VeryStrongFingers · July 31, 2020 13:25
diff --git a/helm-traefik-values.yaml b/helm-traefik-values.yaml
 # Default values for Traefik
 image:
  name: traefik
  tag: 2.2.5

 #
 # Configure the deployment
 #
 deployment:
  enabled: true
  # Number of pods of the deployment
  replicas: 1
  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  podAnnotations: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
      - name: data
        mountPath: /data
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/containous/traefik/issues/6972


 # Pod disruption budget
 podDisruptionBudget:
  enabled: false
  # maxUnavailable: 1
  # minAvailable: 0

 # Create an IngressRoute for the dashboard
 ingressRoute:
  dashboard:
    enabled: true
    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}

 rollingUpdate:
  maxUnavailable: 1
  maxSurge: 1


 #
 # Configure providers
 #
 providers:
  kubernetesCRD:
    enabled: true
  kubernetesIngress:
    enabled: true

 #
 # Add volumes to the traefik pod.
 # This can be used to mount a cert pair or a configmap that holds a config.toml file.
 # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
 # additionalArguments:
 # - "--providers.file.filename=/config/dynamic.toml"
 volumes: []
 # - name: public-cert
 #   mountPath: "/certs"
 #   type: secret
 # - name: configs
 #   mountPath: "/config"
 #   type: configMap

 globalArguments:
  - "--global.checknewversion"

 #
 # Configure Traefik static configuration
 # Additional arguments to be passed at Traefik's binary
 # All available options available on https://docs.traefik.io/reference/static-configuration/cli/
 ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
 additionalArguments:
  - "--certificatesresolvers.trackthiscf.acme.storage=/data/acme.json"
  - "--certificatesresolvers.trackthiscf.acme.dnschallenge=true"
  - "--certificatesresolvers.trackthiscf.acme.dnschallenge.provider=cloudflare"
  - "--certificatesresolvers.trackthiscf.acme.email=CHANGEME@EMAIL.COM"
 #  - "--providers.kubernetesingress.ingressclass=traefik-internal"
  - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
  - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
  - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32"
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32"

 # Environment variables to be passed to Traefik's binary
 env: 
  - name: CLOUDFLARE_DNS_API_TOKEN
    valueFrom:
      secretKeyRef:
        name: cloudflare
        key: CLOUDFLARE_DNS_API_TOKEN

 # - name: SOME_VAR
 #   value: some-var-value
 # - name: SOME_VAR_FROM_CONFIG_MAP
 #   valueFrom:
 #     configMapRef:
 #       name: configmap-name
 #       key: config-key
 # - name: SOME_SECRET
 #   valueFrom:
 #     secretKeyRef:
 #       name: secret-name
 #       key: secret-key

 envFrom: []
 # - configMapRef:
 #     name: config-map-name
 # - secretRef:
 #     name: secret-name

 # Configure ports
 ports:
  # The name of this one can't be changed as it is used for the readiness and
  # liveness probes, but you can adjust its config to your liking
  traefik:
    port: 9000
    # Use hostPort if set.
    # hostPort: 9000

    # Defines whether the port is exposed if service.type is LoadBalancer or
    # NodePort.
    #
    # You SHOULD NOT expose the traefik port on production deployments.
    # If you want to access it from outside of your cluster,
    # use `kubectl proxy` or create a secure ingress
    expose: false
    # The exposed port for this service
    exposedPort: 9000
    # The port protocol (TCP/UDP)
    protocol: TCP
  web:
    port: 8000
    # hostPort: 8000
    expose: true
    exposedPort: 80
    # The port protocol (TCP/UDP)
    protocol: TCP
    # Use nodeport if set. This is useful if you have configured Traefik in a
    # LoadBalancer
    # nodePort: 32080
  websecure:
    port: 8443
    # hostPort: 8443
    expose: true
    exposedPort: 443
    # The port protocol (TCP/UDP)
    protocol: TCP
    # nodePort: 32443

 # Options for the main traefik service, where the entrypoints traffic comes
 # from.
 service:
  enabled: true
  type: LoadBalancer
  # Additional annotations (e.g. for cloud provider specific config)
  annotations: {}
  # Additional entries here will be added to the service spec. Cannot contains
  # type, selector or ports entries.
  spec: {}
  externalTrafficPolicy: Local
    # loadBalancerIP: "1.2.3.4"
    # clusterIP: "2.3.4.5"
  loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
  externalIPs: []
    # - 1.2.3.4

 ## Create HorizontalPodAutoscaler object.
 ##
 autoscaling:
  enabled: false
 #   minReplicas: 1
 #   maxReplicas: 10
 #   metrics:
 #   - type: Resource
 #     resource:
 #       name: cpu
 #       targetAverageUtilization: 60
 #   - type: Resource
 #     resource:
 #       name: memory
 #       targetAverageUtilization: 60

 # Enable persistence using Persistent Volume Claims
 # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
 # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
 # additionalArguments:
 # - "--certificatesresolvers.le.acme.storage=/data/acme.json"
 # It will persist TLS certificates.
 persistence:
  enabled: true
 #  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  # storageClass: ""
  path: /data
  annotations: {
    "pv.beta.kubernetes.io/gid": "65532"
  }
  # subPath: "" # only mount a subpath of the Volume into the pod

 # If hostNetwork is true, runs traefik in the host network namespace
 # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
 # and replicas>1, a pod anti-affinity is recommended and will be set if the
 # affinity is left as default.
 hostNetwork: false

 # Whether Role Based Access Control objects like roles and rolebindings should be created
 rbac:
  enabled: true

  # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
  # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
  namespaced: false

 # The service account the pods will use to interact with the Kubernetes API
 serviceAccount:
  # If set, an existing service account is used
  # If not set, a service account is created automatically using the fullname template
  name: ""

 # Additional serviceAccount annotations (e.g. for oidc authentication)
 serviceAccountAnnotations: {}

 resources: {}
  # requests:
  #   cpu: "100m"
  #   memory: "50Mi"
  # limits:
  #   cpu: "300m"
  #   memory: "150Mi"
 affinity: {}
 # # This example pod anti-affinity forces the scheduler to put traefik pods
 # # on nodes where no other traefik pods are scheduled.
 # # It should be used when hostNetwork: true to prevent port conflicts
 #   podAntiAffinity:
 #     requiredDuringSchedulingIgnoredDuringExecution:
 #     - labelSelector:
 #         matchExpressions:
 #         - key: app
 #           operator: In
 #           values:
 #           - {{ template "traefik.name" . }}
 #       topologyKey: failure-domain.beta.kubernetes.io/zone
 nodeSelector: {}
 tolerations: []

 # Pods can have priority.
 # Priority indicates the importance of a Pod relative to other Pods.
 priorityClassName: ""

 # Set the container security context
 # To run the container with ports below 1024 this will need to be adjust to run as root
 securityContext:
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532

 podSecurityContext:
  fsGroup: 65532
	# Default values for Traefik
	image:
	name: traefik
	tag: 2.2.5

	#
	# Configure the deployment
	#
	deployment:
	enabled: true
	# Number of pods of the deployment
	replicas: 1
	# Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
	annotations: {}
	# Additional pod annotations (e.g. for mesh injection or prometheus scraping)
	podAnnotations: {}
	# Additional containers (e.g. for metric offloading sidecars)
	additionalContainers: []
	# Additional initContainers (e.g. for setting file permission as shown below)
	initContainers:
	- name: volume-permissions
	image: busybox:1.31.1
	command: ["sh", "-c", "chmod -Rv 600 /data/*"]
	volumeMounts:
	- name: data
	mountPath: /data
	# The "volume-permissions" init container is required if you run into permission issues.
	# Related issue: https://github.com/containous/traefik/issues/6972


	# Pod disruption budget
	podDisruptionBudget:
	enabled: false
	# maxUnavailable: 1
	# minAvailable: 0

	# Create an IngressRoute for the dashboard
	ingressRoute:
	dashboard:
	enabled: true
	# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
	annotations: {}
	# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
	labels: {}

	rollingUpdate:
	maxUnavailable: 1
	maxSurge: 1


	#
	# Configure providers
	#
	providers:
	kubernetesCRD:
	enabled: true
	kubernetesIngress:
	enabled: true

	#
	# Add volumes to the traefik pod.
	# This can be used to mount a cert pair or a configmap that holds a config.toml file.
	# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
	# additionalArguments:
	# - "--providers.file.filename=/config/dynamic.toml"
	volumes: []
	# - name: public-cert
	# mountPath: "/certs"
	# type: secret
	# - name: configs
	# mountPath: "/config"
	# type: configMap

	globalArguments:
	- "--global.checknewversion"

	#
	# Configure Traefik static configuration
	# Additional arguments to be passed at Traefik's binary
	# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
	## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
	additionalArguments:
	- "--certificatesresolvers.trackthiscf.acme.storage=/data/acme.json"
	- "--certificatesresolvers.trackthiscf.acme.dnschallenge=true"
	- "--certificatesresolvers.trackthiscf.acme.dnschallenge.provider=cloudflare"
	- "--certificatesresolvers.trackthiscf.acme.email=CHANGEME@EMAIL.COM"
	# - "--providers.kubernetesingress.ingressclass=traefik-internal"
	- "--entryPoints.web.http.redirections.entryPoint.to=websecure"
	- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
	- "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32"
	- "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32"

	# Environment variables to be passed to Traefik's binary
	env:
	- name: CLOUDFLARE_DNS_API_TOKEN
	valueFrom:
	secretKeyRef:
	name: cloudflare
	key: CLOUDFLARE_DNS_API_TOKEN

	# - name: SOME_VAR
	# value: some-var-value
	# - name: SOME_VAR_FROM_CONFIG_MAP
	# valueFrom:
	# configMapRef:
	# name: configmap-name
	# key: config-key
	# - name: SOME_SECRET
	# valueFrom:
	# secretKeyRef:
	# name: secret-name
	# key: secret-key

	envFrom: []
	# - configMapRef:
	# name: config-map-name
	# - secretRef:
	# name: secret-name

	# Configure ports
	ports:
	# The name of this one can't be changed as it is used for the readiness and
	# liveness probes, but you can adjust its config to your liking
	traefik:
	port: 9000
	# Use hostPort if set.
	# hostPort: 9000

	# Defines whether the port is exposed if service.type is LoadBalancer or
	# NodePort.
	#
	# You SHOULD NOT expose the traefik port on production deployments.
	# If you want to access it from outside of your cluster,
	# use `kubectl proxy` or create a secure ingress
	expose: false
	# The exposed port for this service
	exposedPort: 9000
	# The port protocol (TCP/UDP)
	protocol: TCP
	web:
	port: 8000
	# hostPort: 8000
	expose: true
	exposedPort: 80
	# The port protocol (TCP/UDP)
	protocol: TCP
	# Use nodeport if set. This is useful if you have configured Traefik in a
	# LoadBalancer
	# nodePort: 32080
	websecure:
	port: 8443
	# hostPort: 8443
	expose: true
	exposedPort: 443
	# The port protocol (TCP/UDP)
	protocol: TCP
	# nodePort: 32443

	# Options for the main traefik service, where the entrypoints traffic comes
	# from.
	service:
	enabled: true
	type: LoadBalancer
	# Additional annotations (e.g. for cloud provider specific config)
	annotations: {}
	# Additional entries here will be added to the service spec. Cannot contains
	# type, selector or ports entries.
	spec: {}
	externalTrafficPolicy: Local
	# loadBalancerIP: "1.2.3.4"
	# clusterIP: "2.3.4.5"
	loadBalancerSourceRanges: []
	# - 192.168.0.1/32
	# - 172.16.0.0/16
	externalIPs: []
	# - 1.2.3.4

	## Create HorizontalPodAutoscaler object.
	##
	autoscaling:
	enabled: false
	# minReplicas: 1
	# maxReplicas: 10
	# metrics:
	# - type: Resource
	# resource:
	# name: cpu
	# targetAverageUtilization: 60
	# - type: Resource
	# resource:
	# name: memory
	# targetAverageUtilization: 60

	# Enable persistence using Persistent Volume Claims
	# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
	# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
	# additionalArguments:
	# - "--certificatesresolvers.le.acme.storage=/data/acme.json"
	# It will persist TLS certificates.
	persistence:
	enabled: true
	# existingClaim: ""
	accessMode: ReadWriteOnce
	size: 128Mi
	# storageClass: ""
	path: /data
	annotations: {
	"pv.beta.kubernetes.io/gid": "65532"
	}
	# subPath: "" # only mount a subpath of the Volume into the pod

	# If hostNetwork is true, runs traefik in the host network namespace
	# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
	# and replicas>1, a pod anti-affinity is recommended and will be set if the
	# affinity is left as default.
	hostNetwork: false

	# Whether Role Based Access Control objects like roles and rolebindings should be created
	rbac:
	enabled: true

	# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
	# If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
	namespaced: false

	# The service account the pods will use to interact with the Kubernetes API
	serviceAccount:
	# If set, an existing service account is used
	# If not set, a service account is created automatically using the fullname template
	name: ""

	# Additional serviceAccount annotations (e.g. for oidc authentication)
	serviceAccountAnnotations: {}

	resources: {}
	# requests:
	# cpu: "100m"
	# memory: "50Mi"
	# limits:
	# cpu: "300m"
	# memory: "150Mi"
	affinity: {}
	# # This example pod anti-affinity forces the scheduler to put traefik pods
	# # on nodes where no other traefik pods are scheduled.
	# # It should be used when hostNetwork: true to prevent port conflicts
	# podAntiAffinity:
	# requiredDuringSchedulingIgnoredDuringExecution:
	# - labelSelector:
	# matchExpressions:
	# - key: app
	# operator: In
	# values:
	# - {{ template "traefik.name" . }}
	# topologyKey: failure-domain.beta.kubernetes.io/zone
	nodeSelector: {}
	tolerations: []

	# Pods can have priority.
	# Priority indicates the importance of a Pod relative to other Pods.
	priorityClassName: ""

	# Set the container security context
	# To run the container with ports below 1024 this will need to be adjust to run as root
	securityContext:
	capabilities:
	drop: [ALL]
	readOnlyRootFilesystem: true
	runAsGroup: 65532
	runAsNonRoot: true
	runAsUser: 65532

	podSecurityContext:
	fsGroup: 65532