apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: traefik namespace: kube-system spec: valuesContent: |- additionalArguments: - "--entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,172.16.69.0/24" - "--entrypoints.web.http.redirections.entryPoint.to=:443" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Auto cert renewal via cloudflare - "--certificatesresolvers.letsencrypt.acme.email=joshbicking@comcast.net" - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53" - "--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Main - "--entrypoints.websecure.http.tls.domains[0].main=jibby.org" - "--entrypoints.websecure.http.tls.domains[0].sans=*.jibby.org" # LAN-only - "--entrypoints.websecure.http.tls.domains[1].main=lan.jibby.org" - "--entrypoints.websecure.http.tls.domains[1].sans=*.lan.jibby.org" # Configuration for extra routers - "--providers.file.directory=/config" - "--log.level=INFO" # debug, uncomment for testing #- "--log.level=DEBUG" #- "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory" ports: metrics: expose: true exposedPort: 9101 volumes: - name: traefik-config mountPath: "/config" type: configMap env: - name: CLOUDFLARE_EMAIL valueFrom: secretKeyRef: name: cloudflare-secrets key: email optional: false - name: CLOUDFLARE_API_KEY valueFrom: secretKeyRef: name: cloudflare-secrets key: api-key optional: false persistence: enabled: true storageClass: ceph-block # Fix for acme.json file being changed to 660 from 600 # This can manifest as the incredibly unhelpful "the router uses a non-existent resolver: " # https://github.com/traefik/traefik/issues/10241 podSecurityContext: fsGroup: 65532 deployment: initContainers: # The "volume-permissions" init container is required if you run into permission issues. # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 - name: volume-permissions image: busybox:latest command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] securityContext: runAsNonRoot: true runAsGroup: 65532 runAsUser: 65532 volumeMounts: - name: data mountPath: /data # ACME functionality is not supported when running Traefik as a DaemonSet #deployment: # kind: DaemonSet service: spec: # Required to show real IP to proxied services externalTrafficPolicy: Local providers: kubernetesCRD: # Allows IngressRoutes to use middleware from a different namespace allowCrossNamespace: true # pin pod to cluster-ingress node, so ServiceLB gives it the right external IP affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cluster-ingress operator: In values: - "true"