--- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: traefik namespace: networking spec: interval: 5m chart: spec: # renovate: registryUrl=https://helm.traefik.io/traefik chart: traefik version: 10.6.2 sourceRef: kind: HelmRepository name: traefik-charts namespace: flux-system interval: 5m values: deployment: kind: DaemonSet service: enabled: true type: LoadBalancer spec: externalIPs: - "${CLUSTER_LB_TRAEFIK}" externalTrafficPolicy: Local logs: general: format: json level: DEBUG access: enabled: true format: json ingressClass: enabled: false ingressRoute: dashboard: enabled: false globalArguments: - "--api.insecure=true" - "--serverstransport.insecureskipverify=true" - "--providers.kubernetesingress.ingressclass=traefik" - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" additionalArguments: - "--providers.kubernetesingress.ingressendpoint.ip=${CLUSTER_LB_TRAEFIK}" ports: traefik: expose: true web: redirectTo: websecure websecure: tls: enabled: true options: "default" metrics: port: 8082 expose: true exposedPort: 8082 tlsOptions: default: minVersion: VersionTLS12 maxVersion: VersionTLS13 sniStrict: true pilot: enabled: true token: "${SECRET_TRAEFIK_PILOT_TOKEN}" experimental: plugins: enabled: true affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/name operator: In values: - traefik topologyKey: kubernetes.io/hostname resources: requests: memory: 100Mi cpu: 500m limits: memory: 500Mi