traefik

Helm chart
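# Default values for Traefik
# This is a YAML-formatted file.
# Declare variables to be passed into templates

image:  # @schema additionalProperties: false
  # -- Traefik image host registry
  registry: cgr.dev
  # -- Traefik image repository
  repository: chainguard-private/traefik
  # -- defaults to appVersion. It's used for version checking, even prefixed with experimental- or latest-.
  # When a digest is required, `versionOverride` can be used to set the version.
  # The `@sha256:` suffix pins the pull to one image digest, so the mutable
  # `latest` part no longer decides which image runs. Update the digest
  # deliberately when upgrading.
  tag: latest@sha256:00c8d34e78e9be27dfefe0dbc607ca2733d37db51ad2f9e11570657667328fd6  # @schema type:[string, null]
  # -- Traefik image pull policy
  pullPolicy: IfNotPresent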
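# -- Add additional label to all resources
commonLabels: {}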
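# NOTE(review): nesting restored from a flattened listing; confirm key
# placement against the chart's own values.yaml.
deployment:
  # -- Enable deployment
  enabled: true
  # -- Deployment or DaemonSet
  kind: Deployment
  # -- Number of pods of the deployment (only applies when kind == Deployment)
  replicas: 1
  # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
  revisionHistoryLimit:  # @schema type:[integer, null];minimum:0
  # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
  terminationGracePeriodSeconds: 60
  # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
  minReadySeconds: 0
  ## -- Override the liveness/readiness port. This is useful to integrate traefik
  ## with an external Load Balancer that performs healthchecks.
  ## Default: ports.traefik.port
  healthchecksPort:  # @schema type:[integer, null];minimum:0
  ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
  ## Default: ports.traefik.hostIP if set, otherwise Pod IP
  healthchecksHost: ""
  ## -- Override the liveness/readiness scheme. Useful for getting ping to
  ## respond on websecure entryPoint.
  healthchecksScheme:  # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
  ## -- Override the readiness path.
  ## Default: /ping
  readinessPath: ""
  # -- Override the liveness path.
  # Default: /ping
  livenessPath: ""
  # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # -- Additional deployment labels (e.g. for filtering deployment by custom labels)
  labels: {}
  # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
  podAnnotations: {}
  # -- Additional Pod labels (e.g. for filtering Pod by custom labels)
  # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
  podLabels: {}
  # -- Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
  # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
  # - name: socat-proxy
  #   image: alpine/socat:1.0.5
  #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
  #   volumeMounts:
  #     - name: dsdsocket
  #       mountPath: /socket
  # -- Additional volumes available for use with initContainers and additionalContainers
  # A hostPath volume, as in the example below, exposes part of the node's
  # filesystem to the pod. Keep the path as narrow as the sidecar needs.
  additionalVolumes: []
  # - name: dsdsocket
  #   hostPath:
  #     path: /var/run/statsd-exporter
  # -- Additional initContainers (e.g. for setting file permission as shown below)
  initContainers: []
  # The "volume-permissions" init container is required if you run into permission issues.
  # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
  # The example uses the mutable `latest` tag. Pin helper images to a fixed
  # version or digest when copying it.
  # - name: volume-permissions
  #   image: busybox:latest
  #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
  #   volumeMounts:
  #     - name: data
  #       mountPath: /data
  # -- Use process namespace sharing
  # When true, every container in the pod can see the other containers'
  # processes. Leave false unless a sidecar requires it.
  shareProcessNamespace: false
  # -- Custom pod DNS policy. Apply if `hostNetwork: true`
  dnsPolicy: ""
  # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
  dnsConfig: {}
  # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
  hostAliases: []
  # -- Pull secret for fetching traefik container image
  imagePullSecrets: []
  # -- Pod lifecycle actions
  lifecycle: {}
  # preStop:
  #   sleep:
  #     seconds: 20
  # postStart:
  #   httpGet:
  #     path: /ping
  #     port: 8080
  #     host: localhost
  #     scheme: HTTP
  # -- Set a runtimeClassName on pod
  runtimeClassName: ""
  # -- Percentage of memory limit to set for GOMEMLIMIT
  # -- set as decimal (0.9 = 90%, 0.95 = 95% etc)
  # -- only takes effect when resources.limits.memory is set
  goMemLimitPercentage: 0.9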
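# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
# @default -- See _values.yaml_
podDisruptionBudget:  # @schema additionalProperties: false
  enabled: false
  # A Kubernetes PodDisruptionBudget accepts only one of maxUnavailable and
  # minAvailable. Set at most one of the two keys below.
  maxUnavailable:  # @schema type:[string, integer, null];minimum:0
  minAvailable:  # @schema type:[string, integer, null];minimum:0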
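ingressClass:  # @schema additionalProperties: false
  # -- Create a default IngressClass for Traefik
  enabled: true
  # When true, Ingress objects that name no class are handled by this
  # controller.
  isDefaultClass: true
  name: ""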
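core:  # @schema additionalProperties: false
  # -- Can be used to use globally v2 router syntax. Deprecated since v3.4 /!\.
  # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
  defaultRuleSyntax: ""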
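# Traefik experimental features
# NOTE(review): nesting restored from a flattened listing; confirm key
# placement against the chart's own values.yaml.
experimental:
  # -- Defines whether all plugins must be loaded successfully for Traefik to start
  abortOnPluginFailure: false
  fastProxy:
    # -- Enables the FastProxy implementation.
    enabled: false
    # -- Enable debug mode for the FastProxy implementation.
    debug: false
  kubernetesGateway:
    # -- Enable traefik experimental GatewayClass CRD
    enabled: false
  # -- Enable experimental plugins
  # Plugins are third-party code running inside the proxy. Declare each one
  # with an explicit version and review it before enabling.
  plugins: {}
  # -- Enable experimental local plugins
  localPlugins: {}
  # -- Enable OTLP logging experimental feature.
  otlpLogs: false
  # -- Enable Knative provider experimental feature.
  knative: false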
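# NOTE(review): nesting restored from a flattened listing; confirm key
# placement against the chart's own values.yaml.
gateway:
  # -- When providers.kubernetesGateway.enabled, deploy a default gateway
  enabled: true
  # -- Set a custom name to gateway
  name: ""
  # -- By default, Gateway is created in the same `Namespace` as Traefik.
  namespace: ""
  # -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
  annotations: {}
  # -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
  infrastructure: {}
  # -- Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways)
  # by setting the `defaultScope` field (e.g. `All` or `None`, the values the schema below accepts).
  defaultScope: null  # @schema enum:["All", "None", null]; type:[string, null]; default: null
  listeners:
    web:
      # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
      # The port must match a port declared in ports section.
      port: 8000
      # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
      hostname: ""
      # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
      protocol: HTTP
      # -- (object) Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
      # Leaving this unset keeps that same-namespace restriction. Widen it
      # only for namespaces that are meant to attach routes to this listener.
      namespacePolicy:  # @schema type:[object, null]
    # websecure listener is disabled by default because certificateRefs needs to be added,
    # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
    # websecure:
    #   # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
    #   # The port must match a port declared in ports section.
    #   port: 8443
    #   # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
    #   hostname:
    #   # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
    #   protocol: HTTPS
    #   # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
    #   namespacePolicy:
    #   # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
    #   certificateRefs:
    #   # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
    #   mode: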
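gatewayClass:  # @schema additionalProperties: false
  # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
  enabled: true
  # -- Set a custom name to GatewayClass
  name: ""
  # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
  labels: {}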
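api:  # @schema additionalProperties: false
  # -- Enable the dashboard
  dashboard: true
  # -- Enable the insecure API (HTTP)
  # In insecure mode Traefik serves the API and dashboard directly on the
  # `traefik` entry point without authentication. Leave unset outside local
  # testing.
  insecure:  # @schema type:[boolean, null]
  # -- Enable the debug API
  # Adds debugging and profiling endpoints to the API. Leave unset in
  # production.
  debug:  # @schema type:[boolean, null]
  # -- Configure API basePath
  basePath: ""  # @schema type:[string, null]; default: "/"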
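# -- Only dashboard & healthcheck IngressRoute are supported.
# It's recommended to create workloads CR outside of this Chart.
# @default -- See _values.yaml_
# NOTE(review): nesting restored from a flattened listing; confirm key
# placement against the chart's own values.yaml.
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: false
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the dashboard ingressRoute
    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    # -- The internal service used for the dashboard ingressRoute
    # @default -- api@internal
    services:
      - name: api@internal
        kind: TraefikService
    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    # Attach an authentication middleware here, and set `tls` below, before
    # adding any externally reachable entry point to `entryPoints`.
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}
  healthcheck:
    # -- Create an IngressRoute for the healthcheck probe
    enabled: false
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the healthcheck ingressRoute
    matchRule: PathPrefix(`/ping`)
    # -- The internal service used for the healthcheck ingressRoute
    # @default -- ping@internal
    services:
      - name: ping@internal
        kind: TraefikService
    # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}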
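updateStrategy:  # @schema additionalProperties: false
  # -- Customize updateStrategy of Deployment or DaemonSet
  type: RollingUpdate
  rollingUpdate:
    # With maxUnavailable 0 and maxSurge 1, a rollout starts one new pod
    # before removing an old one.
    maxUnavailable: 0  # @schema type:[integer, string, null]
    maxSurge: 1  # @schema type:[integer, string, null]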
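readinessProbe:  # @schema additionalProperties: false
  # -- The number of consecutive failures allowed before considering the probe as failed.
  failureThreshold: 1
  # -- The number of seconds to wait before starting the first probe.
  initialDelaySeconds: 2
  # -- The number of seconds to wait between consecutive probes.
  periodSeconds: 10
  # -- The minimum consecutive successes required to consider the probe successful.
  successThreshold: 1
  # -- The number of seconds to wait for a probe response before considering it as failed.
  timeoutSeconds: 2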
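livenessProbe:  # @schema additionalProperties: false
  # -- The number of consecutive failures allowed before considering the probe as failed.
  failureThreshold: 3
  # -- The number of seconds to wait before starting the first probe.
  initialDelaySeconds: 2
  # -- The number of seconds to wait between consecutive probes.
  periodSeconds: 10
  # -- The minimum consecutive successes required to consider the probe successful.
  successThreshold: 1
  # -- The number of seconds to wait for a probe response before considering it as failed.
  timeoutSeconds: 2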
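# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
startupProbe: {}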
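# NOTE(review): nesting restored from a flattened listing; confirm key
# placement against the chart's own values.yaml.
# @schema additionalProperties: false
providers:
  # @schema additionalProperties: false
  kubernetesCRD:
    # -- Load Kubernetes IngressRoute provider
    enabled: true
    # -- Allows IngressRoute to reference resources in namespace other than theirs
    # Keep false on shared clusters: when true, a route in one namespace can
    # reference resources that belong to another.
    allowCrossNamespace: false
    # -- Allows to reference ExternalName services in IngressRoute
    # ExternalName services let a route forward to an arbitrary DNS name.
    # Enable only when that is required.
    allowExternalNameServices: false
    # -- Allows to return 503 when there are no endpoints available
    allowEmptyServices: true
    # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
    ingressClass: ""
    # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector)
    labelSelector: ""
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    # List namespaces explicitly to narrow what this provider reads.
    namespaces: []
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
  # @schema additionalProperties: false
  kubernetesIngress:
    # -- Load Kubernetes Ingress provider
    enabled: true
    # -- Allows to reference ExternalName services in Ingress
    allowExternalNameServices: false
    # -- Allows to return 503 when there are no endpoints available
    allowEmptyServices: true
    # -- Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup)
    disableIngressClassLookup: false
    # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
    ingressClass:  # @schema type:[string, null]
    labelSelector:  # @schema type:[string, null]
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    namespaces: []
    # IP used for Kubernetes Ingress endpoints
    publishedService:
      # -- Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice),
      # usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
      enabled: true
      # -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
      # Default to Service deployed with this Chart.
      pathOverride: ""
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
    # -- Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification.
    strictPrefixMatching: false
  # @schema additionalProperties: false
  kubernetesGateway:
    # -- Enable Traefik Gateway provider for Gateway API
    enabled: false
    # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
    # This option currently enables support for TCPRoute and TLSRoute.
    experimentalChannel: false
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    namespaces: []
    # -- A label selector can be defined to filter on specific GatewayClass objects only.
    labelSelector: ""
    # -- Defines whether to use Native Kubernetes load-balancing mode by default.
    nativeLBByDefault: false
    statusAddress:
      # -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
      ip: ""
      # -- This Hostname will get copied to the Gateway status.addresses.
      hostname: ""
      service:
        # -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
        enabled: true
        name: ""
        namespace: ""
  # @schema additionalProperties: false
  file:
    # -- Create a file provider
    enabled: false
    # -- Allows Traefik to automatically watch for file changes
    watch: true
    # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
    content: ""
  # @schema additionalProperties: false
  kubernetesIngressNginx:
    # -- Enable Kubernetes Ingress NGINX provider (experimental)
    enabled: false
    # -- Ingress Class Controller value this controller satisfies
    controllerClass: "k8s.io/ingress-nginx"
    # -- Name of the ingress class this controller satisfies
    ingressClass: "nginx"
    # -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
    ingressClassByName: false
    # -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
    watchIngressWithoutClass: false
    # -- Namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector.
    watchNamespace: ""
    # -- Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace.
    watchNamespaceSelector: ""
    publishService:
      # -- Service fronting the Ingress controller. Takes the form 'namespace/name'
      enabled: false
      pathOverride: ""
    # -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies
    publishStatusAddress: ""
    # -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
    defaultBackendService: ""
    # -- Disable support for Services of type ExternalName
    disableSvcExternalName: false
    # -- Ingress refresh throttle duration
    throttleDuration: ""
    # -- Kubernetes certificate authority file path (not needed for in-cluster client)
    certAuthFilePath: ""
    # -- Kubernetes server endpoint (required for external cluster client)
    endpoint: ""
    # -- Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token
    # Prefer the file-path form, which keeps the token itself out of Helm
    # values and release history.
    token: ""
  # @schema additionalProperties: false
  knative:
    # -- Enable Knative provider
    enabled: false
    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
    namespaces: []
    # -- Allow filtering Knative Ingress objects
    labelSelector: ""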
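# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# `additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"`
volumes: []
# - name: public-cert
#   mountPath: "/certs"
#   type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
#   mountPath: "/config"
#   type: configMap
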
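# -- Additional volumeMounts to add to the Traefik container
additionalVolumeMounts: []
# -- For instance when using a logshipper for access logs
# - name: traefik-logs
#   mountPath: /var/log/traefik
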
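# NOTE(review): nesting restored from a flattened listing. In particular,
# confirm that each `otlp` block sits under `general` / `access` as shown,
# against the chart's own values.yaml.
logs:
  general:
    # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
    format:  # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
    # By default, the level is set to INFO.
    # -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
    level: "INFO"  # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
    # -- To write the logs into a log file, use the filePath option.
    filePath: ""
    # -- When set to true and format is common, it disables the colorized output.
    noColor: false
    otlp:
      # -- Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled.
      enabled: false
      # -- Service name used in OTLP backend. Default: traefik.
      serviceName:  # @schema type:[string, null]
      http:
        # -- Set to true in order to send logs to the OpenTelemetry Collector using HTTP.
        enabled: false
        # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
        endpoint: ""
        # -- Additional headers sent with logs by the reporter to the OpenTelemetry Collector.
        # Header values may carry collector credentials. Supply them from a
        # protected values source rather than committing them here.
        headers: {}
        ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
        tls:
          # -- The path to the certificate authority, it defaults to the system bundle.
          ca: ""
          # -- The path to the public certificate. When using this option, setting the key option is required.
          cert: ""
          # -- The path to the private key. When using this option, setting the cert option is required.
          key: ""
          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
          # Leave unset: true removes server authentication from the log
          # export channel. Set `ca` instead for a private CA.
          insecureSkipVerify:  # @schema type:[boolean, null]
      grpc:
        # -- Set to true in order to send logs to the OpenTelemetry Collector using gRPC
        enabled: false
        # -- Format: <host>:<port>. Default: "localhost:4317"
        endpoint: ""
        # -- Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol.
        insecure: false
        ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
        tls:
          # -- The path to the certificate authority, it defaults to the system bundle.
          ca: ""
          # -- The path to the public certificate. When using this option, setting the key option is required.
          cert: ""
          # -- The path to the private key. When using this option, setting the cert option is required.
          key: ""
          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
          insecureSkipVerify:  # @schema type:[boolean, null]
      # -- Defines additional resource attributes to be sent to the collector.
      resourceAttributes: {}
  access:
    # -- To enable access logs
    enabled: false
    # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)
    format:  # @schema enum:["common", "genericCLF", "json", null]; type:[string, null]; default: "common"
    # filePath: "/var/log/traefik/access.log"
    # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)
    bufferingSize:  # @schema type:[integer, null]
    # -- Set [timezone](https://doc.traefik.io/traefik/observability/access-logs/#time-zones)
    timezone: ""
    # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)
    # @default -- See below
    filters:  # @schema additionalProperties: false
      # -- Set statusCodes, to limit the access logs to requests with a status codes in the specified range
      statuscodes: ""
      # -- Set retryAttempts, to keep the access logs when at least one retry has happened
      retryattempts: false
      # -- Set minDuration, to keep access logs when requests take longer than the specified duration
      minduration: ""
    # -- Enables accessLogs for internal resources. Default: false.
    addInternals: false
    fields:
      general:
        # -- Set default mode for fields.names
        defaultmode: keep  # @schema enum:[keep, drop, redact]; default: keep
        # -- Names of the fields to limit.
        names: {}
      headers:
        # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)
        # `drop` keeps request headers, including credentials such as
        # Authorization and Cookie, out of the access log. If this is
        # changed to `keep`, set those names to `redact` or `drop` in
        # `names`.
        defaultmode: drop  # @schema enum:[keep, drop, redact]; default: drop
        names: {}
    otlp:
      # -- Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled.
      enabled: false
      # -- Service name used in OTLP backend. Default: traefik.
      serviceName:  # @schema type:[string, null]
      http:
        # -- Set to true in order to send access logs to the OpenTelemetry Collector using HTTP.
        enabled: false
        # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
        endpoint: ""
        # -- Additional headers sent with access logs by the reporter to the OpenTelemetry Collector.
        headers: {}
        ## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
        tls:
          # -- The path to the certificate authority, it defaults to the system bundle.
          ca: ""
          # -- The path to the public certificate. When using this option, setting the key option is required.
          cert: ""
          # -- The path to the private key. When using this option, setting the cert option is required.
          key: ""
          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
          insecureSkipVerify:  # @schema type:[boolean, null]
      grpc:
        # -- Set to true in order to send access logs to the OpenTelemetry Collector using gRPC
        enabled: false
        # -- Format: <host>:<port>. Default: "localhost:4317"
        endpoint: ""
        # -- Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
        insecure: false
        ## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
        tls:
          # -- The path to the certificate authority, it defaults to the system bundle.
          ca: ""
          # -- The path to the public certificate. When using this option, setting the key option is required.
          cert: ""
          # -- The path to the private key. When using this option, setting the cert option is required.
          key: ""
          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
          insecureSkipVerify:  # @schema type:[boolean, null]
      # -- Defines additional resource attributes to be sent to the collector.
      resourceAttributes: {}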
541
metrics:
542
# -- Enable metrics for internal resources. Default: false
543
addInternals: false
544
## Prometheus is enabled by default.
545
## It can be disabled by setting "prometheus: null"
546
prometheus:
547
# -- Entry point used to expose metrics.
548
entryPoint: metrics
549
# -- Enable metrics on entry points. Default: true
550
addEntryPointsLabels: # @schema type:[boolean, null]
551
# -- Enable metrics on routers. Default: false
552
addRoutersLabels: # @schema type:[boolean, null]
553
# -- Enable metrics on services. Default: true
554
addServicesLabels: # @schema type:[boolean, null]
555
# -- Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
556
buckets: ""
557
# -- When manualRouting is true, it disables the default internal router in
558
## order to allow creating a custom router for prometheus@internal service.
559
manualRouting: false
560
# -- Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage.
561
headerLabels: {} # @schema type:[object, null]
562
service:
563
# -- Create a dedicated metrics service to use with ServiceMonitor
564
enabled: false
565
labels: {}
566
annotations: {}
567
# -- When set to true, it won't check if Prometheus Operator CRDs are deployed
568
disableAPICheck: # @schema type:[boolean, null]
569
serviceMonitor:
570
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
571
enabled: false
572
apiVersion: "monitoring.coreos.com/v1"
573
metricRelabelings: []
574
relabelings: []
575
jobLabel: ""
576
interval: ""
577
honorLabels: false
578
scrapeTimeout: ""
579
honorTimestamps: false
580
enableHttp2: false
581
followRedirects: false
582
additionalLabels: {}
583
namespace: ""
584
namespaceSelector: {}
585
prometheusRule:
586
# -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
587
enabled: false
588
apiVersion: "monitoring.coreos.com/v1"
589
additionalLabels: {}
590
namespace: ""
591
# datadog:
592
# ## Address instructs exporter to send metrics to datadog-agent at this address.
593
# address: "127.0.0.1:8125"
594
# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
595
# # pushInterval: 30s
596
# ## The prefix to use for metrics collection. Default="traefik"
597
# # prefix: traefik
598
# ## Enable metrics on entry points. Default=true
599
# # addEntryPointsLabels: false
600
# ## Enable metrics on routers. Default=false
601
# # addRoutersLabels: true
602
# ## Enable metrics on services. Default=true
603
# # addServicesLabels: false
604
# influxdb2:
605
# ## Address instructs exporter to send metrics to influxdb v2 at this address.
606
# address: localhost:8086
607
# ## Token with which to connect to InfluxDB v2.
608
# token: xxx
609
# ## Organisation where metrics will be stored.
610
# org: ""
611
# ## Bucket where metrics will be stored.
612
# bucket: ""
613
# ## The interval used by the exporter to push metrics to influxdb. Default=10s
614
# # pushInterval: 30s
615
# ## Additional labels (influxdb tags) on all metrics.
616
# # additionalLabels:
617
# # env: production
618
# # foo: bar
619
# ## Enable metrics on entry points. Default=true
620
# # addEntryPointsLabels: false
621
# ## Enable metrics on routers. Default=false
622
# # addRoutersLabels: true
623
# ## Enable metrics on services. Default=true
624
# # addServicesLabels: false
625
# statsd:
626
# ## Address instructs exporter to send metrics to statsd at this address.
627
# address: localhost:8125
628
# ## The interval used by the exporter to push metrics to statsd. Default=10s
629
# # pushInterval: 30s
630
# ## The prefix to use for metrics collection. Default="traefik"
631
# # prefix: traefik
632
# ## Enable metrics on entry points. Default=true
633
# # addEntryPointsLabels: false
634
# ## Enable metrics on routers. Default=false
635
# # addRoutersLabels: true
636
# ## Enable metrics on services. Default=true
637
# # addServicesLabels: false
638
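otlp:
  # -- Set to true in order to enable the OpenTelemetry metrics
  enabled: false
  # -- Enable metrics on entry points. Default: true
  addEntryPointsLabels:  # @schema type:[boolean, null]
  # -- Enable metrics on routers. Default: false
  addRoutersLabels:  # @schema type:[boolean, null]
  # -- Enable metrics on services. Default: true
  addServicesLabels:  # @schema type:[boolean, null]
  # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
  explicitBoundaries: []
  # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
  pushInterval: ""
  # -- Service name used in OTLP backend. Default: traefik.
  serviceName:  # @schema type:[string, null]
  http:
    # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
    enabled: false
    # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics
    # An http:// scheme sends the metrics without transport encryption.
    endpoint: ""
    # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
    # If a header carries a collector credential, keep it out of
    # version-controlled values files.
    headers: {}
    ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
    tls:
      # -- The path to the certificate authority, it defaults to the system bundle.
      ca: ""
      # -- The path to the public certificate. When using this option, setting the key option is required.
      cert: ""
      # -- The path to the private key. When using this option, setting the cert option is required.
      key: ""
      # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
      # This removes server authentication, so the collector can be impersonated
      # on the network path. To trust a private CA, set `ca` instead.
      insecureSkipVerify:  # @schema type:[boolean, null]
  grpc:
    # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
    enabled: false
    # -- Format: <host>:<port>. Default: "localhost:4317"
    endpoint: ""
    # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
    # With true, the `tls` settings below give no protection: data and any
    # credentials travel in clear text.
    insecure: false
    ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
    tls:
      # -- The path to the certificate authority, it defaults to the system bundle.
      ca: ""
      # -- The path to the public certificate. When using this option, setting the key option is required.
      cert: ""
      # -- The path to the private key. When using this option, setting the cert option is required.
      key: ""
      # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
      # This removes server authentication; prefer setting `ca` for a private CA.
      insecureSkipVerify:  # @schema type:[boolean, null]
  # -- Defines additional resource attributes to be sent to the collector.
  resourceAttributes: {}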
689
ocsp:
690
# -- Enable OCSP stapling support.
691
# See https://doc.traefik.io/traefik/https/ocsp/#overview
692
enabled: false
693
# -- Defines the OCSP responder URLs to use instead of the one provided by the certificate.
694
responderOverrides: {}
695
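## Tracing
# -- https://doc.traefik.io/traefik/observability/tracing/overview/
# @default -- See _values.yaml_
tracing:  # @schema additionalProperties: false
  # -- Enables tracing for internal resources. Default: false.
  addInternals: false
  # -- Service name used in selected backend. Default: traefik.
  serviceName:  # @schema type:[string, null]
  # -- Defines additional resource attributes to be sent to the collector.
  resourceAttributes: {}
  # -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
  # Header values listed here are copied into span attributes and kept by the
  # tracing backend; leave credential-bearing headers (Authorization, Cookie,
  # API-key headers) off this list.
  capturedRequestHeaders: []
  # -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
  # The same applies to Set-Cookie and other headers that carry session material.
  capturedResponseHeaders: []
  # -- By default, all query parameters are redacted. Defines the list of query parameters to not redact.
  # Every name added here is exported in clear text with the span, so do not
  # list parameters that carry tokens, signatures or personal data.
  safeQueryParams: []
  # -- The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0.
  sampleRate:  # @schema type:[number, null]; minimum:0; maximum:1
  otlp:
    # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/
    enabled: false
    http:
      # -- Set to true in order to send traces to the OpenTelemetry Collector using HTTP.
      enabled: false
      # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing
      # NOTE(review): the conventional OTLP/HTTP path for traces is /v1/traces;
      # confirm the default against the Traefik reference.
      # An http:// scheme sends span data without transport encryption.
      endpoint: ""
      # -- Additional headers sent with traces by the reporter to the OpenTelemetry Collector.
      # If a header carries a collector credential, keep it out of
      # version-controlled values files.
      headers: {}
      ## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        # This removes server authentication, so the collector can be
        # impersonated on the network path. To trust a private CA, set `ca`.
        insecureSkipVerify:  # @schema type:[boolean, null]
    grpc:
      # -- Set to true in order to send traces to the OpenTelemetry Collector using gRPC
      enabled: false
      # -- Format: <host>:<port>. Default: "localhost:4317"
      endpoint: ""
      # -- Allows reporter to send traces to the OpenTelemetry Collector without using a secured protocol.
      # With true, the `tls` settings below give no protection: span data
      # (URLs, captured headers) travels in clear text.
      insecure: false
      ## Defines the TLS configuration used by the reporter to send traces to the OpenTelemetry Collector.
      tls:
        # -- The path to the certificate authority, it defaults to the system bundle.
        ca: ""
        # -- The path to the public certificate. When using this option, setting the key option is required.
        cert: ""
        # -- The path to the private key. When using this option, setting the cert option is required.
        key: ""
        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
        # This removes server authentication; prefer setting `ca` for a private CA.
        insecureSkipVerify:  # @schema type:[boolean, null]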
750
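global:
  # When true, Traefik periodically checks whether a newer release exists,
  # which needs outbound network access. Set to false on egress-restricted
  # clusters or when updates are driven by the image digest alone.
  checkNewVersion: true
  # -- Please take time to consider whether or not you wish to share anonymous data with us
  # See https://doc.traefik.io/traefik/contributing/data-collection/
  sendAnonymousUsage: false
  # -- Required for Azure Marketplace integration.
  # See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart
  # @default -- See _values.yaml_
  azure:
    enabled: false
    # Both references below are pinned by digest: the `@sha256:` part decides
    # which image content is pulled, so the `latest` text does not make them
    # floating references. Change the digest deliberately when updating.
    # NOTE(review): `proxy` and `hub` point at the same repository and the same
    # digest; confirm that this is intended for the hub image.
    images:
      proxy:
        image: chainguard-private/traefik
        tag: latest@sha256:00c8d34e78e9be27dfefe0dbc607ca2733d37db51ad2f9e11570657667328fd6
        registry: cgr.dev
      hub:
        image: chainguard-private/traefik
        tag: latest@sha256:00c8d34e78e9be27dfefe0dbc607ca2733d37db51ad2f9e11570657667328fd6
        registry: cgr.dev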
769
# -- Additional arguments to be passed at Traefik's binary
770
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
771
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
772
additionalArguments: []
773
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
774
# - "--log.level=DEBUG"
775
776
# -- Additional Environment variables to be passed to Traefik's binary
777
env: []
778
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
779
envFrom: []
780
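# @schema mergeProperties: true
ports:
  # @schema additionalProperties: false
  traefik:
    # Internal entry point. Healthchecks default to this port (see
    # `deployment.healthchecksPort`); presumably it also serves the API and
    # dashboard when those are enabled (confirm against the chart templates).
    port: 8080
    # -- Use hostPort if set.
    # A hostPort publishes this port on the node's own address, independently
    # of the Service-level `expose` setting below.
    hostPort:  # @schema type:[integer, null]; minimum:0
    # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
    # means it's listening on all your interfaces and all your IPs. You may want
    # to set this value if you need traefik to listen on specific interface
    # only.
    hostIP:  # @schema type:[string, null]
    # Defines whether the port is exposed if service.type is LoadBalancer or
    # NodePort.
    #
    # -- You SHOULD NOT expose the traefik port on production deployments.
    # If you want to access it from outside your cluster,
    # use `kubectl port-forward` or create a secure ingress
    expose:
      default: false
    # -- The exposed port for this service
    exposedPort: 8080
    # -- The port protocol (TCP/UDP)
    protocol: TCP
    observability:  # @schema additionalProperties: false
      # -- Defines whether a router attached to this EntryPoint produces metrics by default.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Defines whether a router attached to this EntryPoint produces access-logs by default.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Defines whether a router attached to this EntryPoint produces traces by default.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for routers attached to this EntryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  web:
    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
    asDefault:  # @schema type: [boolean, null]; default: null
    port: 8000
    # hostPort: 8000
    # containerPort: 8000
    # Plain-HTTP entry point, published on port 80 by default. Use
    # `http.redirections` below to send clients to `websecure` when no route
    # needs to be served in clear text.
    expose:
      default: true
    exposedPort: 80
    ## -- Different target traefik port on the cluster, useful for IP type LB
    targetPort:  # @schema type:[string, integer, null]; minimum:0
    # The port protocol (TCP/UDP)
    protocol: TCP
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
    nodePort:  # @schema type:[integer, null]; minimum:0
    http:
      redirections:
        # -- Port Redirections
        # Added in 2.2, one can make permanent redirects via entrypoints.
        # Same sets of parameters: to, scheme, permanent and priority.
        # https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example
        entryPoint: {}
    forwardedHeaders:
      # -- Trust forwarded headers information (X-Forwarded-*).
      # List only the addresses or CIDRs of the proxies / load balancers that
      # sit directly in front of Traefik.
      trustedIPs: []
      # With true, X-Forwarded-* headers are trusted from any client, so the
      # client IP seen by IP allow-lists, rate limits and access logs can be
      # spoofed. Keep false and use `trustedIPs`.
      insecure: false
    proxyProtocol:
      # -- Enable the Proxy Protocol header parsing for the entry point
      # List only the load balancers that actually send the PROXY header.
      trustedIPs: []
      # With true, a PROXY protocol header is accepted from any peer, which
      # lets a client forge its source address. Keep false and use `trustedIPs`.
      insecure: false
    # -- Set transport settings for the entrypoint; see also
    # https://doc.traefik.io/traefik/routing/entrypoints/#transport
    # @default -- nil
    transport:
      respondingTimeouts:
        readTimeout:  # @schema type:[string, integer, null]
        writeTimeout:  # @schema type:[string, integer, null]
        idleTimeout:  # @schema type:[string, integer, null]
      lifeCycle:
        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]
        graceTimeOut:  # @schema type:[string, integer, null]
      keepAliveMaxRequests:  # @schema type:[integer, null]; minimum:0
      keepAliveMaxTime:  # @schema type:[string, integer, null]
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  websecure:
    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
    # asDefault: true
    port: 8443
    hostPort:  # @schema type:[integer, null]; minimum:0
    containerPort:  # @schema type:[integer, null]; minimum:0
    expose:
      default: true
    exposedPort: 443
    ## -- Different target traefik port on the cluster, useful for IP type LB
    targetPort:  # @schema type:[string, integer, null]; minimum:0
    ## -- The port protocol (TCP/UDP)
    protocol: TCP
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
    nodePort:  # @schema type:[integer, null]; minimum:0
    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
    appProtocol:  # @schema type:[string, null]
    # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass)
    # Keep false unless a user-defined router is meant to answer ACME
    # challenges in place of Traefik's own handler.
    allowACMEByPass: false
    http:
      # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
      # Each flag controls whether request paths containing that
      # percent-encoded character are accepted. Encoded separators are a
      # common cause of proxy/backend path disagreement, so enable a flag only
      # when a backend requires it. Unset keeps the default of the deployed
      # Traefik version.
      # @default -- nil
      encodedCharacters:  # @schema additionalProperties: false
        allowEncodedSlash:  # @schema type:[boolean, null]
        allowEncodedBackSlash:  # @schema type:[boolean, null]
        allowEncodedNullCharacter:  # @schema type:[boolean, null]
        allowEncodedSemicolon:  # @schema type:[boolean, null]
        allowEncodedPercent:  # @schema type:[boolean, null]
        allowEncodedQuestionMark:  # @schema type:[boolean, null]
        allowEncodedHash:  # @schema type:[boolean, null]
      # -- Maximum size of request headers in bytes. Default: 1048576 (1 MB)
      maxHeaderBytes:  # @schema type:[integer, null]; minimum:0
      # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares)
      middlewares: []  # @schema type: [array, null]
      # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization)
      # The upstream documentation describes turning sanitization off as
      # unsafe; leave unset unless a backend depends on raw paths.
      sanitizePath:  # @schema type:[boolean, null]
      tls:
        # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls)
        # @default -- true
        enabled: true
        # Name of the TLS options to apply; see `tlsOptions` to define a
        # minimum protocol version and cipher suites.
        options: ""
        certResolver: ""
        domains: []
    http3:
      ## -- Enable HTTP/3 on the entrypoint
      ## Enabling it will also enable http3 experimental feature
      ## https://doc.traefik.io/traefik/routing/entrypoints/#http3
      ## There are known limitations when trying to listen on same ports for
      ## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
      ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
      enabled: false
      advertisedPort:  # @schema type:[integer, null]; minimum:0
    forwardedHeaders:
      # -- Trust forwarded headers information (X-Forwarded-*).
      # List only the addresses or CIDRs of the proxies / load balancers that
      # sit directly in front of Traefik.
      trustedIPs: []
      # With true, X-Forwarded-* headers are trusted from any client, so the
      # client IP seen by IP allow-lists, rate limits and access logs can be
      # spoofed. Keep false and use `trustedIPs`.
      insecure: false
    proxyProtocol:
      # -- Enable the Proxy Protocol header parsing for the entry point
      # List only the load balancers that actually send the PROXY header.
      trustedIPs: []
      # With true, a PROXY protocol header is accepted from any peer, which
      # lets a client forge its source address. Keep false and use `trustedIPs`.
      insecure: false
    # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport)
    # @default -- nil
    transport:
      respondingTimeouts:
        readTimeout:  # @schema type:[string, integer, null]
        writeTimeout:  # @schema type:[string, integer, null]
        idleTimeout:  # @schema type:[string, integer, null]
      lifeCycle:
        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]
        graceTimeOut:  # @schema type:[string, integer, null]
      keepAliveMaxRequests:  # @schema type:[integer, null]; minimum:0
      keepAliveMaxTime:  # @schema type:[string, integer, null]
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
  metrics:
    # -- When using hostNetwork, use another port to avoid conflict with node exporter:
    # https://github.com/prometheus/prometheus/wiki/Default-port-allocations
    port: 9100
    # -- You may not want to expose the metrics port on production deployments.
    # If you want to access it from outside your cluster,
    # use `kubectl port-forward` or create a secure ingress
    # Metric labels can reveal router, service and entry point names.
    expose:
      default: false
    # -- The exposed port for this service
    exposedPort: 9100
    # -- The port protocol (TCP/UDP)
    protocol: TCP
    observability:  # @schema additionalProperties: false
      # -- Enables metrics for this entryPoint.
      metrics:  # @schema type:[boolean, null]; default: true
      # -- Enables access-logs for this entryPoint.
      accessLogs:  # @schema type:[boolean, null]; default: true
      # -- Enables tracing for this entryPoint.
      tracing:  # @schema type:[boolean, null]; default: true
      # -- Defines the tracing verbosity level for this entryPoint.
      traceVerbosity:  # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal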
968
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)
969
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
970
# See EXAMPLES.md for details.
971
tlsOptions: {}
972
# -- TLS Stores are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLES.md for details.
973
tlsStore: {}
974
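service:
  enabled: true
  ## -- Single service is using `MixedProtocolLBService` feature gate.
  ## -- When set to false, it will create two Service, one for TCP and one for UDP.
  single: true
  # LoadBalancer publishes every entry point whose `expose.default` is true
  # (web and websecure in this file) outside the cluster. Use ClusterIP when
  # Traefik should only be reachable from inside it.
  type: LoadBalancer
  # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
  annotations: {}
  # -- Additional annotations for TCP service only
  annotationsTCP: {}
  # -- Additional annotations for UDP service only
  annotationsUDP: {}
  # -- Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  # -- Additional entries here will be added to the service spec.
  # -- Cannot contain type, selector or ports entries.
  spec: {}
  # `externalTrafficPolicy: Local` preserves the client source address, which
  # IP allow-lists and `forwardedHeaders.trustedIPs` depend on.
  # externalTrafficPolicy: Cluster
  # loadBalancerIP: "1.2.3.4"
  # clusterIP: "2.3.4.5"
  # An empty list configures no source restriction at the load balancer. Set
  # the client CIDRs here to limit who can reach the published ports (enforced
  # only where the load balancer implementation supports it).
  loadBalancerSourceRanges: []
  # - 192.168.0.1/32
  # - 172.16.0.0/16
  ## -- Class of the load balancer implementation
  # loadBalancerClass: service.k8s.aws/nlb
  # Kubernetes does not manage or validate these addresses; list only IPs that
  # are routed to the cluster nodes and that you control.
  externalIPs: []
  # - 1.2.3.4
  ## One of SingleStack, PreferDualStack, or RequireDualStack.
  # ipFamilyPolicy: SingleStack
  ## List of IP families (e.g. IPv4 and/or IPv6).
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  # ipFamilies:
  #   - IPv4
  #   - IPv6
  ##
  additionalServices: {}
  ## -- An additional and optional internal Service.
  ## Same parameters as external Service
  # internal:
  #   type: ClusterIP
  #   # labels: {}
  #   # annotations: {}
  #   # spec: {}
  #   # loadBalancerSourceRanges: []
  #   # externalIPs: []
  #   # ipFamilies: [ "IPv4","IPv6" ]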
1020
autoscaling: # @schema additionalProperties: false
1021
# -- Create HorizontalPodAutoscaler object.
1022
# See EXAMPLES.md for more details.
1023
enabled: false
1024
# -- minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.
1025
minReplicas: # @schema type:[integer, null]; minimum:0
1026
# -- maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
1027
maxReplicas: # @schema type:[integer, null]; minimum:0
1028
# -- metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).
1029
metrics: []
1030
# -- behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).
1031
behavior: {}
1032
# -- scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count.
1033
# @default -- Traefik Deployment
1034
scaleTargetRef:
1035
apiVersion: apps/v1
1036
kind: Deployment
1037
name: "{{ template \"traefik.fullname\" . }}"
1038
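persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
  # It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option
  # The ACME storage file holds certificate private keys and the ACME account
  # key, so treat the volume, its snapshots and its backups as secret material.
  enabled: false
  name: data
  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  storageClass:  # @schema type:[string, null]
  volumeName: ""
  path: /data
  annotations: {}
  # -- Only mount a subpath of the Volume into the pod
  subPath: ""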
1053
# -- Certificates resolvers configuration.
1054
# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
1055
# See EXAMPLES.md for more details.
1056
certificatesResolvers: {}
1057
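# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulable pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
# In the host network namespace every entry point listens on the node's own
# interfaces, including `ports.traefik` and `ports.metrics`, whatever their
# Service-level `expose` setting says. Restrict those ports with node firewall
# rules before enabling this.
hostNetwork: false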
1062
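rbac:  # @schema additionalProperties: false
  # -- Whether Role Based Access Control objects like roles and rolebindings should be created
  enabled: true
  # When set to true:
  # 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.
  # 2. It adds `disableIngressClassLookup` on Kubernetes Ingress with Traefik Proxy v3 until v3.1.4
  # 3. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers with Traefik Proxy v3.1.2+
  # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC.
  # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details.
  #
  # With false, the permissions are granted through a ClusterRole and so apply
  # in every namespace. Set to true to confine them to namespaces when the
  # features listed in the NOTE are not needed. The granted rules live in the
  # chart templates; review the rendered manifests before installing.
  namespaced: false
  # Enable user-facing roles
  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  # Aggregation adds this chart's rules to the named roles for every subject
  # bound to them, so list a role only when that widening is intended.
  aggregateTo: []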
1075
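# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
# The PodSecurityPolicy API was removed in Kubernetes v1.25. On current
# clusters keep this false and enforce pod hardening with Pod Security
# Admission labels on the namespace or with a policy engine.
podSecurityPolicy:
  enabled: false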
1078
# -- The service account the pods will use to interact with the Kubernetes API
1079
serviceAccount: # @schema additionalProperties: false
1080
# If set, an existing service account is used
1081
# If not set, a service account is created automatically using the fullname template
1082
name: ""
1083
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
1084
serviceAccountAnnotations: {}
1085
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
1086
resources: {}
1087
# -- This example pod anti-affinity forces the scheduler to put traefik pods
1088
# -- on nodes where no other traefik pods are scheduled.
1089
# It should be used when hostNetwork: true to prevent port conflicts
1090
affinity: {}
1091
# podAntiAffinity:
1092
# requiredDuringSchedulingIgnoredDuringExecution:
1093
# - labelSelector:
1094
# matchLabels:
1095
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
1096
# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
1097
# topologyKey: kubernetes.io/hostname
1098
1099
# -- nodeSelector is the simplest recommended form of node selection constraint.
1100
nodeSelector: {}
1101
# -- Tolerations allow the scheduler to schedule pods with matching taints.
1102
tolerations: []
1103
# -- You can use topology spread constraints to control
1104
# how Pods are spread across your cluster among failure-domains.
1105
topologySpreadConstraints: []
1106
# This example topologySpreadConstraints forces the scheduler to put traefik pods
1107
# on nodes where no other traefik pods are scheduled.
1108
# - labelSelector:
1109
# matchLabels:
1110
# app.kubernetes.io/name: '{{ template "traefik.name" . }}'
1111
# maxSkew: 1
1112
# topologyKey: kubernetes.io/hostname
1113
# whenUnsatisfiable: DoNotSchedule
1114
1115
# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
1116
priorityClassName: ""
1117
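# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
# Hardened container defaults: no privilege escalation, every Linux capability
# dropped and a read-only root filesystem. With all capabilities dropped the
# process cannot bind ports below 1024, which is why the entry points listen
# on 8000/8443 and the Service maps 80/443 onto them. Anything Traefik must
# write (for example ACME storage) needs a mounted volume; see `persistence`.
# @default -- See _values.yaml_
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true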
1124
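# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
# The pod runs as the unprivileged UID/GID 65532; `runAsNonRoot: true` makes
# the kubelet refuse to start the container as UID 0, and `RuntimeDefault`
# applies the container runtime's default seccomp filter. When overriding this
# map, carry these three settings over instead of replacing them.
# @default -- See _values.yaml_
podSecurityContext:
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    type: RuntimeDefault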
1132
#
1133
# -- Extra objects to deploy (value evaluated as a template)
1134
#
1135
# In some cases, it can avoid the need for additional, extended or adhoc deployments.
1136
# See #595 for more details and traefik/tests/values/extra.yaml for example.
1137
extraObjects: []
1138
# -- This field overrides the default Release Namespace for Helm.
1139
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
1140
namespaceOverride: ""
1141
# -- This field overrides the default app.kubernetes.io/instance label for all Objects.
1142
instanceLabelOverride: ""
1143
# -- This field overrides the default version extracted from image.tag
1144
versionOverride: ""
1145
# -- overrides the app.kubernetes.io/name label
1146
nameOverride: ""
1147
# -- Overrides the resource name for templates (i.e deployment, service, etc..)
1148
fullnameOverride: ""
1149
# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
1150
hub:
1151
# -- Name of `Secret` with key 'token' set to a valid license token.
1152
# It enables API Gateway.
1153
token: ""
1154
# -- Mount path for token secret.
1155
tokenMountPath: "/etc/secrets"
1156
# -- Disables all external network connections.
1157
offline: # @schema type:[boolean, null]
1158
# -- By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
1159
namespaces: [] # @schema required:true
1160
apimanagement:
1161
# -- Set to true in order to enable API Management. Requires a valid license token.
1162
enabled: false
1163
admission:
1164
# -- WebHook admission server listen address. Default: "0.0.0.0:9943".
1165
listenAddr: ""
1166
# -- Certificate name of the WebHook admission server. Default: "hub-agent-cert".
1167
secretName: "hub-agent-cert"
1168
# -- By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details.
1169
selfManagedCertificate: false
1170
# -- Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding.
1171
customWebhookCertificate: {}
1172
# -- Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update.
1173
restartOnCertificateChange: true
1174
# -- Set custom annotations.
1175
annotations: {}
1176
openApi:
1177
# -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
1178
validateRequestMethodAndPath: false
1179
mcpgateway:
1180
# -- Set to true in order to enable AI MCP Gateway. Requires a valid license token.
1181
enabled: false
1182
# -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
1183
maxRequestBodySize: # @schema type:[integer, null]; minimum:0
1184
aigateway:
1185
# -- Set to true in order to enable AI Gateway. Requires a valid license token.
1186
enabled: false
1187
# -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
1188
maxRequestBodySize: # @schema type:[integer, null]; minimum:0
1189
providers:
1190
consulCatalogEnterprise:
1191
# -- Enable Consul Catalog Enterprise backend with default settings.
1192
enabled: false
1193
# -- Use local agent caching for catalog reads.
1194
cache: false
1195
# -- Enable Consul Connect support.
1196
connectAware: false
1197
# -- Consider every service as Connect capable by default.
1198
connectByDefault: false
1199
# -- Constraints is an expression that Traefik matches against the container's labels
1200
constraints: ""
1201
# -- Default rule.
1202
defaultRule: "Host(`{{ normalize .Name }}`)"
1203
endpoint:
1204
# -- The address of the Consul server
1205
address: ""
1206
# -- Data center to use. If not provided, the default agent data center is used
1207
datacenter: ""
1208
# -- WaitTime limits how long a Watch will block. If not provided, the agent default values will be used
1209
endpointWaitTime: 0
1210
httpauth:
1211
# -- Basic Auth password
1212
password: ""
1213
# -- Basic Auth username
1214
username: ""
1215
# -- The URI scheme for the Consul server
1216
scheme: ""
1217
tls:
1218
# -- TLS CA
1219
ca: ""
1220
# -- TLS cert
1221
cert: ""
1222
# -- TLS insecure skip verify
1223
insecureSkipVerify: false
1224
# -- TLS key
1225
key: ""
1226
# -- Token is used to provide a per-request ACL token which overrides the agent's default token
1227
token: ""
1228
# -- Expose containers by default.
1229
exposedByDefault: true
1230
# -- Sets the namespaces used to discover services (Consul Enterprise only).
1231
namespaces: ""
1232
# -- Sets the partition used to discover services (Consul Enterprise only).
1233
partition: ""
1234
# -- Prefix for consul service tags.
1235
prefix: "traefik"
1236
# -- Interval for checking Consul API.
1237
refreshInterval: 15
1238
# -- Forces the read to be fully consistent.
1239
requireConsistent: false
1240
# -- Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually)
1241
serviceName: "traefik"
1242
# -- Use stale consistency for catalog reads.
1243
stale: false
1244
# -- A list of service health statuses to allow taking traffic.
1245
strictChecks: "passing, warning"
1246
# -- Watch Consul API events.
1247
watch: false
1248
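microcks:
  # -- Enable Microcks provider.
  enabled: false
  auth:
    # -- Microcks API client ID.
    clientId: ""
    # -- Microcks API client secret.
    # Secret value: keep it out of committed values files.
    # NOTE(review): confirm how the chart passes it to the container.
    clientSecret: ""
    # -- Microcks API endpoint.
    # NOTE(review): same description as the provider-level `endpoint` below;
    # presumably this is the endpoint used for authentication. Confirm.
    endpoint: ""
    # -- Microcks API token.
    # Secret value: treat it like `clientSecret`.
    token: ""
  # -- Microcks API endpoint.
  endpoint: ""
  # -- Polling interval for Microcks API.
  pollInterval: 30
  # -- Polling timeout for Microcks API.
  pollTimeout: 5
  tls:
    # -- TLS CA
    ca: ""
    # -- TLS cert
    cert: ""
    # -- TLS insecure skip verify
    # Leave false. With true the server certificate is not verified, which
    # exposes the client secret and token to interception; set `ca` instead.
    insecureSkipVerify: false
    # -- TLS key
    key: ""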
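redis:
  # -- Enable Redis Cluster. Default: true.
  cluster:  # @schema type:[boolean, null]
  # -- Database used to store information. Default: "0".
  database:  # @schema type:[string, null]
  # -- Endpoints of the Redis instances to connect to. Default: "".
  endpoints: ""
  # -- The username to use when connecting to Redis endpoints. Default: "".
  username: ""
  # -- The password to use when connecting to Redis endpoints. Default: "".
  # Secret value: keep it out of committed values files.
  # NOTE(review): confirm how the chart passes it to the container.
  password: ""
  sentinel:
    # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
    masterset: ""
    # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
    username: ""
    # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
    # Secret value: treat it like the endpoint password above.
    password: ""
  # -- Timeout applied on connection with redis. Default: "0s".
  timeout: ""
  tls:
    # -- Path to the certificate authority used for the secured connection.
    ca: ""
    # -- Path to the public certificate used for the secure connection.
    cert: ""
    # -- Path to the private key used for the secure connection.
    key: ""
    # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
    # Leave false outside throwaway test setups: accepting any certificate
    # lets an intermediary read the Redis password and stored data. Set `ca`
    # for a private CA instead.
    insecureSkipVerify: false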
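# Enable export of error logs to the platform. Default: true.
# Left unset (null), the documented default applies and error logs are
# exported. Set false explicitly where log content must stay inside the
# cluster.
sendlogs:  # @schema type:[boolean, null]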
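tracing:
  additionalTraceHeaders:
    # -- Tracing headers to duplicate.
    # To configure the following, tracing.otlp.enabled needs to be set to true.
    # @default -- See below
    enabled: false
    # Each value names the header that receives a copy of the corresponding
    # trace-context field.
    traceContext:
      # -- Name of the header that will contain the parent-id header copy.
      parentId: ""
      # -- Name of the header that will contain the trace-id copy.
      traceId: ""
      # -- Name of the header that will contain the traceparent copy.
      traceParent: ""
      # -- Name of the header that will contain the tracestate copy.
      traceState: ""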
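# Define private plugin sources
# Empty by default. Each source added here becomes a place plugin code is
# fetched from, so list only registries you control.
# NOTE(review): keep any registry credentials a source needs out of committed
# values files.
pluginRegistry:
  sources: {}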
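# -- Required for OCI Marketplace integration.
# See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm
# @default -- See _values.yaml_
oci_meta:
  # -- Enable specific values for Oracle Cloud Infrastructure
  enabled: false
  # -- It needs to be an ocir repo
  # NOTE(review): the default below is cgr.dev; confirm it meets the "ocir
  # repo" requirement before setting `enabled: true`.
  repo: cgr.dev
  images:
    # Both entries point at the same repository and the same sha256 digest.
    # The digest pins the image content. When a reference carries both a tag
    # and a digest, container runtimes resolve the digest, so the `latest`
    # label in front of it does not float. Change the digest deliberately when
    # upgrading.
    proxy:
      image: chainguard-private/traefik
      tag: latest@sha256:00c8d34e78e9be27dfefe0dbc607ca2733d37db51ad2f9e11570657667328fd6
    hub:
      image: chainguard-private/traefik
      tag: latest@sha256:00c8d34e78e9be27dfefe0dbc607ca2733d37db51ad2f9e11570657667328fd6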
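# -- Required for IBM Cloud Marketplace integration.
# Injected by IBM Cloud Catalog when deploying via IBM Cloud Schematics. This value is not used by the chart.
offering_version: ""  # @schema type:[string, null]
# -- Allow the Helm chart to be used as optional subchart.
# The schema annotation fixes this value to true (const:true).
enabled: true  # @schema type:boolean; const:true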