaces: ""
      # -- Sets the partition used to discover services (Consul Enterprise only).
      partition: ""
      # -- Prefix for consul service tags.
      prefix: "traefik"
      # -- Interval for checking Consul API.
      refreshInterval: 15
      # -- Forces the read to be fully consistent.
      requireConsistent: false
      # -- Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually)
      serviceName: "traefik"
      # -- Use stale consistency for catalog reads.
      stale: false
      # -- A list of service health statuses to allow taking traffic.
      strictChecks: "passing, warning"
      # -- Watch Consul API events.
      watch: false
    microcks:
      # -- Enable Microcks provider.
      enabled: false
      auth:
        # -- Microcks API client ID.
        clientId: ""
        # -- Microcks API client secret.
        # Credential: stored as plain text with the release values.
        clientSecret: ""
        # -- Microcks API endpoint.
        endpoint: ""
        # -- Microcks API token.
        # Credential: stored as plain text with the release values.
        token: ""
      # -- Microcks API endpoint.
      endpoint: ""
      # -- Polling interval for Microcks API.
      pollInterval: 30
      # -- Polling timeout for Microcks API.
      pollTimeout: 5
      tls:
        # -- TLS CA
        ca: ""
        # -- TLS cert
        cert: ""
        # -- TLS insecure skip verify
        # Leave false: true disables verification of the Microcks server's
        # certificate. Set `ca` instead when the server uses a private CA.
        insecureSkipVerify: false
        # -- TLS key
        key: ""
    multicluster:
      # -- Enable Multi-cluster provider.
      enabled: false
      # -- Polling interval for Multi-cluster.
      pollInterval: 5
      # -- Polling timeout for Multi-cluster.
      pollTimeout: 5
      # @schema mergeProperties: true
      # -- Child cluster configurations, keyed by a unique name.
      # @default -- {}
      children:
        # @schema additionalProperties: false
        cluster-1:
          # -- URL of the child cluster's uplink entrypoint.
          address: ""
          # -- TLS and transport configuration for connecting to this child.
          # @default -- {}
          serversTransport:
            # @schema type:[boolean, null]
            # -- Disable TLS certificate verification. **Not recommended for production.**
            # With verification off, the child cluster's identity is not checked.
            # Prefer `rootCAs` and `serverName` for private certificates.
            # @default -- false
            insecureSkipVerify:
            # -- Server name used for SNI and certificate verification.
            serverName: ""
            rootCAs: []
            certificates: []
            # @schema type:[integer, null]
            # -- Maximum idle connections per host.
            # @default -- 200
            maxIdleConnsPerHost:
            # @schema type:[boolean, null]
            # -- Disable HTTP/2 for connections to this child.
            # @default -- false
            disableHTTP2:
            # -- Minimum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
            minVersion: ""
            # -- Maximum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
            maxVersion: ""
            # -- List of supported cipher suites for TLS versions up to 1.2.
            cipherSuites: []
            # -- URI used to match against SAN URIs during the server's certificate verification.
            peerCertURI: ""
            forwardingTimeouts:
              # @schema type:[string, integer, null]
              # -- Timeout for establishing connections.
              # @default -- 30s
              dialTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for reading response headers.
              # @default -- 0s
              responseHeaderTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for idle connections.
              # @default -- 90s
              idleConnTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for HTTP/2 server ping frames.
              # @default -- 15s
              pingTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for HTTP/2 connection idle reads.
              # @default -- 0s
              readIdleTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for reading the request body.
              # @default -- 0s
              readTimeout:
              # @schema type:[string, integer, null]
              # -- Timeout for writing the response.
              # @default -- 0s
              writeTimeout:
            spiffe:
              ids: []
              # @schema type:[string, integer, null]
              # -- SPIFFE trust domain.
              trustDomain: ""
    # @schema additionalProperties: false
    nutanixPrismCentral:
      # -- Enable Nutanix Prism Central provider.
      enabled: false
      # -- Prism Central endpoint.
      endpoint: ""
      # -- Prism Central username.
      username: ""
      # -- Prism Central password.
      # Credential: stored as plain text with the release values.
      password: ""
      # -- Prism Central API key.
      # Credential: stored as plain text with the release values.
      apiKey: ""
      # -- Base configuration file path.
      filename: ""
      # -- Polling interval for Nutanix Prism Central API.
      pollInterval: 30
      # -- Polling timeout for Nutanix Prism Central API.
      pollTimeout: 5
      # -- Category key used to derive the service name.
      serviceNameCategoryKey: "TraefikServiceName"
      # -- Filter VMs by VPCs. List of `{ uuid: "<vpc-uuid>" }` entries.
      allowedVpcs: []
      tls:
        # -- TLS CA
        ca: ""
        # -- TLS cert
        cert: ""
        # -- TLS key
        key: ""
        # -- TLS insecure skip verify
        # Leave false: true disables verification of the Prism Central
        # certificate. Set `ca` instead when the server uses a private CA.
        insecureSkipVerify: false
  redis:
    # -- Enable Redis Cluster. Default: true.
    cluster:  # @schema type:[boolean, null]
    # -- Database used to store information. Default: "0".
    database:  # @schema type:[string, null]
    # -- Endpoints of the Redis instances to connect to. Default: "".
    endpoints: ""
    # -- The username to use when connecting to Redis endpoints. Default: "".
    username: ""
    # -- The password to use when connecting to Redis endpoints. Default: "".
    # Credential: stored as plain text with the release values.
    password: ""
    sentinel:
      # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
      masterset: ""
      # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
      username: ""
      # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
      # Credential: stored as plain text with the release values.
      password: ""
    # -- Timeout applied on connection with redis. Default: "0s".
    timeout: ""
    tls:
      # -- Path to the certificate authority used for the secured connection.
      ca: ""
      # -- Path to the public certificate used for the secure connection.
      cert: ""
      # -- Path to the private key used for the secure connection.
      key: ""
      # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
      # Leave false so the Redis server's identity is verified.
      insecureSkipVerify: false
  # Enable export of error logs to the platform. Default: true.
  # Error logs therefore leave the cluster unless this is set to false; check
  # what they can contain before relying on the default.
  sendlogs:  # @schema type:[boolean, null]
  tracing:
    additionalTraceHeaders:
      # -- Tracing headers to duplicate.
      # To configure the following, tracing.otlp.enabled needs to be set to true.
      # @default -- See below
      enabled: false
      traceContext:
        # -- Name of the header that will contain the parent-id header copy.
        parentId: ""
        # -- Name of the header that will contain the trace-id copy.
        traceId: ""
        # -- Name of the header that will contain the traceparent copy.
        traceParent: ""
        # -- Name of the header that will contain the tracestate copy.
        traceState: ""
  # Define private plugin sources
  pluginRegistry:
    sources: {}
# -- Required for OCI Marketplace integration.
# See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm
# Both image tags below carry the same sha256 digest after `@`. A digest pins
# the exact image content, so the `latest` part in front of it is presumably
# informational only; change the digest deliberately when updating.
# @default -- See _values.yaml_
oci_meta:
  # -- Enable specific values for Oracle Cloud Infrastructure
  enabled: false
  # -- It needs to be an ocir repo
  repo: cgr.dev
  images:
    proxy:
      image: chainguard-private/traefik
      tag: latest@sha256:a1d046ceb7669fc10bb53d509b21a4f8835e69db8b510195de29fa582aa5f08b
    hub:
      image: chainguard-private/traefik
      tag: latest@sha256:a1d046ceb7669fc10bb53d509b21a4f8835e69db8b510195de29fa582aa5f08b
# -- Required for IBM Cloud Marketplace integration.
# Injected by IBM Cloud Catalog when deploying via IBM Cloud Schematics. This value is not used by the chart.
offering_version: ""  # @schema type:[string, null]
# -- Allow the Helm chart to be used as optional subchart.
# The schema annotation fixes this value to true.
enabled: true  # @schema type:boolean; const:true