apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: traefik namespace: kube-system spec: valuesContent: |- ports: web: exposedPort: 8080 websecure: exposedPort: 8443 additionalArguments: # Auto cert renewal via cloudflare - "--certificatesresolvers.letsencrypt.acme.email=joshbicking@comcast.net" - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53" - "--entrypoints.websecure.http.tls.certResolver=letsencrypt" - "--entrypoints.websecure.http.tls.domains[0].main=s3.bnuuy.org" # debug, uncomment for testing # - "--log.level=DEBUG" # - "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory" env: - name: CLOUDFLARE_EMAIL valueFrom: secretKeyRef: name: cloudflare-secrets key: email optional: false - name: CLOUDFLARE_API_KEY valueFrom: secretKeyRef: name: cloudflare-secrets key: api-key optional: false persistence: enabled: true storageClass: local-path # Fix for acme.json file being changed to 660 from 600 # This can manifest as the incredibly unhelpful "the router uses a non-existent resolver: " # https://github.com/traefik/traefik/issues/10241 podSecurityContext: fsGroup: 65532 deployment: initContainers: # The "volume-permissions" init container is required if you run into permission issues. # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 - name: volume-permissions image: busybox:latest command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] securityContext: runAsNonRoot: true runAsGroup: 65532 runAsUser: 65532 volumeMounts: - name: data mountPath: /data service: spec: externalTrafficPolicy: Local