# Helm values for a Traefik release (the affinity selector below references the
# chart's "traefik.name" template). The nesting was restored from a flattened
# copy of this file. NOTE(review): confirm key placement against the chart
# version in use.

image:
  registry: mirror.gcr.io/library
  # A tag is a mutable reference. The Keel annotations further down also allow
  # unattended upgrades, so the running image is whatever the mirror serves.
  # NOTE(review): consider digest pinning if the chart supports it.
  tag: '3.1.0'
  pullPolicy: IfNotPresent

# NOTE(review): the Traefik chart normally nests entry points under `ports`
# (ports.websecure.tls). Confirm this top-level key is actually consumed.
websecure:
  tls:
    enabled: true

providers:
  kubernetesCRD:
    enabled: true
    allowEmptyServices: true
    # Lets routes target ExternalName Services, so anyone permitted to create
    # IngressRoute/Service objects can have Traefik proxy to an arbitrary
    # hostname. Keep only if required, and restrict via RBAC who may create
    # those objects.
    allowExternalNameServices: true
  kubernetesIngress:
    allowEmptyServices: true
    # Same ExternalName caveat as for kubernetesCRD above.
    allowExternalNameServices: true
    publishedService:
      enabled: true

deployment:
  replicas: 4
  annotations:
    # Keel automatic image updates, polled on the schedule below.
    keel.sh/policy: minor
    # NOTE(review): Keel's documented trigger value is `poll`. Confirm that
    # `patch` is intended here, otherwise pollSchedule may have no effect.
    keel.sh/trigger: patch
    keel.sh/pollSchedule: '@midnight'

affinity:
  podAntiAffinity:
    # Hard rule: no two pods matching these labels may share a zone, so the
    # 4 replicas above can only all schedule if at least 4 zones exist.
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
        topologyKey: topology.kubernetes.io/zone

updateStrategy:
  # Recreate stops every pod before starting replacements, so each upgrade
  # (including Keel-driven ones) interrupts ingress traffic.
  # NOTE(review): Kubernetes rejects a Deployment that sets rollingUpdate
  # together with type Recreate. Confirm how the chart renders this block.
  type: Recreate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 1

# NOTE(review): the chart usually configures access logs under `logs.access`.
# Confirm this top-level key takes effect.
accessLog:
  format: json

# Redirect everything arriving on the plain-HTTP `web` entry point to
# https on :443.
globalArguments:
  - '--entryPoints.web.http.redirections.entryPoint.to=:443'
  - '--entryPoints.web.http.redirections.entryPoint.scheme=https'

service:
  annotations:
    # external-dns publishes this hostname for the Service.
    external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee
  spec:
    externalTrafficPolicy: Local

ingressRoute:
  dashboard:
    # Exposes the Traefik API and dashboard on the published hostname, over
    # the websecure entry point only. Access control depends entirely on the
    # `dashboard` middleware, which is not defined in this file.
    # NOTE(review): verify it enforces authentication.
    enabled: true
    domain: traefik.k-space.ee
    matchRule: 'Host(`traefik.k-space.ee`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))'
    entryPoints:
      - websecure
    middlewares:
      - name: dashboard
      - name: dashboard-redirect

tlsOptions:
  default:
    # TLS 1.0 and 1.1 handshakes are refused.
    minVersion: VersionTLS12
    cipherSuites:
      # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # TLS 1.3 suites: Go's TLS stack, which Traefik uses, does not allow the
      # TLS 1.3 suite set to be configured, so these entries are informational.
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256