DirectorySecurity AdvisoriesPricing
Sign in
Directory
traefik logoHELM

traefik

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
# Default values for Traefik
2
# This is a YAML-formatted file.
3
# Declare variables to be passed into templates
4
5
image: # @schema additionalProperties: false
6
# -- Traefik image host registry. Defaults to `docker.io` for Traefik Proxy and `ghcr.io` for Traefik Hub (when `hub.token` is set).
7
registry: cgr.dev # @schema type:[string, null]
8
# -- Traefik image repository. Defaults to `traefik` for Traefik Proxy and `traefik/traefik-hub` for Traefik Hub (when `hub.token` is set).
9
repository: chainguard-private/traefik # @schema type:[string, null]
10
# -- defaults to appVersion. It's used for version checking, even prefixed with experimental- or latest-.
11
# To pin by digest, prefer `image.digest`. A `<version>@<digest>` combo is also accepted here; in that case the digest is what Kubernetes verifies and the version is informational (and can drift from the underlying image).
12
tag: latest@sha256:cf9f07aaf3f4358fecfca60f4feac4a8428b6d212b8fe35a94c84cd5a5e2b540 # @schema type:[string, null]
13
# -- Traefik image digest (e.g. `sha256:abc...`). When set, takes precedence over `tag`. Set `versionOverride` alongside it so the chart's version-checking logic knows the version (it cannot be derived from the digest).
14
digest: # @schema type:[string, null]; pattern:^sha256:[a-f0-9]{64}$
15
# -- Traefik image pull policy
16
pullPolicy: IfNotPresent
17
# -- Add additional label to all resources
18
commonLabels: {}
19
deployment:
20
# -- Enable deployment
21
enabled: true
22
# -- Deployment or DaemonSet
23
kind: Deployment
24
# -- Number of pods of the deployment (only applies when kind == Deployment).
25
# Set to null to omit spec.replicas, e.g. when an external controller (HPA/KEDA) owns scaling.
26
replicas: 1 # @schema type:[integer, null];minimum:0
27
# -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
28
revisionHistoryLimit: # @schema type:[integer, null];minimum:0
29
# -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
30
terminationGracePeriodSeconds: 60
31
# -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
32
minReadySeconds: 0
33
## -- Override the liveness/readiness port. This is useful to integrate traefik
34
## with an external Load Balancer that performs healthchecks.
35
## Default: ports.traefik.port
36
healthchecksPort: # @schema type:[integer, null];minimum:0
37
## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
38
## Default: ports.traefik.hostIP if set, otherwise Pod IP
39
healthchecksHost: ""
40
## -- Override the liveness/readiness scheme. Useful for getting ping to
41
## respond on websecure entryPoint.
42
healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
43
## -- Override the readiness path.
44
## Default: /ping
45
readinessPath: ""
46
# -- Override the liveness path.
47
# Default: /ping
48
livenessPath: ""
49
# -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
50
annotations: {}
51
# -- Additional deployment labels (e.g. for filtering deployment by custom labels)
52
labels: {}
53
# -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
54
# It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
55
podAnnotations: {}
56
# -- Additional Pod labels (e.g. for filtering Pod by custom labels)
57
# It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
58
podLabels: {}
59
# -- Additional containers (e.g. for metric offloading sidecars)
60
additionalContainers: []
61
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
62
# - name: socat-proxy
63
# image: alpine/socat:1.0.5
64
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
65
# volumeMounts:
66
# - name: dsdsocket
67
# mountPath: /socket
68
# -- Additional volumes available for use with initContainers and additionalContainers
69
additionalVolumes: []
70
# - name: dsdsocket
71
# hostPath:
72
# path: /var/run/statsd-exporter
73
# -- Additional initContainers (e.g. for setting file permission as shown below)
74
initContainers: []
75
# The "volume-permissions" init container is required if you run into permission issues.
76
# Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
77
# - name: volume-permissions
78
# image: busybox:latest
79
# command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
80
# volumeMounts:
81
# - name: data
82
# mountPath: /data
83
# -- Use process namespace sharing
84
shareProcessNamespace: false
85
# @schema type: [boolean, null]
86
# -- Whether to use the host user namespace. Setting this to false enables user namespaces,
87
# which can improve security by isolating the pod's users from the host.
88
# See https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
89
# @default -- unset (inherits cluster default)
90
hostUsers:
91
# -- Custom pod DNS policy. Apply if `hostNetwork: true`
92
dnsPolicy: ""
93
# -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
94
dnsConfig: {}
95
# -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
96
hostAliases: []
97
# -- Pull secret for fetching traefik container image
98
imagePullSecrets: []
99
# -- Pod lifecycle actions
100
lifecycle: {}
101
# preStop:
102
# sleep:
103
# seconds: 20
104
# postStart:
105
# httpGet:
106
# path: /ping
107
# port: 8080
108
# host: localhost
109
# scheme: HTTP
110
# -- Set a runtimeClassName on pod
111
runtimeClassName: ""
112
# -- Percentage of memory limit to set for GOMEMLIMIT, set as decimal (0.9 = 90%, 0.95 = 95% etc). Only takes effect when resources.limits.memory is set. Set to 0 to disable (e.g. when using VPA or setting it via env)
113
goMemLimitPercentage: 0.9
114
# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
115
# @default -- See _values.yaml_
116
podDisruptionBudget: # @schema additionalProperties: false
117
enabled: false
118
maxUnavailable: # @schema type:[string, integer, null];minimum:0
119
minAvailable: # @schema type:[string, integer, null];minimum:0
120
ingressClass: # @schema additionalProperties: false
121
# -- Create a default IngressClass for Traefik
122
enabled: true
123
isDefaultClass: true
124
name: ""
125
core: # @schema additionalProperties: false
126
# -- Can be used to use globally v2 router syntax. Deprecated since v3.4 /!\.
127
# See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
128
defaultRuleSyntax: ""
129
# Traefik experimental features
130
experimental:
131
# -- Defines whether all plugins must be loaded successfully for Traefik to start
132
abortOnPluginFailure: false
133
fastProxy:
134
# -- Enables the FastProxy implementation.
135
enabled: false
136
# -- Enable debug mode for the FastProxy implementation.
137
debug: false
138
kubernetesGateway:
139
# -- Enable traefik experimental GatewayClass CRD
140
enabled: false
141
# -- Enable experimental plugins
142
plugins: {}
143
# -- Enable experimental local plugins
144
localPlugins: {}
145
# -- Enable OTLP logging experimental feature.
146
otlpLogs: false
147
# -- Enable Knative provider experimental feature.
148
knative: false
149
gateway:
150
# -- When providers.kubernetesGateway.enabled, deploy a default gateway
151
enabled: true
152
# -- Set a custom name to gateway
153
name: ""
154
# -- By default, Gateway is created in the same `Namespace` as Traefik.
155
namespace: ""
156
# -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
157
annotations: {}
158
# -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
159
infrastructure: {}
160
# -- Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways)
161
# by setting the `defaultScope` field (e.g. `All` or `Namespace`).
162
defaultScope: null # @schema enum:["All", "None", null]; type:[string, null]; default: null
163
listeners:
164
web:
165
# -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
166
# The port must match a port declared in ports section.
167
port: 8000
168
# -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
169
hostname: ""
170
# Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
171
protocol: HTTP
172
# -- (object) Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces
173
namespacePolicy: # @schema type:[object, null]
174
# websecure listener is disabled by default because certificateRefs needs to be added,
175
# or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
176
# websecure:
177
# # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
178
# # The port must match a port declared in ports section.
179
# port: 8443
180
# # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
181
# hostname:
182
# # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
183
# protocol: HTTPS
184
# # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
185
# namespacePolicy:
186
# # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
187
# certificateRefs:
188
# # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
189
# mode:
190
gatewayClass: # @schema additionalProperties: false
191
# -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
192
enabled: true
193
# -- Set a custom name to GatewayClass
194
name: ""
195
# -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
196
labels: {}
197
api: # @schema additionalProperties: false
198
# -- Enable the dashboard
199
dashboard: true
200
# -- Custom name for the dashboard (v3.7+).
201
dashboardName: "" # @schema type:[string, null]
202
# -- Disable the advertisement from the dashboard.
203
disableDashboardAd: # @schema type:[boolean, null]
204
# -- Enable the insecure API (HTTP)
205
insecure: # @schema type:[boolean, null]
206
# -- Enable the debug API
207
debug: # @schema type:[boolean, null]
208
# -- Configure API basePath
209
basePath: "" # @schema type:[string, null]; default: "/"
210
# -- Only dashboard & healthcheck IngressRoute are supported.
211
# It's recommended to create workloads CR outside of this Chart.
212
# @default -- See _values.yaml_
213
ingressRoute:
214
dashboard:
215
# -- Create an IngressRoute for the dashboard
216
enabled: false
217
# -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
218
annotations: {}
219
# -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
220
labels: {}
221
# -- The router match rule used for the dashboard ingressRoute
222
matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
223
# -- The internal service used for the dashboard ingressRoute
224
# @default -- api@internal
225
services:
226
- name: api@internal
227
kind: TraefikService
228
# -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
229
# By default, it's using traefik entrypoint, which is not exposed.
230
# /!\ Do not expose your dashboard without any protection over the internet /!\
231
entryPoints: ["traefik"]
232
# -- Additional ingressRoute middlewares (e.g. for authentication)
233
middlewares: []
234
# -- TLS options (e.g. secret containing certificate)
235
tls: {}
236
healthcheck:
237
# -- Create an IngressRoute for the healthcheck probe
238
enabled: false
239
# -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
240
annotations: {}
241
# -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
242
labels: {}
243
# -- The router match rule used for the healthcheck ingressRoute
244
matchRule: PathPrefix(`/ping`)
245
# -- The internal service used for the healthcheck ingressRoute
246
# @default -- ping@internal
247
services:
248
- name: ping@internal
249
kind: TraefikService
250
# -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).
251
# By default, it's using traefik entrypoint, which is not exposed.
252
entryPoints: ["traefik"]
253
# -- Additional ingressRoute middlewares (e.g. for authentication)
254
middlewares: []
255
# -- TLS options (e.g. secret containing certificate)
256
tls: {}
257
updateStrategy: # @schema additionalProperties: false
258
# -- Customize updateStrategy of Deployment or DaemonSet
259
type: RollingUpdate
260
rollingUpdate:
261
maxUnavailable: 0 # @schema type:[integer, string, null]
262
maxSurge: 1 # @schema type:[integer, string, null]
263
readinessProbe: # @schema additionalProperties: false
264
# -- The number of consecutive failures allowed before considering the probe as failed.
265
failureThreshold: 1
266
# -- The number of seconds to wait before starting the first probe.
267
initialDelaySeconds: 2
268
# -- The number of seconds to wait between consecutive probes.
269
periodSeconds: 10
270
# -- The minimum consecutive successes required to consider the probe successful.
271
successThreshold: 1
272
# -- The number of seconds to wait for a probe response before considering it as failed.
273
timeoutSeconds: 2
274
livenessProbe: # @schema additionalProperties: false
275
# -- The number of consecutive failures allowed before considering the probe as failed.
276
failureThreshold: 3
277
# -- The number of seconds to wait before starting the first probe.
278
initialDelaySeconds: 2
279
# -- The number of seconds to wait between consecutive probes.
280
periodSeconds: 10
281
# -- The minimum consecutive successes required to consider the probe successful.
282
successThreshold: 1
283
# -- The number of seconds to wait for a probe response before considering it as failed.
284
timeoutSeconds: 2
285
# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
286
startupProbe: {}
287
# @schema additionalProperties: false
288
providers:
289
# -- Defines the routing precedence between providers. See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/#routing-precedence) for the default order.
290
precedence: []
291
# @schema additionalProperties: false
292
kubernetesCRD:
293
# -- Load Kubernetes IngressRoute provider
294
enabled: true
295
# -- Allows IngressRoute to reference resources in namespace other than theirs
296
allowCrossNamespace: false
297
# -- Allows to reference ExternalName services in IngressRoute
298
allowExternalNameServices: false
299
# -- Allows to return 503 when there are no endpoints available
300
allowEmptyServices: true
301
# -- List of namespaces from which IngressRoute, IngressRouteTCP, IngressRouteUDP, and TraefikService are allowed to declare cross-provider references. Requires traefik v3.7.1+.
302
crossProviderNamespaces: []
303
# -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
304
ingressClass: ""
305
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector)
306
labelSelector: ""
307
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
308
namespaces: []
309
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
310
nativeLBByDefault: false
311
# @schema additionalProperties: false
312
kubernetesIngress:
313
# -- Load Kubernetes Ingress provider
314
enabled: true
315
# -- Allows to reference ExternalName services in Ingress
316
allowExternalNameServices: false
317
# -- Allows to return 503 when there are no endpoints available
318
allowEmptyServices: true
319
# -- List of namespaces from which Ingresses or Services are allowed to declare Middlewares, TLSOptions, or ServersTransport references. Requires traefik v3.7.1+.
320
crossProviderNamespaces: []
321
# -- Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup)
322
disableIngressClassLookup: false
323
# -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
324
ingressClass: # @schema type:[string, null]
325
labelSelector: # @schema type:[string, null]
326
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
327
namespaces: []
328
# IP used for Kubernetes Ingress endpoints
329
publishedService:
330
# -- Enable [publishedService](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#ingressendpointpublishedservice),
331
# usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
332
enabled: true
333
# -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
334
# Default to Service deployed with this Chart.
335
pathOverride: ""
336
# @schema additionalProperties: false
337
ingressEndpoint:
338
# -- Hostname used for Kubernetes Ingress endpoints
339
hostname: "" # @schema type:[string, null]
340
# -- IP used for Kubernetes Ingress endpoints
341
ip: "" # @schema type:[string, null]
342
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
343
nativeLBByDefault: false
344
# -- Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification.
345
strictPrefixMatching: false
346
# @schema additionalProperties: false
347
kubernetesGateway:
348
# -- Enable Traefik Gateway provider for Gateway API
349
enabled: false
350
# -- List of namespaces from which Gateway API routes are allowed to declare TraefikService backendRef references. Requires traefik v3.7.1+.
351
crossProviderNamespaces: []
352
# -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
353
# This option currently enables support for TCPRoute and TLSRoute.
354
experimentalChannel: false
355
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. kubernetesGateway provider requires ClusterRole and as a consequence `rbac.namespaced` is not supported.
356
namespaces: []
357
# -- A label selector can be defined to filter on specific GatewayClass objects only.
358
labelSelector: ""
359
# -- Defines whether to use Native Kubernetes load-balancing mode by default.
360
nativeLBByDefault: false
361
# -- Maximum QPS to the Kubernetes API server. A negative value disables client-side ratelimiting (v3.7.3+). Defaults to 50.
362
qps: # @schema type:[integer, null]
363
# -- Maximum burst of requests to the Kubernetes API server (v3.7.3+). Defaults to 100.
364
burst: # @schema type:[integer, null]
365
statusAddress:
366
# -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
367
ip: ""
368
# -- This Hostname will get copied to the Gateway status.addresses.
369
hostname: ""
370
service:
371
# -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
372
enabled: true
373
name: ""
374
namespace: ""
375
# @schema additionalProperties: false
376
file:
377
# -- Create a file provider
378
enabled: false
379
# -- Allows Traefik to automatically watch for file changes
380
watch: true
381
# -- File content as an object (will be YAML-formatted, go template supported) (see https://doc.traefik.io/traefik/reference/install-configuration/providers/others/file/)
382
content: {}
383
# @schema additionalProperties: false
384
kubernetesIngressNGINX:
385
# -- Enable Kubernetes Ingress NGINX provider
386
enabled: false
387
# -- Ingress Class Controller value this controller satisfies
388
controllerClass: "k8s.io/ingress-nginx"
389
# -- Name of the ingress class this controller satisfies
390
ingressClass: "nginx"
391
# -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
392
ingressClassByName: false
393
# -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
394
watchIngressWithoutClass: false
395
# -- Single namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector.
396
watchNamespace: ""
397
# -- Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace.
398
watchNamespaceSelector: ""
399
publishService:
400
# -- Enable publishService. Service fronting the Ingress controller, used to set the load-balancer status of Ingress objects.
401
# Usually the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
402
enabled: false
403
# -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
404
# Default to Service deployed with this Chart.
405
pathOverride: ""
406
# -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies
407
publishStatusAddress: ""
408
# -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
409
defaultBackendService: ""
410
# -- Disable support for Services of type ExternalName
411
disableSvcExternalName: false
412
# -- Ingress refresh throttle duration
413
throttleDuration: ""
414
# -- Kubernetes certificate authority file path (not needed for in-cluster client)
415
certAuthFilePath: ""
416
# -- Kubernetes server endpoint (required for external cluster client)
417
endpoint: ""
418
# -- Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token
419
token: ""
420
# -- Defines whether to enable request buffering (default: false)
421
proxyRequestBuffering: null # @schema type:[boolean, null]
422
# -- Default buffer size for reading client request body in bytes (default: 16384)
423
clientBodyBufferSize: # @schema type:[integer, null]
424
# -- Default maximum size of a client request body in bytes (default: 1048576)
425
proxyBodySize: # @schema type:[integer, null]
426
# -- Defines whether to enable response buffering (default: false)
427
proxyBuffering: null # @schema type:[boolean, null]
428
# -- Default buffer size for reading the response body in bytes (default: 8192)
429
proxyBufferSize: # @schema type:[integer, null]
430
# -- Default number of buffers for reading a response (default: 4)
431
proxyBuffersNumber: # @schema type:[integer, null]
432
# -- Amount of time to wait until a connection to a server can be established. Unitless, in seconds (default: 60)
433
proxyConnectTimeout: # @schema type:[integer, null]
434
# -- Amount of time between two successive read operations. Unitless, in seconds (default: 60)
435
proxyReadTimeout: # @schema type:[integer, null]
436
# -- Amount of time between two successive write operations. Unitless, in seconds (default: 60)
437
proxySendTimeout: # @schema type:[integer, null]
438
# -- Defines in which cases a request should be retried (default: "error timeout")
439
proxyNextUpstream: ""
440
# -- Limits the number of possible tries if the backend server does not reply (default: 3)
441
proxyNextUpstreamTries: # @schema type:[integer, null]
442
# -- Limits the total elapsed time to retry the request. Unitless, in seconds (default: 0)
443
proxyNextUpstreamTimeout: # @schema type:[integer, null]
444
# -- Defines which HTTP status codes should result in calling the default backend to return an error page
445
customHTTPErrors: []
446
# -- Defines the idle timeout for keep-alive connections to upstream servers. Unitless, in seconds (default: 60)
447
upstreamKeepaliveTimeout: # @schema type:[integer, null]
448
# -- Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces (default: false)
449
allowCrossNamespaceResources: null # @schema type:[boolean, null]
450
# -- List of allowed response headers inside the custom headers annotations
451
globalAllowedResponseHeaders: []
452
# -- URL to the service that provides authentication for all the locations. Per ingress auth-url annotation has precedence over this option.
453
globalAuthUrl: ""
454
# -- When set, the strategy is applied to every generated IPAllowList middleware.
455
# @default -- See below
456
ipAllowListStrategy:
457
# -- Number of trusted proxy hops to skip when extracting the client IP from the X-Forwarded-For header. 0 disables depth-based extraction. (default: 0)
458
depth: 0
459
# -- List of IPs to exclude when scanning the X-Forwarded-For header to find the client IP.
460
excludedIPS: []
461
# -- IPv6 subnet size used to group IPv6 addresses when checking the allow list. 0 disables subnet grouping.
462
ipv6Subnet: 0
463
# -- Enables parsing and adding -snippet annotations/directives (default: false)
464
allowSnippetAnnotations: null # @schema type:[boolean, null]
465
# -- Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact (default: true)
466
strictValidatePathType: null # @schema type:[boolean, null]
467
# -- Defines the EntryPoint to use for HTTP requests
468
httpEntryPoint: "web"
469
# -- Defines the EntryPoint to use for HTTPS requests
470
httpsEntryPoint: "websecure"
471
# @schema additionalProperties: false
472
modsec:
473
# -- Enable ModSec engine. Requires Traefik Hub >= v3.20.0-ea.8.
474
enabled: false
475
# -- Enable OWASP Core Rules.
476
owaspCoreRules: false
477
# -- Custom ModSec rules snippet.
478
snippet: ""
479
# @schema additionalProperties: false
480
knative:
481
# -- Enable Knative provider
482
enabled: false
483
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
484
namespaces: []
485
# -- Allow filtering Knative Ingress objects
486
labelSelector: ""
487
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
488
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
489
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
490
# `additionalArguments:
491
# - "--providers.file.filename=/config/dynamic.toml"
492
# - "--ping"
493
# - "--ping.entrypoint=web"`
494
volumes: []
495
# - name: public-cert
496
# mountPath: "/certs"
497
# type: secret
498
# - name: '{{ printf "%s-configs" .Release.Name }}'
499
# mountPath: "/config"
500
# type: configMap
501
502
# -- Additional volumeMounts to add to the Traefik container
503
additionalVolumeMounts: []
504
# -- For instance when using a logshipper for access logs
505
# - name: traefik-logs
506
# mountPath: /var/log/traefik
507
508
# -- See [logs reference](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/)
509
log:
510
# -- Set [logs format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-log-format)
511
format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
512
# By default, the level is set to INFO.
513
# -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
514
level: "INFO" # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
515
# -- To write the logs into a log file, use the filePath option.
516
filePath: ""
517
# -- When set to true and format is common, it disables the colorized output.
518
noColor: false
519
otlp:
520
# -- Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled.
521
enabled: false
522
# -- Service name used in OTLP backend. Default: traefik.
523
serviceName: # @schema type:[string, null]
524
http:
525
# -- Set to true in order to send logs to the OpenTelemetry Collector using HTTP.
526
enabled: false
527
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
528
endpoint: ""
529
# -- Additional headers sent with logs by the reporter to the OpenTelemetry Collector.
530
headers: {}
531
## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
532
tls:
533
# -- The path to the certificate authority, it defaults to the system bundle.
534
ca: ""
535
# -- The path to the public certificate. When using this option, setting the key option is required.
536
cert: ""
537
# -- The path to the private key. When using this option, setting the cert option is required.
538
key: ""
539
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
540
insecureSkipVerify: # @schema type:[boolean, null]
541
grpc:
542
# -- Set to true in order to send logs to the OpenTelemetry Collector using gRPC
543
enabled: false
544
# -- Format: <host>:<port>. Default: "localhost:4317"
545
endpoint: ""
546
# -- Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol.
547
insecure: false
548
## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
549
tls:
550
# -- The path to the certificate authority, it defaults to the system bundle.
551
ca: ""
552
# -- The path to the public certificate. When using this option, setting the key option is required.
553
cert: ""
554
# -- The path to the private key. When using this option, setting the cert option is required.
555
key: ""
556
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
557
insecureSkipVerify: # @schema type:[boolean, null]
558
# -- Defines additional resource attributes to be sent to the collector.
559
resourceAttributes: {}
560
# -- See [access logs reference](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/)
561
accessLog:
562
# -- To enable access logs
563
enabled: false
564
# -- Set [access log format](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-format)
565
format: # @schema enum:["common", "genericCLF", "json", null]; type:[string, null]; default: "common"
566
# filePath: "/var/log/traefik/access.log
567
# -- Set [bufferingSize](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#opt-accesslog-bufferingSize)
568
bufferingSize: # @schema type:[integer, null]
569
# -- Set [timezone](https://doc.traefik.io/traefik/reference/install-configuration/observability/logs-and-accesslogs/#time-zones)
570
timezone: ""
571
# -- Set [filtering](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#access-log-filters)
572
# @default -- See below
573
filters: # @schema additionalProperties: false
574
# -- Set statusCodes, to limit the access logs to requests with a status codes in the specified range
575
statusCodes: ""
576
# -- Set retryAttempts, to keep the access logs when at least one retry has happened
577
retryAttempts: false
578
# -- Set minDuration, to keep access logs when requests take longer than the specified duration
579
minDuration: ""
580
# -- Enables accessLogs for internal resources. Default: false.
581
addInternals: false
582
# -- Enables access log output alongside OTLP (v3.7+).
583
dualOutput: false
584
fields:
585
# -- Set default mode for fields.names
586
defaultMode: keep # @schema enum:[keep, drop, redact]; default: keep
587
# -- Names of the fields to limit.
588
names: {}
589
headers:
590
# -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observe/logs-and-access-logs/#log-fields-customization)
591
defaultMode: drop # @schema enum:[keep, drop, redact]; default: drop
592
names: {}
593
queryParameters:
594
# -- Keep or drop all query parameters in the RequestPath access log field (v3.7.3+).
595
defaultMode: # @schema enum:[keep, drop, null]; type:[string, null]; default: null
596
otlp:
597
# -- Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled.
598
enabled: false
599
# -- Service name used in OTLP backend. Default: traefik.
600
serviceName: # @schema type:[string, null]
601
http:
602
# -- Set to true in order to send access logs to the OpenTelemetry Collector using HTTP.
603
enabled: false
604
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
605
endpoint: ""
606
# -- Additional headers sent with access logs by the reporter to the OpenTelemetry Collector.
607
headers: {}
608
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
609
tls:
610
# -- The path to the certificate authority, it defaults to the system bundle.
611
ca: ""
612
# -- The path to the public certificate. When using this option, setting the key option is required.
613
cert: ""
614
# -- The path to the private key. When using this option, setting the cert option is required.
615
key: ""
616
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
617
insecureSkipVerify: # @schema type:[boolean, null]
618
grpc:
619
# -- Set to true in order to send access logs to the OpenTelemetry Collector using gRPC
620
enabled: false
621
# -- Format: <host>:<port>. Default: "localhost:4317"
622
endpoint: ""
623
# -- Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
624
insecure: false
625
## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
626
tls:
627
# -- The path to the certificate authority, it defaults to the system bundle.
628
ca: ""
629
# -- The path to the public certificate. When using this option, setting the key option is required.
630
cert: ""
631
# -- The path to the private key. When using this option, setting the cert option is required.
632
key: ""
633
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
634
insecureSkipVerify: # @schema type:[boolean, null]
635
# -- Defines additional resource attributes to be sent to the collector.
636
resourceAttributes: {}
637
metrics:
638
# -- Enable metrics for internal resources. Default: false
639
addInternals: false
640
## Prometheus is enabled by default.
641
## It can be disabled by setting "prometheus: null"
642
prometheus:
643
# -- Entry point used to expose metrics.
644
entryPoint: metrics
645
# -- Enable metrics on entry points. Default: true
646
addEntryPointsLabels: # @schema type:[boolean, null]
647
# -- Enable metrics on routers. Default: false
648
addRoutersLabels: # @schema type:[boolean, null]
649
# -- Enable metrics on services. Default: true
650
addServicesLabels: # @schema type:[boolean, null]
651
# -- Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
652
buckets: ""
653
# -- When manualRouting is true, it disables the default internal router in
654
## order to allow creating a custom router for prometheus@internal service.
655
manualRouting: false
656
# -- Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage.
657
headerLabels: {} # @schema type:[object, null]
658
service:
659
# -- Create a dedicated metrics service to use with ServiceMonitor
660
enabled: false
661
labels: {}
662
annotations: {}
663
# -- When set to true, it won't check if Prometheus Operator CRDs are deployed
664
disableAPICheck: # @schema type:[boolean, null]
665
serviceMonitor:
666
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
667
enabled: false
668
apiVersion: "monitoring.coreos.com/v1"
669
metricRelabelings: []
670
relabelings: []
671
jobLabel: ""
672
interval: ""
673
honorLabels: false
674
scrapeTimeout: ""
675
honorTimestamps: false
676
enableHttp2: false
677
followRedirects: false
678
additionalLabels: {}
679
namespace: ""
680
namespaceSelector: {}
681
prometheusRule:
682
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
683
enabled: false
684
apiVersion: "monitoring.coreos.com/v1"
685
additionalLabels: {}
686
namespace: ""
687
# datadog:
688
# ## Address instructs exporter to send metrics to datadog-agent at this address.
689
# address: "127.0.0.1:8125"
690
# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
691
# # pushInterval: 30s
692
# ## The prefix to use for metrics collection. Default="traefik"
693
# # prefix: traefik
694
# ## Enable metrics on entry points. Default=true
695
# # addEntryPointsLabels: false
696
# ## Enable metrics on routers. Default=false
697
# # addRoutersLabels: true
698
# ## Enable metrics on services. Default=true
699
# # addServicesLabels: false
700
# influxdb2:
701
# ## Address instructs exporter to send metrics to influxdb v2 at this address.
702
# address: localhost:8086
703
# ## Token with which to connect to InfluxDB v2.
704
# token: xxx
705
# ## Organisation where metrics will be stored.
706
# org: ""
707
# ## Bucket where metrics will be stored.
708
# bucket: ""
709
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
710
# # pushInterval: 30s
711
# ## Additional labels (influxdb tags) on all metrics.
712
# # additionalLabels:
713
# # env: production
714
# # foo: bar
715
# ## Enable metrics on entry points. Default=true
716
# # addEntryPointsLabels: false
717
# ## Enable metrics on routers. Default=false
718
# # addRoutersLabels: true
719
# ## Enable metrics on services. Default=true
720
# # addServicesLabels: false
721
# statsd:
722
# ## Address instructs exporter to send metrics to statsd at this address.
723
# address: localhost:8125
724
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
725
# # pushInterval: 30s
726
# ## The prefix to use for metrics collection. Default="traefik"
727
# # prefix: traefik
728
# ## Enable metrics on entry points. Default=true
729
# # addEntryPointsLabels: false
730
# ## Enable metrics on routers. Default=false
731
# # addRoutersLabels: true
732
# ## Enable metrics on services. Default=true
733
# # addServicesLabels: false
734
otlp:
735
# -- Set to true in order to enable the OpenTelemetry metrics
736
enabled: false
737
# -- Enable metrics on entry points. Default: true
738
addEntryPointsLabels: # @schema type:[boolean, null]
739
# -- Enable metrics on routers. Default: false
740
addRoutersLabels: # @schema type:[boolean, null]
741
# -- Enable metrics on services. Default: true
742
addServicesLabels: # @schema type:[boolean, null]
743
# -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
744
explicitBoundaries: []
745
# -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
746
pushInterval: ""
747
# -- Service name used in OTLP backend. Default: traefik.
748
serviceName: # @schema type:[string, null]
749
http:
750
# -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
751
enabled: false
752
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics
753
endpoint: ""
754
# -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
755
headers: {}
756
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
757
tls:
758
# -- The path to the certificate authority, it defaults to the system bundle.
759
ca: ""
760
# -- The path to the public certificate. When using this option, setting the key option is required.
761
cert: ""
762
# -- The path to the private key. When using this option, setting the cert option is required.
763
key: ""
764
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
765
insecureSkipVerify: # @schema type:[boolean, null]
766
grpc:
767
# -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
768
enabled: false
769
# -- Format: <host>:<port>. Default: "localhost:4317"
770
endpoint: ""
771
# -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
772
insecure: false
773
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
774
tls:
775
# -- The path to the certificate authority, it defaults to the system bundle.
776
ca: ""
777
# -- The path to the public certificate. When using this option, setting the key option is required.
778
cert: ""
779
# -- The path to the private key. When using this option, setting the cert option is required.
780
key: ""
781
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
782
insecureSkipVerify: # @schema type:[boolean, null]
783
# -- Defines additional resource attributes to be sent to the collector.
784
resourceAttributes: {}
785
ocsp:
786
# -- Enable OCSP stapling support.
787
# See https://doc.traefik.io/traefik/reference/install-configuration/tls/ocsp/
788
enabled: false
789
# -- Defines the OCSP responder URLs to use instead of the one provided by the certificate.
790
responderOverrides: {}
791
## Tracing
792
# -- https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/
793
# @default -- See _values.yaml_
794
tracing: # @schema additionalProperties: false
795
# -- Enables tracing for internal resources. Default: false.
796
addInternals: false
797
# -- Service name used in selected backend. Default: traefik.
798
serviceName: # @schema type:[string, null]
799
# -- Defines additional resource attributes to be sent to the collector.
800
resourceAttributes: {}
801
# -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
802
capturedRequestHeaders: []
803
# -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
804
capturedResponseHeaders: []
805
# -- By default, all query parameters are redacted. Defines the list of query parameters to not redact.
806
safeQueryParams: []
807
# -- The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0.
808
sampleRate: # @schema type:[number, null]; minimum:0; maximum:1
809
otlp:
810
# -- See https://doc.traefik.io/traefik/reference/install-configuration/observability/tracing/#configuration-options
811
enabled: false
812
http:
813
# -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
814
enabled: false
815
# -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing
816
endpoint: ""
817
# -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
818
headers: {}
819
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
820
tls:
821
# -- The path to the certificate authority, it defaults to the system bundle.
822
ca: ""
823
# -- The path to the public certificate. When using this option, setting the key option is required.
824
cert: ""
825
# -- The path to the private key. When using this option, setting the cert option is required.
826
key: ""
827
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
828
insecureSkipVerify: # @schema type:[boolean, null]
829
grpc:
830
# -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
831
enabled: false
832
# -- Format: <host>:<port>. Default: "localhost:4317"
833
endpoint: ""
834
# -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
835
insecure: false
836
## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
837
tls:
838
# -- The path to the certificate authority, it defaults to the system bundle.
839
ca: ""
840
# -- The path to the public certificate. When using this option, setting the key option is required.
841
cert: ""
842
# -- The path to the private key. When using this option, setting the cert option is required.
843
key: ""
844
# -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
845
insecureSkipVerify: # @schema type:[boolean, null]
846
global:
847
checkNewVersion: true
848
# -- Please take time to consider whether or not you wish to share anonymous data with us
849
# See https://doc.traefik.io/traefik/contributing/data-collection/
850
sendAnonymousUsage: false
851
# -- Disable appending RemoteAddr to X-Forwarded-For header globally (v3.7+).
852
notAppendXForwardedFor: false
853
# -- Required for Azure Marketplace integration.
854
# See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart
855
# @default -- See _values.yaml_
856
azure:
857
enabled: false
858
images:
859
proxy:
860
image: chainguard-private/traefik
861
tag: latest@sha256:cf9f07aaf3f4358fecfca60f4feac4a8428b6d212b8fe35a94c84cd5a5e2b540
862
registry: cgr.dev
863
hub:
864
image: chainguard-private/traefik
865
tag: latest@sha256:cf9f07aaf3f4358fecfca60f4feac4a8428b6d212b8fe35a94c84cd5a5e2b540
866
registry: cgr.dev
867
# -- Additional arguments to be passed at Traefik's binary
868
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
869
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
870
additionalArguments: []
871
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
872
# - "--log.level=DEBUG"
873
874
# -- Additional Environment variables to be passed to Traefik's binary
875
env: []
876
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
877
envFrom: []
878
# @schema mergeProperties: true
879
ports:
880
# @schema additionalProperties: false
881
traefik:
882
port: 8080
883
# -- Use hostPort if set.
884
hostPort: # @schema type:[integer, null]; minimum:0
885
# -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
886
# means it's listening on all your interfaces and all your IPs. You may want
887
# to set this value if you need traefik to listen on specific interface
888
# only.
889
hostIP: # @schema type:[string, null]
890
# Defines whether the port is exposed if service.type is LoadBalancer or
891
# NodePort.
892
#
893
# -- You SHOULD NOT expose the traefik port on production deployments.
894
# If you want to access it from outside your cluster,
895
# use `kubectl port-forward` or create a secure ingress
896
expose:
897
default: false
898
# -- The exposed port for this service
899
exposedPort: 8080
900
# -- The port protocol (TCP/UDP)
901
protocol: TCP
902
observability: # @schema additionalProperties: false
903
# -- Defines whether a router attached to this EntryPoint produces metrics by default.
904
metrics: # @schema type:[boolean, null]; default: true
905
# -- Defines whether a router attached to this EntryPoint produces access-logs by default.
906
accessLogs: # @schema type:[boolean, null]; default: true
907
# -- Defines whether a router attached to this EntryPoint produces traces by default.
908
tracing: # @schema type:[boolean, null]; default: true
909
# -- Defines the tracing verbosity level for routers attached to this EntryPoint.
910
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
911
web:
912
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
913
asDefault: # @schema type: [boolean, null]; default: null
914
port: 8000
915
# hostPort: 8000
916
# containerPort: 8000
917
expose:
918
default: true
919
exposedPort: 80
920
## -- Different target traefik port on the cluster, useful for IP type LB
921
targetPort: # @schema type:[string, integer, null]; minimum:0
922
# The port protocol (TCP/UDP)
923
protocol: TCP
924
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
925
nodePort: # @schema type:[integer, null]; minimum:0
926
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
927
allowACMEByPass: false
928
http:
929
redirections:
930
# -- Port Redirections
931
# Added in 2.2, one can make permanent redirects via entrypoints.
932
# Same sets of parameters: to, scheme, permanent and priority.
933
# https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example
934
entryPoint: {}
935
forwardedHeaders:
936
# -- Trust forwarded headers information (X-Forwarded-*).
937
trustedIPs: []
938
insecure: false
939
# -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
940
notAppendXForwardedFor: false
941
proxyProtocol:
942
# -- Enable the Proxy Protocol header parsing for the entry point
943
trustedIPs: []
944
insecure: false
945
# -- Set transport settings for the entrypoint
946
# @default -- nil
947
transport:
948
respondingTimeouts:
949
readTimeout: # @schema type:[string, integer, null]
950
writeTimeout: # @schema type:[string, integer, null]
951
idleTimeout: # @schema type:[string, integer, null]
952
lifeCycle:
953
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
954
graceTimeOut: # @schema type:[string, integer, null]
955
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
956
keepAliveMaxTime: # @schema type:[string, integer, null]
957
# -- Enable this port as an uplink for multi cluster.
958
# ⚠️ This feature is experimental and requires Traefik Hub with a specific subscription.
959
uplink: # @schema type: [boolean, null]; default: null
960
observability: # @schema additionalProperties: false
961
# -- Enables metrics for this entryPoint.
962
metrics: # @schema type:[boolean, null]; default: true
963
# -- Enables access-logs for this entryPoint.
964
accessLogs: # @schema type:[boolean, null]; default: true
965
# -- Enables tracing for this entryPoint.
966
tracing: # @schema type:[boolean, null]; default: true
967
# -- Defines the tracing verbosity level for this entryPoint.
968
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
969
websecure:
970
## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
971
# asDefault: true
972
port: 8443
973
hostPort: # @schema type:[integer, null]; minimum:0
974
containerPort: # @schema type:[integer, null]; minimum:0
975
expose:
976
default: true
977
exposedPort: 443
978
## -- Different target traefik port on the cluster, useful for IP type LB
979
targetPort: # @schema type:[string, integer, null]; minimum:0
980
## -- The port protocol (TCP/UDP)
981
protocol: TCP
982
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
983
nodePort: # @schema type:[integer, null]; minimum:0
984
# -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
985
appProtocol: # @schema type:[string, null]
986
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#allowacmebypass)
987
allowACMEByPass: false
988
http:
989
# -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
990
# @default -- nil
991
encodedCharacters: # @schema additionalProperties: false
992
allowEncodedSlash: # @schema type:[boolean, null]
993
allowEncodedBackSlash: # @schema type:[boolean, null]
994
allowEncodedNullCharacter: # @schema type:[boolean, null]
995
allowEncodedSemicolon: # @schema type:[boolean, null]
996
allowEncodedPercent: # @schema type:[boolean, null]
997
allowEncodedQuestionMark: # @schema type:[boolean, null]
998
allowEncodedHash: # @schema type:[boolean, null]
999
# -- Maximum size of request headers in bytes. Default: 1048576 (1 MB)
1000
maxHeaderBytes: # @schema type:[integer, null]; minimum:0
1001
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares)
1002
middlewares: [] # @schema type: [array, null]
1003
# -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization)
1004
sanitizePath: # @schema type:[boolean, null]
1005
# -- Defines how request headers with underscores in their names are handled (v3.7.6+).
1006
# See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#underscoreheadersstrategy)
1007
underscoreHeadersStrategy: # @schema enum:[keep, delete, reject, null]; type:[string, null]
1008
tls:
1009
# -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls)
1010
# @default -- true
1011
enabled: true
1012
options: ""
1013
certResolver: ""
1014
domains: []
1015
http3:
1016
## -- Enable HTTP/3 on the entrypoint
1017
## Enabling it will also enable http3 experimental feature
1018
## https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http3
1019
## There are known limitations when trying to listen on same ports for
1020
## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
1021
## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
1022
enabled: false
1023
advertisedPort: # @schema type:[integer, null]; minimum:0
1024
forwardedHeaders:
1025
# -- Trust forwarded headers information (X-Forwarded-*).
1026
trustedIPs: []
1027
insecure: false
1028
# -- Disable appending RemoteAddr to X-Forwarded-For header (v3.7+).
1029
notAppendXForwardedFor: false
1030
proxyProtocol:
1031
# -- Enable the Proxy Protocol header parsing for the entry point
1032
trustedIPs: []
1033
insecure: false
1034
# @default -- nil
1035
transport:
1036
respondingTimeouts:
1037
readTimeout: # @schema type:[string, integer, null]
1038
writeTimeout: # @schema type:[string, integer, null]
1039
idleTimeout: # @schema type:[string, integer, null]
1040
lifeCycle:
1041
requestAcceptGraceTimeout: # @schema type:[string, integer, null]
1042
graceTimeOut: # @schema type:[string, integer, null]
1043
keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
1044
keepAliveMaxTime: # @schema type:[string, integer, null]
1045
observability: # @schema additionalProperties: false
1046
# -- Enables metrics for this entryPoint.
1047
metrics: # @schema type:[boolean, null]; default: true
1048
# -- Enables access-logs for this entryPoint.
1049
accessLogs: # @schema type:[boolean, null]; default: true
1050
# -- Enables tracing for this entryPoint.
1051
tracing: # @schema type:[boolean, null]; default: true
1052
# -- Defines the tracing verbosity level for this entryPoint.
1053
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
1054
metrics:
1055
# -- When using hostNetwork, use another port to avoid conflict with node exporter:
1056
# https://github.com/prometheus/prometheus/wiki/Default-port-allocations
1057
port: 9100
1058
# -- You may not want to expose the metrics port on production deployments.
1059
# If you want to access it from outside your cluster,
1060
# use `kubectl port-forward` or create a secure ingress
1061
expose:
1062
default: false
1063
# -- The exposed port for this service
1064
exposedPort: 9100
1065
# -- The port protocol (TCP/UDP)
1066
protocol: TCP
1067
observability: # @schema additionalProperties: false
1068
# -- Enables metrics for this entryPoint.
1069
metrics: # @schema type:[boolean, null]; default: true
1070
# -- Enables access-logs for this entryPoint.
1071
accessLogs: # @schema type:[boolean, null]; default: true
1072
# -- Enables tracing for this entryPoint.
1073
tracing: # @schema type:[boolean, null]; default: true
1074
# -- Defines the tracing verbosity level for this entryPoint.
1075
traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
1076
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsoption/)
1077
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
1078
# See EXAMPLE.md for details.
1079
tlsOptions: {}
1080
# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/tls/tlsstore/).
1081
# This is useful if you want to set a default certificate. See EXAMPLE.md for details.
1082
tlsStore: {}
1083
service:
1084
enabled: true
1085
# -- Override the default Service name. Useful for adopting an existing Service (e.g., during migration from another ingress controller).
1086
nameOverride: "" # @schema type:[string, null]
1087
## -- Single service is using `MixedProtocolLBService` feature gate.
1088
## -- When set to false, it will create two Service, one for TCP and one for UDP.
1089
single: true
1090
# -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
1091
annotations: {}
1092
# -- Additional annotations for TCP service only
1093
annotationsTCP: {}
1094
# -- Additional annotations for UDP service only
1095
annotationsUDP: {}
1096
# -- Additional service labels (e.g. for filtering Service by custom labels)
1097
labels: {}
1098
# -- Additional entries here will be added to the Service [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#servicespec-v1-core).
1099
# Cannot contain selector or ports entries.
1100
spec:
1101
type: LoadBalancer
1102
# -- Can be used to create multiple Service.
1103
# See EXAMPLES.md for more details.
1104
additionalServices: {}
1105
autoscaling: # @schema additionalProperties: false
1106
# -- Create HorizontalPodAutoscaler object.
1107
# See EXAMPLES.md for more details.
1108
enabled: false
1109
# -- minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.
1110
minReplicas: # @schema type:[integer, null]; minimum:0
1111
# -- maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
1112
maxReplicas: # @schema type:[integer, null]; minimum:0
1113
# -- metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).
1114
metrics: []
1115
# -- behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).
1116
behavior: {}
1117
# -- scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count.
1118
# @default -- Traefik Deployment
1119
scaleTargetRef:
1120
apiVersion: apps/v1
1121
kind: Deployment
1122
name: "{{ template \"traefik.fullname\" . }}"
1123
persistence:
1124
# -- Enable persistence using Persistent Volume Claims
1125
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
1126
# It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option
1127
enabled: false
1128
name: data
1129
existingClaim: ""
1130
accessMode: ReadWriteOnce
1131
size: 128Mi
1132
storageClass: # @schema type:[string, null]
1133
volumeName: ""
1134
path: /data
1135
annotations: {}
1136
# -- Only mount a subpath of the Volume into the pod
1137
subPath: ""
1138
# -- Certificates resolvers configuration.
1139
# Ref: https://doc.traefik.io/traefik/reference/install-configuration/tls/certificate-resolvers/acme/
1140
# See EXAMPLES.md for more details.
1141
certificatesResolvers: {}
1142
# -- If hostNetwork is true, runs traefik in the host network namespace
1143
# To prevent unschedulable pods due to port collisions, if hostNetwork=true
1144
# and replicas>1, a pod anti-affinity is recommended and will be set if the
1145
# affinity is left as default.
1146
hostNetwork: false
1147
rbac: # @schema additionalProperties: false
1148
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
1149
enabled: true
1150
# -- When set to true: <br />
1151
# 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.<br />
1152
# 2. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers<br />
1153
# **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. <br />
1154
# See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-disableClusterScopeResources) for more details.
1155
namespaced: false
1156
# -- Enable user-facing roles
1157
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
1158
aggregateTo: []
1159
# -- The service account the pods will use to interact with the Kubernetes API
1160
serviceAccount: # @schema additionalProperties: false
1161
# If set, an existing service account is used
1162
# If not set, a service account is created automatically using the fullname template
1163
name: ""
1164
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
1165
serviceAccountAnnotations: {}
1166
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
1167
resources: {}
1168
# -- This example pod anti-affinity forces the scheduler to put traefik pods
1169
# -- on nodes where no other traefik pods are scheduled.
1170
# It should be used when hostNetwork: true to prevent port conflicts
1171
affinity: {}
1172
# podAntiAffinity:
1173
# requiredDuringSchedulingIgnoredDuringExecution:
1174
# - labelSelector:
1175
# matchLabels:
1176
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
1177
# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
1178
# topologyKey: kubernetes.io/hostname
1179
1180
# -- nodeSelector is the simplest recommended form of node selection constraint.
1181
nodeSelector: {}
1182
# -- Tolerations allow the scheduler to schedule pods with matching taints.
1183
tolerations: []
1184
# -- You can use topology spread constraints to control
1185
# how Pods are spread across your cluster among failure-domains.
1186
topologySpreadConstraints: []
1187
# This example topologySpreadConstraints forces the scheduler to put traefik pods
1188
# on nodes where no other traefik pods are scheduled.
1189
# - labelSelector:
1190
# matchLabels:
1191
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
1192
# maxSkew: 1
1193
# topologyKey: kubernetes.io/hostname
1194
# whenUnsatisfiable: DoNotSchedule
1195
1196
# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
1197
priorityClassName: ""
1198
# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
1199
# @default -- See _values.yaml_
1200
securityContext:
1201
allowPrivilegeEscalation: false
1202
capabilities:
1203
drop: [ALL]
1204
readOnlyRootFilesystem: true
1205
# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
1206
# @default -- See _values.yaml_
1207
podSecurityContext:
1208
runAsGroup: 65532
1209
runAsNonRoot: true
1210
runAsUser: 65532
1211
seccompProfile:
1212
type: RuntimeDefault
1213
#
1214
# -- Extra objects to deploy (value evaluated as a template)
1215
#
1216
# In some cases, it can avoid the need for additional, extended or adhoc deployments.
1217
# See #595 for more details and traefik/tests/values/extra.yaml for example.
1218
extraObjects: []
1219
# -- This field overrides the default Release Namespace for Helm.
1220
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
1221
namespaceOverride: ""
1222
# -- This field overrides the default app.kubernetes.io/instance label for all Objects.
1223
instanceLabelOverride: ""
1224
# -- This field overrides the default version extracted from image.tag. Required when pinning by `image.digest`, since the version cannot be derived from a digest.
1225
versionOverride: ""
1226
# -- overrides the app.kubernetes.io/name label
1227
nameOverride: ""
1228
# -- Overrides the resource name for templates (i.e deployment, service, etc..)
1229
fullnameOverride: ""
1230
# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
1231
hub: # @schema additionalProperties: false
1232
# -- Name of `Secret` with key 'token' set to a valid license token.
1233
# It enables API Gateway.
1234
token: ""
1235
# -- Mount path for token secret.
1236
tokenMountPath: "/etc/secrets"
1237
# -- Disables all external network connections.
1238
offline: # @schema type:[boolean, null]
1239
# -- By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
1240
namespaces: [] # @schema required:true
1241
apimanagement:
1242
# -- Set to true in order to enable API Management. Requires a valid license token.
1243
enabled: false
1244
admission:
1245
# -- WebHook admission server listen address. Default: "0.0.0.0:9943".
1246
listenAddr: ""
1247
# -- Certificate name of the WebHook admission server. Default: "hub-agent-cert".
1248
secretName: "hub-agent-cert"
1249
# -- By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details.
1250
selfManagedCertificate: false
1251
# -- Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding.
1252
customWebhookCertificate: {}
1253
# -- Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update.
1254
restartOnCertificateChange: true
1255
# -- Set custom annotations.
1256
annotations: {}
1257
openApi:
1258
# -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
1259
validateRequestMethodAndPath: false
1260
mcpgateway:
1261
# -- Set to true in order to enable AI MCP Gateway. Requires a valid license token.
1262
enabled: false
1263
# -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
1264
maxRequestBodySize: # @schema type:[integer, null]; minimum:0
1265
aigateway:
1266
# -- Set to true in order to enable AI Gateway. Requires a valid license token.
1267
enabled: false
1268
# -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
1269
maxRequestBodySize: # @schema type:[integer, null]; minimum:0
1270
providers:
1271
consulCatalogEnterprise:
1272
# -- Enable Consul Catalog Enterprise backend with default settings.
1273
enabled: false
1274
# -- Use local agent caching for catalog reads.
1275
cache: false
1276
# -- Enable Consul Connect support.
1277
connectAware: false
1278
# -- Consider every service as Connect capable by default.
1279
connectByDefault: false
1280
# -- Constraints is an expression that Traefik matches against the container's labels
1281
constraints: ""
1282
# -- Default rule.
1283
defaultRule: "Host(`{{ normalize .Name }}`)"
1284
endpoint:
1285
# -- The address of the Consul server
1286
address: ""
1287
# -- Data center to use. If not provided, the default agent data center is used
1288
datacenter: ""
1289
# -- WaitTime limits how long a Watch will block. If not provided, the agent default
1290
endpointWaitTime: # @schema type:[integer, null]
1291
httpauth:
1292
# -- Basic Auth password
1293
password: ""
1294
# -- Basic Auth username
1295
username: ""
1296
# -- The URI scheme for the Consul server
1297
scheme: ""
1298
tls:
1299
# -- TLS CA
1300
ca: ""
1301
# -- TLS cert
1302
cert: ""
1303
# -- TLS insecure skip verify
1304
insecureSkipVerify: false
1305
# -- TLS key
1306
key: ""
1307
# -- Token is used to provide a per-request ACL token which overrides the agent's
1308
token: ""
1309
# -- Expose containers by default.
1310
exposedByDefault: true
1311
# -- Sets the namespaces used to discover services (Consul Enterprise only).
1312
namespaces: ""
1313
# -- Sets the partition used to discover services (Consul Enterprise only).
1314
partition: ""
1315
# -- Prefix for consul service tags.
1316
prefix: "traefik"
1317
# -- Interval for checking Consul API.
1318
refreshInterval: 15
1319
# -- Forces the read to be fully consistent.
1320
requireConsistent: false
1321
# -- Name of the Traefik service in Consul Catalog (needs to be registered via the
1322
serviceName: "traefik"
1323
# -- Use stale consistency for catalog reads.
1324
stale: false
1325
# -- A list of service health statuses to allow taking traffic.
1326
strictChecks: "passing, warning"
1327
# -- Watch Consul API events.
1328
watch: false
1329
microcks:
1330
# -- Enable Microcks provider.
1331
enabled: false
1332
auth:
1333
# -- Microcks API client ID.
1334
clientId: ""
1335
# -- Microcks API client secret.
1336
clientSecret: ""
1337
# -- Microcks API endpoint.
1338
endpoint: ""
1339
# -- Microcks API token.
1340
token: ""
1341
# -- Microcks API endpoint.
1342
endpoint: ""
1343
# -- Polling interval for Microcks API.
1344
pollInterval: 30
1345
# -- Polling timeout for Microcks API.
1346
pollTimeout: 5
1347
tls:
1348
# -- TLS CA
1349
ca: ""
1350
# -- TLS cert
1351
cert: ""
1352
# -- TLS insecure skip verify
1353
insecureSkipVerify: false
1354
# -- TLS key
1355
key: ""
1356
multicluster:
1357
# -- Enable Multi-cluster provider.
1358
enabled: false
1359
# -- Polling interval for Multi-cluster.
1360
pollInterval: 5
1361
# -- Polling timeout for Multi-cluster.
1362
pollTimeout: 5
1363
# @schema mergeProperties: true
1364
# -- Child cluster configurations, keyed by a unique name.
1365
# @default -- {}
1366
children:
1367
# @schema additionalProperties: false
1368
cluster-1:
1369
# -- URL of the child cluster's uplink entrypoint.
1370
address: ""
1371
# -- TLS and transport configuration for connecting to this child.
1372
# @default -- {}
1373
serversTransport:
1374
# @schema type:[boolean, null]
1375
# -- Disable TLS certificate verification. **Not recommended for production.**
1376
# @default -- false
1377
insecureSkipVerify:
1378
# -- Server name used for SNI and certificate verification.
1379
serverName: ""
1380
rootCAs: []
1381
certificates: []
1382
# @schema type:[integer, null]
1383
# -- Maximum idle connections per host.
1384
# @default -- 200
1385
maxIdleConnsPerHost:
1386
# @schema type:[boolean, null]
1387
# -- Disable HTTP/2 for connections to this child.
1388
# @default -- false
1389
disableHTTP2:
1390
# -- Minimum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
1391
minVersion: ""
1392
# -- Maximum TLS version (e.g. `VersionTLS12`, `VersionTLS13`).
1393
maxVersion: ""
1394
# -- List of supported cipher suites for TLS versions up to 1.2.
1395
cipherSuites: []
1396
# -- URI used to match against SAN URIs during the server's certificate verification.
1397
peerCertURI: ""
1398
forwardingTimeouts:
1399
# @schema type:[string, integer, null]
1400
# -- Timeout for establishing connections.
1401
# @default -- 30s
1402
dialTimeout:
1403
# @schema type:[string, integer, null]
1404
# -- Timeout for reading response headers.
1405
# @default -- 0s
1406
responseHeaderTimeout:
1407
# @schema type:[string, integer, null]
1408
# -- Timeout for idle connections.
1409
# @default -- 90s
1410
idleConnTimeout:
1411
# @schema type:[string, integer, null]
1412
# -- Timeout for HTTP/2 server ping frames.
1413
# @default -- 15s
1414
pingTimeout:
1415
# @schema type:[string, integer, null]
1416
# -- Timeout for HTTP/2 connection idle reads.
1417
# @default -- 0s
1418
readIdleTimeout:
1419
# @schema type:[string, integer, null]
1420
# -- Timeout for reading the request body.
1421
# @default -- 0s
1422
readTimeout:
1423
# @schema type:[string, integer, null]
1424
# -- Timeout for writing the response.
1425
# @default -- 0s
1426
writeTimeout:
1427
spiffe:
1428
ids: []
1429
# @schema type:[string, integer, null]
1430
# -- SPIFFE trust domain.
1431
trustDomain: ""
1432
# @schema additionalProperties: false
1433
nutanixPrismCentral:
1434
# -- Enable Nutanix Prism Central provider.
1435
enabled: false
1436
# -- Prism Central endpoint.
1437
endpoint: ""
1438
# -- Prism Central username.
1439
username: ""
1440
# -- Prism Central password.
1441
password: ""
1442
# -- Prism Central API key.
1443
apiKey: ""
1444
# -- Base configuration file path.
1445
filename: ""
1446
# -- Polling interval for Nutanix Prism Central API.
1447
pollInterval: 30
1448
# -- Polling timeout for Nutanix Prism Central API.
1449
pollTimeout: 5
1450
# -- Category key used to derive the service name.
1451
serviceNameCategoryKey: "TraefikServiceName"
1452
# -- Filter VMs by VPCs. List of `{ uuid: "<vpc-uuid>" }` entries.
1453
allowedVpcs: []
1454
tls:
1455
# -- TLS CA
1456
ca: ""
1457
# -- TLS cert
1458
cert: ""
1459
# -- TLS key
1460
key: ""
1461
# -- TLS insecure skip verify
1462
insecureSkipVerify: false
1463
redis:
1464
# -- Enable Redis Cluster. Default: true.
1465
cluster: # @schema type:[boolean, null]
1466
# -- Database used to store information. Default: "0".
1467
database: # @schema type:[string, null]
1468
# -- Endpoints of the Redis instances to connect to. Default: "".
1469
endpoints: ""
1470
# -- The username to use when connecting to Redis endpoints. Default: "".
1471
username: ""
1472
# -- The password to use when connecting to Redis endpoints. Default: "".
1473
password: ""
1474
sentinel:
1475
# -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
1476
masterset: ""
1477
# -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
1478
username: ""
1479
# -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
1480
password: ""
1481
# -- Timeout applied on connection with redis. Default: "0s".
1482
timeout: ""
1483
tls:
1484
# -- Path to the certificate authority used for the secured connection.
1485
ca: ""
1486
# -- Path to the public certificate used for the secure connection.
1487
cert: ""
1488
# -- Path to the private key used for the secure connection.
1489
key: ""
1490
# -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
1491
insecureSkipVerify: false
1492
# Enable export of error logs to the platform. Default: true.
1493
sendlogs: # @schema type:[boolean, null]
1494
tracing:
1495
additionalTraceHeaders:
1496
# -- Tracing headers to duplicate.
1497
# To configure the following, tracing.otlp.enabled needs to be set to true.
1498
# @default -- See below
1499
enabled: false
1500
traceContext:
1501
# -- Name of the header that will contain the parent-id header copy.
1502
parentId: ""
1503
# -- Name of the header that will contain the trace-id copy.
1504
traceId: ""
1505
# -- Name of the header that will contain the traceparent copy.
1506
traceParent: ""
1507
# -- Name of the header that will contain the tracestate copy.
1508
traceState: ""
1509
# Define private plugin sources
1510
pluginRegistry:
1511
sources: {}
1512
# -- Required for OCI Marketplace integration.
1513
# See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm
1514
# @default -- See _values.yaml_
1515
oci_meta:
1516
# -- Enable specific values for Oracle Cloud Infrastructure
1517
enabled: false
1518
# -- It needs to be an ocir repo
1519
repo: cgr.dev
1520
images:
1521
proxy:
1522
image: chainguard-private/traefik
1523
tag: latest@sha256:cf9f07aaf3f4358fecfca60f4feac4a8428b6d212b8fe35a94c84cd5a5e2b540
1524
hub:
1525
image: chainguard-private/traefik
1526
tag: latest@sha256:cf9f07aaf3f4358fecfca60f4feac4a8428b6d212b8fe35a94c84cd5a5e2b540
1527
# -- Required for IBM Cloud Marketplace integration.
1528
# Injected by IBM Cloud Catalog when deploying via IBM Cloud Schematics. This value is not used by the chart.
1529
offering_version: "" # @schema type:[string, null]
1530
# -- Allow the Helm chart to be used as optional subchart.
1531
enabled: true # @schema type:boolean; const:true
1532

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.