Skip to main content

Helm Chart Values

Configuration Options

FieldTypeDefaultDescription
additionalArgumentslist[]Additional arguments to be passed at Traefik's binary See CLI Reference Use curly braces to pass values: helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"
additionalVolumeMountslist[]Additional volumeMounts to add to the Traefik container
affinityobject{}on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts
autoscaling.enabledboolfalseCreate HorizontalPodAutoscaler object. See EXAMPLES.md for more details.
certificatesResolversobject{}Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details.
commonLabelsobject{}Add additional label to all resources
core.defaultRuleSyntaxstring""Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
deployment.additionalContainerslist[]Additional containers (e.g. for metric offloading sidecars)
deployment.additionalVolumeslist[]Additional volumes available for use with initContainers and additionalContainers
deployment.annotationsobject{}Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
deployment.dnsConfigobject{}Custom pod DNS config
deployment.dnsPolicystring""Custom pod DNS policy. Apply if hostNetwork: true
deployment.enabledbooltrueEnable deployment
deployment.healthchecksHoststring""
deployment.healthchecksPortstringnil
deployment.healthchecksSchemestringnil
deployment.hostAliaseslist[]Custom host aliases
deployment.imagePullSecretslist[]Pull secret for fetching traefik container image
deployment.initContainerslist[]Additional initContainers (e.g. for setting file permission as shown below)
deployment.kindstring"Deployment"Deployment or DaemonSet
deployment.labelsobject{}Additional deployment labels (e.g. for filtering deployment by custom labels)
deployment.lifecycleobject{}Pod lifecycle actions
deployment.livenessPathstring""Override the liveness path. Default: /ping
deployment.minReadySecondsint0The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
deployment.podAnnotationsobject{}Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
deployment.podLabelsobject{}Additional Pod labels (e.g. for filtering Pod by custom labels)
deployment.readinessPathstring""
deployment.replicasint1Number of pods of the deployment (only applies when kind == Deployment)
deployment.revisionHistoryLimitstringnilNumber of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
deployment.runtimeClassNamestring""Set a runtimeClassName on pod
deployment.shareProcessNamespaceboolfalseUse process namespace sharing
deployment.terminationGracePeriodSecondsint60Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
envlistSee values.yamlAdditional Environment variables to be passed to Traefik's binary
envFromlist[]Environment variables to be passed to Traefik's binary from configMaps or secrets
experimental.abortOnPluginFailureboolfalseDefines whether all plugins must be loaded successfully for Traefik to start
experimental.kubernetesGateway.enabledboolfalseEnable traefik experimental GatewayClass CRD
experimental.pluginsobject{}Enable traefik experimental plugins
extraObjectslist[]Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example.
gateway.annotationsobject{}Additional gateway annotations (e.g. for cert-manager.io/issuer)
gateway.enabledbooltrueWhen providers.kubernetesGateway.enabled, deploy a default gateway
gateway.infrastructureobject{}Infrastructure
gateway.listenersobject{"web":{"hostname":"","namespacePolicy":null,"port":8000,"protocol":"HTTP"\}\}Define listeners
gateway.listeners.web.hostnamestring""Optional hostname. See Hostname
gateway.listeners.web.namespacePolicystringnilRoutes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces
gateway.listeners.web.portint8000Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section.
gateway.namestring""Set a custom name to gateway
gateway.namespacestring""By default, Gateway is created in the same Namespace than Traefik.
gatewayClass.enabledbooltrueWhen providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
gatewayClass.labelsobject{}Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
gatewayClass.namestring""Set a custom name to GatewayClass
globalArgumentslist["--global.checknewversion","--global.sendanonymoususage"]Global command arguments to be passed to all traefik's pods
hostNetworkboolfalseIf hostNetwork is true, runs traefik in the host network namespace To prevent unschedulable pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default.
hub.apimanagement.admission.listenAddrstring""WebHook admission server listen address. Default: "0.0.0.0:9943".
hub.apimanagement.admission.secretNamestring""Certificate of the WebHook admission server. Default: "hub-agent-cert".
hub.apimanagement.enabledboolfalseSet to true in order to enable API Management. Requires a valid license token.
hub.redis.clusterstringnilEnable Redis Cluster. Default: true.
hub.redis.databasestringnilDatabase used to store information. Default: "0".
hub.redis.endpointsstring""Endpoints of the Redis instances to connect to. Default: "".
hub.redis.passwordstring""The password to use when connecting to Redis endpoints. Default: "".
hub.redis.sentinel.mastersetstring""Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
hub.redis.sentinel.passwordstring""Password to use for sentinel authentication (can be different from endpoint password). Default: "".
hub.redis.sentinel.usernamestring""Username to use for sentinel authentication (can be different from endpoint username). Default: "".
hub.redis.timeoutstring""Timeout applied on connection with redis. Default: "0s".
hub.redis.tls.castring""Path to the certificate authority used for the secured connection.
hub.redis.tls.certstring""Path to the public certificate used for the secure connection.
hub.redis.tls.insecureSkipVerifyboolfalseWhen insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
hub.redis.tls.keystring""Path to the private key used for the secure connection.
hub.redis.usernamestring""The username to use when connecting to Redis endpoints. Default: "".
hub.sendlogsstringnil
hub.tokenstring""Name of Secret with key 'token' set to a valid license token. It enables API Gateway.
image.pullPolicystring"IfNotPresent"Traefik image pull policy
image.registrystring"docker.io"Traefik image host registry
image.repositorystring"traefik"Traefik image repository
image.tagstringnildefaults to appVersion
ingressClassobject{"enabled":true,"isDefaultClass":true,"name":""}Create a default IngressClass for Traefik
ingressRoute.dashboard.annotationsobject{}Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
ingressRoute.dashboard.enabledboolfalseCreate an IngressRoute for the dashboard
ingressRoute.dashboard.entryPointslist["traefik"]Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\
ingressRoute.dashboard.labelsobject{}Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
ingressRoute.dashboard.matchRulestring"PathPrefix(/dashboard`)
ingressRoute.dashboard.middlewareslist[]Additional ingressRoute middlewares (e.g. for authentication)
ingressRoute.dashboard.serviceslist[{"kind":"TraefikService","name":"api@internal"}]The internal service used for the dashboard ingressRoute
ingressRoute.dashboard.tlsobject{}TLS options (e.g. secret containing certificate)
ingressRoute.healthcheck.annotationsobject{}Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
ingressRoute.healthcheck.enabledboolfalseCreate an IngressRoute for the healthcheck probe
ingressRoute.healthcheck.entryPointslist["traefik"]Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed.
ingressRoute.healthcheck.labelsobject{}Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
ingressRoute.healthcheck.matchRulestring"PathPrefix(/ping)"The router match rule used for the healthcheck ingressRoute
ingressRoute.healthcheck.middlewareslist[]Additional ingressRoute middlewares (e.g. for authentication)
ingressRoute.healthcheck.serviceslist[{"kind":"TraefikService","name":"ping@internal"}]The internal service used for the healthcheck ingressRoute
ingressRoute.healthcheck.tlsobject{}TLS options (e.g. secret containing certificate)
instanceLabelOverridestring""
livenessProbe.failureThresholdint3The number of consecutive failures allowed before considering the probe as failed.
livenessProbe.initialDelaySecondsint2The number of seconds to wait before starting the first probe.
livenessProbe.periodSecondsint10The number of seconds to wait between consecutive probes.
livenessProbe.successThresholdint1The minimum consecutive successes required to consider the probe successful.
livenessProbe.timeoutSecondsint2The number of seconds to wait for a probe response before considering it as failed.
logs.access.addInternalsboolfalseEnables accessLogs for internal resources. Default: false.
logs.access.bufferingSizestringnilSet bufferingSize
logs.access.enabledboolfalseTo enable access logs
logs.access.fields.general.defaultmodestring"keep"Set default mode for fields.names
logs.access.fields.general.namesobject{}Names of the fields to limit.
logs.access.fields.headersobject{"defaultmode":"drop","names":{\}\}Limit logged fields or headers
logs.access.fields.headers.defaultmodestring"drop"Set default mode for fields.headers
logs.access.filtersobject{"minduration":"","retryattempts":false,"statuscodes":""}Set filtering
logs.access.filters.mindurationstring""Set minDuration, to keep access logs when requests take longer than the specified duration
logs.access.filters.retryattemptsboolfalseSet retryAttempts, to keep the access logs when at least one retry has happened
logs.access.filters.statuscodesstring""Set statusCodes, to limit the access logs to requests with a status codes in the specified range
logs.access.formatstringnilSet access log format
logs.general.filePathstring""To write the logs into a log file, use the filePath option.
logs.general.formatstringnilSet logs format
logs.general.levelstring"INFO"Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
logs.general.noColorboolfalseWhen set to true and format is common, it disables the colorized output.
metrics.addInternalsboolfalse
metrics.otlp.addEntryPointsLabelsstringnilEnable metrics on entry points. Default: true
metrics.otlp.addRoutersLabelsstringnilEnable metrics on routers. Default: false
metrics.otlp.addServicesLabelsstringnilEnable metrics on services. Default: true
metrics.otlp.enabledboolfalseSet to true in order to enable the OpenTelemetry metrics
metrics.otlp.explicitBoundarieslist[]Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
metrics.otlp.grpc.enabledboolfalseSet to true in order to send metrics to the OpenTelemetry Collector using gRPC
metrics.otlp.grpc.endpointstring""Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
metrics.otlp.grpc.insecureboolfalseAllows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
metrics.otlp.grpc.tls.castring""The path to the certificate authority, it defaults to the system bundle.
metrics.otlp.grpc.tls.certstring""The path to the public certificate. When using this option, setting the key option is required.
metrics.otlp.grpc.tls.insecureSkipVerifyboolfalseWhen set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
metrics.otlp.grpc.tls.keystring""The path to the private key. When using this option, setting the cert option is required.
metrics.otlp.http.enabledboolfalseSet to true in order to send metrics to the OpenTelemetry Collector using HTTP.
metrics.otlp.http.endpointstring""Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
metrics.otlp.http.headersobject{}Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
metrics.otlp.http.tls.castring""The path to the certificate authority, it defaults to the system bundle.
metrics.otlp.http.tls.certstring""The path to the public certificate. When using this option, setting the key option is required.
metrics.otlp.http.tls.insecureSkipVerifystringnilWhen set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
metrics.otlp.http.tls.keystring""The path to the private key. When using this option, setting the cert option is required.
metrics.otlp.pushIntervalstring""Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
metrics.prometheus.addEntryPointsLabelsstringnil
metrics.prometheus.addRoutersLabelsstringnil
metrics.prometheus.addServicesLabelsstringnil
metrics.prometheus.bucketsstring""
metrics.prometheus.disableAPICheckstringnilWhen set to true, it won't check if Prometheus Operator CRDs are deployed
metrics.prometheus.entryPointstring"metrics"Entry point used to expose metrics.
metrics.prometheus.manualRoutingboolfalse
metrics.prometheus.prometheusRule.additionalLabelsobject{}
metrics.prometheus.prometheusRule.enabledboolfalseEnable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
metrics.prometheus.prometheusRule.namespacestring""
metrics.prometheus.service.annotationsobject{}
metrics.prometheus.service.enabledboolfalseCreate a dedicated metrics service to use with ServiceMonitor
metrics.prometheus.service.labelsobject{}
metrics.prometheus.serviceMonitor.additionalLabelsobject{}
metrics.prometheus.serviceMonitor.enableHttp2boolfalse
metrics.prometheus.serviceMonitor.enabledboolfalseEnable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
metrics.prometheus.serviceMonitor.followRedirectsboolfalse
metrics.prometheus.serviceMonitor.honorLabelsboolfalse
metrics.prometheus.serviceMonitor.honorTimestampsboolfalse
metrics.prometheus.serviceMonitor.intervalstring""
metrics.prometheus.serviceMonitor.jobLabelstring""
metrics.prometheus.serviceMonitor.metricRelabelingslist[]
metrics.prometheus.serviceMonitor.namespacestring""
metrics.prometheus.serviceMonitor.namespaceSelectorobject{}
metrics.prometheus.serviceMonitor.relabelingslist[]
metrics.prometheus.serviceMonitor.scrapeTimeoutstring""
namespaceOverridestring""This field override the default Release Namespace for Helm. It will not affect optional CRDs such as ServiceMonitor and PrometheusRules
nodeSelectorobject{}nodeSelector is the simplest recommended form of node selection constraint.
persistence.accessModestring"ReadWriteOnce"
persistence.annotationsobject{}
persistence.enabledboolfalseEnable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with certificatesResolvers.\<name\>.acme.storage option
persistence.existingClaimstring""
persistence.namestring"data"
persistence.pathstring"/data"
persistence.sizestring"128Mi"
persistence.storageClassstring""
persistence.subPathstring""Only mount a subpath of the Volume into the pod
persistence.volumeNamestring""
podDisruptionBudgetobject{"enabled":false,"maxUnavailable":null,"minAvailable":null}Pod Disruption Budget
podSecurityContextobjectSee values.yamlPod Security Context
podSecurityPolicyobject{"enabled":false}Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
ports.metrics.exposeobject{"default":false}You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use kubectl port-forward or create a secure ingress
ports.metrics.exposedPortint9100The exposed port for this service
ports.metrics.portint9100When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
ports.metrics.protocolstring"TCP"The port protocol (TCP/UDP)
ports.traefik.exposeobject{"default":false}You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use kubectl port-forward or create a secure ingress
ports.traefik.exposedPortint8080The exposed port for this service
ports.traefik.hostIPstringnilUse hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only.
ports.traefik.hostPortstringnilUse hostPort if set.
ports.traefik.portint8080
ports.traefik.protocolstring"TCP"The port protocol (TCP/UDP)
ports.web.expose.defaultbooltrue
ports.web.exposedPortint80
ports.web.forwardedHeaders.insecureboolfalse
ports.web.forwardedHeaders.trustedIPslist[]Trust forwarded headers information (X-Forwarded-*).
ports.web.nodePortstringnilSee upstream documentation
ports.web.portint8000
ports.web.protocolstring"TCP"
ports.web.proxyProtocol.insecureboolfalse
ports.web.proxyProtocol.trustedIPslist[]Enable the Proxy Protocol header parsing for the entry point
ports.web.redirectToobject{}
ports.web.targetPortstringnil
ports.web.transportobject{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null\}\}Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport
ports.websecure.allowACMEByPassboolfalseSee upstream documentation
ports.websecure.appProtocolstringnilSee upstream documentation
ports.websecure.containerPortstringnil
ports.websecure.expose.defaultbooltrue
ports.websecure.exposedPortint443
ports.websecure.forwardedHeaders.insecureboolfalse
ports.websecure.forwardedHeaders.trustedIPslist[]Trust forwarded headers information (X-Forwarded-*).
ports.websecure.hostPortstringnil
ports.websecure.http3.advertisedPortstringnil
ports.websecure.http3.enabledboolfalse
ports.websecure.middlewareslist[]/!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd
ports.websecure.nodePortstringnilSee upstream documentation
ports.websecure.portint8443
ports.websecure.protocolstring"TCP"
ports.websecure.proxyProtocol.insecureboolfalse
ports.websecure.proxyProtocol.trustedIPslist[]Enable the Proxy Protocol header parsing for the entry point
ports.websecure.targetPortstringnil
ports.websecure.tlsobject{"certResolver":"","domains":[],"enabled":true,"options":""}See upstream documentation
ports.websecure.transportobject{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null\}\}See upstream documentation
priorityClassNamestring""Pod Priority and Preemption
providers.file.contentstring""File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
providers.file.enabledboolfalseCreate a file provider
providers.file.watchbooltrueAllows Traefik to automatically watch for file changes
providers.kubernetesCRD.allowCrossNamespaceboolfalseAllows IngressRoute to reference resources in namespace other than theirs
providers.kubernetesCRD.allowEmptyServicesbooltrueAllows to return 503 when there is no endpoints available
providers.kubernetesCRD.allowExternalNameServicesboolfalseAllows to reference ExternalName services in IngressRoute
providers.kubernetesCRD.enabledbooltrueLoad Kubernetes IngressRoute provider
providers.kubernetesCRD.ingressClassstring""When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
providers.kubernetesCRD.namespaceslist[]Array of namespaces to watch. If left empty, Traefik watches all namespaces.
providers.kubernetesCRD.nativeLBByDefaultboolfalseDefines whether to use Native Kubernetes load-balancing mode by default.
providers.kubernetesGateway.enabledboolfalseEnable Traefik Gateway provider for Gateway API
providers.kubernetesGateway.experimentalChannelboolfalseToggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute.
providers.kubernetesGateway.labelselectorstring""A label selector can be defined to filter on specific GatewayClass objects only.
providers.kubernetesGateway.namespaceslist[]Array of namespaces to watch. If left empty, Traefik watches all namespaces.
providers.kubernetesGateway.statusAddress.hostnamestring""This Hostname will get copied to the Gateway status.addresses.
providers.kubernetesGateway.statusAddress.ipstring""This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
providers.kubernetesGateway.statusAddress.serviceobject{"name":"\{\{ (include \"traefik.fullname\" .) \}\}","namespace":"\{\{ .Release.Namespace \}\}"}The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
providers.kubernetesIngress.allowEmptyServicesbooltrueAllows to return 503 when there is no endpoints available
providers.kubernetesIngress.allowExternalNameServicesboolfalseAllows to reference ExternalName services in Ingress
providers.kubernetesIngress.enabledbooltrueLoad Kubernetes Ingress provider
providers.kubernetesIngress.ingressClassstringnilWhen ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
providers.kubernetesIngress.namespaceslist[]Array of namespaces to watch. If left empty, Traefik watches all namespaces.
providers.kubernetesIngress.nativeLBByDefaultboolfalseDefines whether to use Native Kubernetes load-balancing mode by default.
providers.kubernetesIngress.publishedService.enabledbooltrueEnable publishedService
providers.kubernetesIngress.publishedService.pathOverridestring""Override path of Kubernetes Service used to copy status from. Format: namespace/servicename. Default to Service deployed with this Chart.
rbacobject{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}Whether Role Based Access Control objects like roles and rolebindings should be created
readinessProbe.failureThresholdint1The number of consecutive failures allowed before considering the probe as failed.
readinessProbe.initialDelaySecondsint2The number of seconds to wait before starting the first probe.
readinessProbe.periodSecondsint10The number of seconds to wait between consecutive probes.
readinessProbe.successThresholdint1The minimum consecutive successes required to consider the probe successful.
readinessProbe.timeoutSecondsint2The number of seconds to wait for a probe response before considering it as failed.
resourcesobject{}Resources for traefik container.
securityContextobjectSee values.yamlSecurityContext
service.additionalServicesobject{}
service.annotationsobject{}Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
service.annotationsTCPobject{}Additional annotations for TCP service only
service.annotationsUDPobject{}Additional annotations for UDP service only
service.enabledbooltrue
service.externalIPslist[]
service.labelsobject{}Additional service labels (e.g. for filtering Service by custom labels)
service.loadBalancerSourceRangeslist[]
service.singlebooltrue
service.specobject{}Cannot contain type, selector or ports entries.
service.typestring"LoadBalancer"
serviceAccountobject{"name":""}The service account the pods will use to interact with the Kubernetes API
serviceAccountAnnotationsobject{}Additional serviceAccount annotations (e.g. for oidc authentication)
startupProbeobject{}Define Startup Probe
tlsOptionsobject{}TLS Options are created as TLSOption CRDs When using labelSelector, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details.
tlsStoreobject{}TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate. See EXAMPLE.md for details.
tolerationslist[]Tolerations allow the scheduler to schedule pods with matching taints.
topologySpreadConstraintslist[]You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains.
tracingobject{"addInternals":false,"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""\}\},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""\}\}\}\}https://doc.traefik.io/traefik/observability/tracing/overview/
tracing.addInternalsboolfalseEnables tracing for internal resources. Default: false.
tracing.otlp.enabledboolfalseSee https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/
tracing.otlp.grpc.enabledboolfalseSet to true in order to send metrics to the OpenTelemetry Collector using gRPC
tracing.otlp.grpc.endpointstring""Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
tracing.otlp.grpc.insecureboolfalseAllows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
tracing.otlp.grpc.tls.castring""The path to the certificate authority, it defaults to the system bundle.
tracing.otlp.grpc.tls.certstring""The path to the public certificate. When using this option, setting the key option is required.
tracing.otlp.grpc.tls.insecureSkipVerifyboolfalseWhen set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
tracing.otlp.grpc.tls.keystring""The path to the private key. When using this option, setting the cert option is required.
tracing.otlp.http.enabledboolfalseSet to true in order to send metrics to the OpenTelemetry Collector using HTTP.
tracing.otlp.http.endpointstring""Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics
tracing.otlp.http.headersobject{}Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
tracing.otlp.http.tls.castring""The path to the certificate authority, it defaults to the system bundle.
tracing.otlp.http.tls.certstring""The path to the public certificate. When using this option, setting the key option is required.
tracing.otlp.http.tls.insecureSkipVerifyboolfalseWhen set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
tracing.otlp.http.tls.keystring""The path to the private key. When using this option, setting the cert option is required.
updateStrategy.rollingUpdate.maxSurgeint1
updateStrategy.rollingUpdate.maxUnavailableint0
updateStrategy.typestring"RollingUpdate"Customize updateStrategy of Deployment or DaemonSet
volumeslist[]Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the additionalArguments list below, eg: additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"