diff --git a/Traefik/IngressRoute/ingressRoute_nginx_template.yaml b/Traefik/IngressRoute/ingressRoute_nginx_template.yaml
index 63317f10c1cdd62b4526bed0818ebf0c13015fa7..42e0b1be3bdb9fe2be117a2a4ff6f8307855408f 100644
--- a/Traefik/IngressRoute/ingressRoute_nginx_template.yaml
+++ b/Traefik/IngressRoute/ingressRoute_nginx_template.yaml
@@ -15,6 +15,8 @@ metadata:
 spec:
 entryPoints:
 - websecure
+ tls:
+ secretName: _TLS_CERT_
 routes:
 - match: Host(`_INGRESS_HOST_`) && Path(`/nginx-green`)
 kind: Rule
@@ -23,7 +25,7 @@ spec:
 services:
 - name: nginx-service-green
 port: 8080
- - match: Host(`dev-storage.informatik.fh-nuernberg.de`) && Path(`/nginx-blue`)
+ - match: Host(`_INGRESS_HOST_`) && Path(`/nginx-blue`)
 kind: Rule
 middlewares:
 - name: nginx-strip-path-prefix
diff --git a/Traefik/IngressRoute/ingressRoute_whoami_template.yaml b/Traefik/IngressRoute/ingressRoute_whoami_template.yaml
index 9e3825a371032e5da21a0a4ba90b4803922abbe9..0a4edc5e454e644b1600e4be2bdec1bfe7df7d85 100644
--- a/Traefik/IngressRoute/ingressRoute_whoami_template.yaml
+++ b/Traefik/IngressRoute/ingressRoute_whoami_template.yaml
@@ -5,6 +5,8 @@ metadata:
 spec:
 entryPoints:
 - websecure
+ tls:
+ secretName: _TLS_CERT_
 routes:
 - match: Host(`_INGRESS_HOST_`) && Path(`/who`)
 kind: Rule
diff --git a/Traefik/IngressRoute/install_ingressroutes.sh b/Traefik/IngressRoute/install_ingressroutes.sh
index 93665d1a27a4e32366332d990125cc3409220e78..59d23b4f79052659070b85415325703ad624945e 100755
--- a/Traefik/IngressRoute/install_ingressroutes.sh
+++ b/Traefik/IngressRoute/install_ingressroutes.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 if [ -z "$1" ]; then
- echo "Error : Missing Ingress-Host parameter"
+ echo "Error : Missing FQN for Ingress-Host parameter"
 echo "Sample: $0 dev-storage.informatik.fh-nuernberg.de"
 exit 1
 fi
@@ -8,12 +8,16 @@ fi
 INGRESS_HOST=$1
 echo $INGRESS_HOST
 HOSTNAME=$(echo $INGRESS_HOST | awk -v FS='.' '{print $1}')
-echo "Hostname" : $HOSTNAME
-echo "IingressRoute hosti : ${INGRESS_HOST}"
+TLS_CERT=${HOSTNAME}-tls-cert
+echo "Hostname :" ${HOSTNAME}
+echo "IngressRoute host :" ${INGRESS_HOST}
+echo "TLS Cert :" ${TLS_CERT}
+
 rm -rf $HOSTNAME
 mkdir $HOSTNAME
 kubectl delete namespace testing
 kubectl create namespace testing
+
 #
 # Create Pods / Servies
 kubectl -n testing apply -f nginx-deploy-green.yaml
@@ -22,8 +26,11 @@ kubectl -n testing apply -f whoami-deploy.yaml
 #
 # Create ingressRoutes from template Files
 cd $HOSTNAME
-cat ../ingressRoute_nginx_template.yaml | sed "s/_INGRESS_HOST_/$INGRESS_HOST/g" > ingressRoute_nginx.yaml
-cat ../ingressRoute_whoami_template.yaml | sed "s/_INGRESS_HOST_/$INGRESS_HOST/g" > ingressRoute_whoami.yaml
+openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -out tls.crt -keyout tls.key -subj "/CN=${INGRESS_HOST}/emailAddress=Helmut.Hutzler@gmail.com"
+kubectl -n testing create secret tls ${TLS_CERT} --key=tls.key --cert=tls.crt
+kubectl -n testing describe secret ${TLS_CERT}
+cat ../ingressRoute_nginx_template.yaml | sed "s/_INGRESS_HOST_/$INGRESS_HOST/g" | sed "s/_TLS_CERT_/$TLS_CERT/g" > ingressRoute_nginx.yaml
+cat ../ingressRoute_whoami_template.yaml | sed "s/_INGRESS_HOST_/$INGRESS_HOST/g" | sed "s/_TLS_CERT_/$TLS_CERT/g" > ingressRoute_whoami.yaml
 kubectl -n testing apply -f ingressRoute_whoami.yaml
 kubectl -n testing apply -f ingressRoute_nginx.yaml
diff --git a/Traefik/enable-dashboard-basic-auth-https.yaml b/Traefik/enable-dashboard-basic-auth-https.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8c83eff1bb87d36f462489e4efc099e53c9d9beb
--- /dev/null
+++ b/Traefik/enable-dashboard-basic-auth-https.yaml
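Review bot: `TLS_CERT=${HOSTNAME}-tls-cert` derives a Kubernetes Secret name from `$1`, which the script only checks for emptiness; a value containing spaces, glob characters, `/` or `&` word-splits in the unquoted expansions and also corrupts the `sed "s/_INGRESS_HOST_/$INGRESS_HOST/g"` substitutions in the next hunk, so the generated manifests silently differ from what was intended. Validate the argument once, directly after the emptiness check, e.g. `[[ "$INGRESS_HOST" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$ ]] || { echo "Error : $INGRESS_HOST is not a valid hostname"; exit 1; }`, and quote the expansions (`"${HOSTNAME}"`, `"${TLS_CERT}"`). Secret names must additionally be lowercase DNS-1123 subdomains, so an uppercase first label (legal in DNS) would still make `kubectl create secret` fail; `HOSTNAME=${HOSTNAME,,}` after the awk line avoids that.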
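Review bot: The certificate produced by the new `openssl req` line carries only a CN and no subjectAltName, so current browsers and Go/OpenSSL clients fail hostname verification against it even once the issuer is trusted; add `-addext "subjectAltName=DNS:${INGRESS_HOST}"` (OpenSSL 1.1.1+). The hunk also has no failure handling: `cd $HOSTNAME` falls through into the caller's directory, and if `openssl` or `kubectl create secret tls` fails the script still applies IngressRoutes whose `tls.secretName` points at a Secret that does not exist, in which case Traefik most likely falls back to its default certificate for that host. Finally `tls.key` remains on disk under `$HOSTNAME/` after the Secret exists; generate it under a restrictive umask and remove it once it is in the cluster. Either add `set -euo pipefail` near the top of the script (outside this hunk) or check the commands explicitly as below.
```shell
cd "$HOSTNAME" || exit 1
umask 077   # key file must not be group/world readable while it exists
openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -out tls.crt -keyout tls.key \
  -subj "/CN=${INGRESS_HOST}/emailAddress=Helmut.Hutzler@gmail.com" \
  -addext "subjectAltName=DNS:${INGRESS_HOST}" || exit 1
kubectl -n testing create secret tls "${TLS_CERT}" --key=tls.key --cert=tls.crt || exit 1
rm -f tls.key   # the key now lives only in the Secret
# … unchanged: kubectl describe secret, sed templating of the two IngressRoutes, kubectl apply …
```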
@@ -0,0 +1,37 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: dashboard-auth
+spec:
+ basicAuth:
+ secret: dashboard-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dashboard-secret
+data:
+ # Here the encoded user:password is traefik:traefika
+ # htpasswd -nb traefik traefik | base64
+ # dHJhZWZpazokYXByMSRnT3QvenIvaSQzZTJjQ080LzhvODVySzBlV3lPZ2suCgo=
+ users: |
+ dHJhZWZpazokYXByMSRnT3QvenIvaSQzZTJjQ080LzhvODVySzBlV3lPZ2suCgo=
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: dashboard
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host (`kube-master.informatik.fh-nuernberg.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ kind: Rule
+ middlewares:
+ - name: dashboard-auth
+ services:
+ - name: api@internal
+ kind: TraefikService
+ tls:
+ secretName: kube-master-tls-cert
diff --git a/Traefik/enable-dashboard.yaml b/Traefik/enable-dashboard.yaml
index 53fb932ca6aa8e080e3607100f1ff09c6334a9dd..513652348e54d2cc60f78b860d7cac8827ca3ef1 100644
--- a/Traefik/enable-dashboard.yaml
+++ b/Traefik/enable-dashboard.yaml
@@ -6,7 +6,7 @@ spec:
 entryPoints:
 - web
 routes:
- - match: Host (`dev-storage.informatik.fh-nuernberg.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ - match: Host (`kube-master.informatik.fh-nuernberg.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
 kind: Rule
 services:
 - name: api@internal
diff --git a/Traefik/traefik-chart-values.yaml b/Traefik/traefik-chart-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c1bd198651bb91abc4f359b3579ad7f099404dc7
--- /dev/null
+++ b/Traefik/traefik-chart-values.yaml
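Review bot: The `Secret` in this new file commits the dashboard credential to the repository, and the comment above it spells the password out in clear text, so anyone with read access to the repo can reach `/api`, which returns Traefik's complete dynamic configuration. The comment is also inconsistent with itself: it states `traefik:traefika` while the quoted command is `htpasswd -nb traefik traefik`, so a reader cannot tell which value the encoded string holds. Keep only the `Middleware` and `IngressRoute` in this file and create the Secret out of band, e.g. `kubectl create secret generic dashboard-secret --from-file=users=<htpasswd output file>` (placeholder path), or at minimum drop the two comment lines that reveal the value. Separately, `users: |` as a block scalar appends a newline to the base64 string; the Kubernetes decoder appears to tolerate that, but a plain `users: <base64 value>` scalar avoids relying on it.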
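Review bot: The new `match` line routes `/dashboard` and `/api` for `kube-master.informatik.fh-nuernberg.de` on the `web` entrypoint, which in this file has neither TLS nor a middleware, so the Traefik API is reachable unauthenticated over plain HTTP on that host. The same commit adds `enable-dashboard-basic-auth-https.yaml` with a basicAuth middleware and TLS for the identical host and paths; if both manifests are applied the unprotected route keeps matching alongside the protected one. Either retire this file in favour of the new one, or add `middlewares:` with `- name: dashboard-auth` to this route too and consider enabling the `web` to `websecure` redirect that the chart values file leaves commented out (`# redirectTo: websecure`).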
@@ -0,0 +1,620 @@ +# Default values for Traefik +image: + name: traefik + # defaults to appVersion + tag: "" + pullPolicy: IfNotPresent + +# +# Configure the deployment +# +deployment: + enabled: true + # Can be either Deployment or DaemonSet + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy + # image: alpine/socat:1.0.5 + # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] + # volumeMounts: + # - name: dsdsocket + # mountPath: /socket + # Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. 
+ # Related issue: https://github.com/traefik/traefik/issues/6825 + # - name: volume-permissions + # image: busybox:1.35 + # command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"] + # volumeMounts: + # - name: data + # mountPath: /data + # Use process namespace sharing + shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName + # Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "sleep 40"] + # postStart: + # httpGet: + # path: /ping + # port: 9000 + # host: localhost + # scheme: HTTP + +# Pod disruption budget +podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # maxUnavailable: 33% + # minAvailable: 0 + # minAvailable: 25% + +# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x +ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" + fallbackApiVersion: "" + +# Activate Pilot integration +pilot: + enabled: false + token: "" + # Toggle Pilot Dashboard + # dashboard: false + +# Enable experimental features +experimental: + http3: + enabled: false + plugins: + enabled: false + kubernetesGateway: + enabled: false + gateway: + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + enabled: true + # Additional ingressRoute annotations (e.g. 
for kubernetes.io/ingress.class) + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] + +rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + +# Customize liveness and readiness probe values. +readinessProbe: + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + +livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + +# +# Configure providers +# +providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" + +# +# Add volumes to the traefik pod. The volume name will be passed to tpl. +# This can be used to mount a cert pair or a configmap that holds a config.toml file. 
+# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--providers.file.filename=/config/dynamic.toml" +# - "--ping" +# - "--ping.entrypoint=web" +volumes: [] +# - name: public-cert +# mountPath: "/certs" +# type: secret +# - name: '{{ printf "%s-configs" .Release.Name }}' +# mountPath: "/config" +# type: configMap + +# Additional volumeMounts to add to the Traefik container +additionalVolumeMounts: [] + # For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + +# Logs +# https://docs.traefik.io/observability/logs/ +logs: + # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs + enabled: false + # By default, logs are written using the Common Log Format (CLF). + # To write logs in JSON, use json in the format option. + # If the given format is unsupported, the default (CLF) is used instead. + # format: json + # To write the logs in an asynchronous fashion, specify a bufferingSize option. + # This option represents the number of log lines Traefik will keep in memory before writing + # them to the selected output. In some cases, this option can greatly help performances. 
+ # bufferingSize: 100 + # Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms + # Fields + # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} + # Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} + # Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep + +metrics: + # datadog: + # address: 127.0.0.1:8125 + # influxdb: + # address: localhost:8089 + # protocol: udp + prometheus: + entryPoint: metrics + # addRoutersLabels: true + # statsd: + # address: localhost:8125 + +tracing: {} + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 + # logLevel: info + # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + # jaeger: + # samplingServerURL: http://localhost:5778/sampling + # samplingType: const + # samplingParam: 1.0 + # localAgentHostPort: 127.0.0.1:6831 + # gen128Bit: false + # propagation: jaeger + # traceContextHeaderName: uber-trace-id + # disableAttemptReconnecting: true + # collector: + # endpoint: "" + # user: "" + # password: "" + # zipkin: + # httpEndpoint: http://localhost:9411/api/v2/spans + # sameSpan: false + # id128Bit: true + # sampleRate: 1.0 + # haystack: + # localAgentHost: 127.0.0.1 + # localAgentPort: 35000 + # globalTag: "" + # traceIDHeaderName: "" + # parentIDHeaderName: "" + # spanIDHeaderName: "" + # baggagePrefixHeaderName: "" + # elastic: + # serverURL: http://localhost:8200 + # secretToken: "" + # serviceEnvironment: "" + +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +# +# Configure Traefik static configuration +# Additional arguments to be passed at Traefik's binary +# All available options available on 
https://docs.traefik.io/reference/static-configuration/cli/ +## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# Environment variables to be passed to Traefik's binary +env: [] +# - name: SOME_VAR +# value: some-var-value +# - name: SOME_VAR_FROM_CONFIG_MAP +# valueFrom: +# configMapRef: +# name: configmap-name +# key: config-key +# - name: SOME_SECRET +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key + +envFrom: [] +# - configMapRef: +# name: config-map-name +# - secretRef: +# name: secret-name + +# Configure ports +ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 + # + # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. + # Default: ports.traefik.port + # healthchecksPort: 9000 + + # Override the liveness/readiness scheme. Useful for getting ping to + # respond on websecure entryPoint. + # healthchecksScheme: HTTPS + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. 
+ # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + # The port protocol (TCP/UDP) + protocol: TCP + web: + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 + expose: true + exposedPort: 443 + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # Enable HTTP/3. + # Requires enabling experimental http3 feature and tls. + # Note that you cannot have a UDP entrypoint with the same port. + # http3: true + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] + # - main: example.com + # sans: + # - foo.example.com + # - bar.example.com + # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if 
service.type is LoadBalancer or + # NodePort. + # + # You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9100 + # The port protocol (TCP/UDP) + protocol: TCP + +# TLS Options are created as TLSOption CRDs +# https://doc.traefik.io/traefik/https/tls/#tls-options +# Example: +# tlsOptions: +# default: +# sniStrict: true +# preferServerCipherSuites: true +# foobar: +# curvePreferences: +# - CurveP521 +# - CurveP384 +tlsOptions: {} + +# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +# https://doc.traefik.io/traefik/https/tls/#default-certificate +# Example: +# tlsStore: +# default: +# defaultCertificate: +# secretName: tls-cert +tlsStore: {} + +# Options for the main traefik service, where the entrypoints traffic comes +# from. +service: + enabled: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # Additional annotations for TCP service only + annotationsTCP: {} + # Additional annotations for UDP service only + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. + # Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 + # One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + # List of IP families (e.g. IPv4 and/or IPv6). 
+ # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + +## Create HorizontalPodAutoscaler object. +## +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# target: +# type: Utilization +# averageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# target: +# type: Utilization +# averageUtilization: 60 +# behavior: +# scaleDown: +# stabilizationWindowSeconds: 300 +# policies: +# - type: Pods +# value: 1 +# periodSeconds: 60 + +# Enable persistence using Persistent Volume Claims +# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--certificatesresolvers.le.acme.storage=/data/acme.json" +# It will persist TLS certificates. +persistence: + enabled: false + name: data +# existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + +certResolvers: {} +# letsencrypt: +# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +# email: email@example.com +# dnsChallenge: +# # also add the provider's required configuration under env +# # or expand then from secrets/configmaps with envfrom +# # cf. https://doc.traefik.io/traefik/https/acme/#providers +# provider: digitalocean +# # add futher options for the dns challenge as needed +# # cf. 
https://doc.traefik.io/traefik/https/acme/#dnschallenge +# delayBeforeCheck: 30 +# resolvers: +# - 1.1.1.1 +# - 8.8.8.8 +# tlsChallenge: true +# httpChallenge: +# entryPoint: "web" +# # match the path to persistence +# storage: /data/acme.json + +# If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the +# affinity is left as default. +hostNetwork: false + +# Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: + enabled: true + + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +podSecurityPolicy: + enabled: false + +# The service account the pods will use to interact with the Kubernetes API +serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +# Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + +resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" + +# This example pod anti-affinity forces the scheduler to put traefik pods +# on nodes where no other traefik pods are scheduled. +# It should be used when hostNetwork: true to prevent port conflicts +affinity: {} +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "traefik.name" . 
}}' +# app.kubernetes.io/instance: '{{ .Release.Name }}' +# topologyKey: kubernetes.io/hostname + +nodeSelector: {} +tolerations: [] + +# Pods can have priority. +# Priority indicates the importance of a Pod relative to other Pods. +priorityClassName: "" + +# Set the container security context +# To run the container with ports below 1024 this will need to be adjust to run as root +securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +podSecurityContext: + fsGroup: 65532 + +# +# Extra objects to deploy (value evaluated as a template) +# +# In some cases, it can avoid the need for additional, extended or adhoc deployments. +# See #595 for more details and traefik/tests/extra.yaml for example. +extraObjects: [] +