# Traefik static configuration. The TOML body below is mounted into the
# Traefik pod as traefik.toml; the YAML around it is only the ConfigMap wrapper.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
data:
  traefik.toml: |
    # Enable the /ping health endpoint (served on the "traefik" entryPoint
    # unless configured otherwise — confirm for the deployed version).
    [ping]
    
    [global]
      # Version checks are done by renovate, so Traefik does not need to phone home.
      checkNewVersion = false
      # Do not report anonymous usage statistics.
      sendAnonymousUsage = false
    
    [log]
      # Traefik's own log level; access-log content is configured under [accessLog].
      level = "INFO"
    
    [accessLog]
      [accessLog.fields]
        # Every access-log field is kept unless it is listed with "drop" below.
        defaultMode = "keep"
        [accessLog.fields.names]
          "RequestProtocol" = "drop"
          "level" = "drop"
          "RequestContentSize" = "drop"
          "RequestScheme" = "drop"
          "StartLocal" = "drop"
          "StartUTC" = "drop"
        # Further candidate fields to drop. They are written in YAML syntax
        # here; to enable one, add it above as "FieldName" = "drop".
        #   ClientUsername: drop
        #   DownstreamStatusLine: drop
        #   RequestAddr: drop
        #   RequestCount: drop
        #   RequestHost: drop
        #   RequestLine: drop
        #   UpstreamAddr: drop
        #   UpstreamStatusLine: drop
        #   duration: drop
        #   msg: drop
        #   time: drop
        #   upstream: drop
        #   user_agent: drop
    [api]
      dashboard = true
      # SECURITY: insecure = true serves the API and dashboard without
      # authentication on the "traefik" entryPoint (:9000 below). This is only
      # acceptable if that port is unreachable from outside the cluster;
      # otherwise set insecure = false and expose the dashboard through a
      # router protected by an auth middleware.
      insecure = true
      debug = false
 
    [providers]
      [providers.kubernetesCRD]
        # An IngressRoute may reference services/middlewares in other
        # namespaces, so anyone who can create IngressRoutes can route to
        # services they do not own. Keep IngressRoute RBAC tight.
        allowCrossNamespace = true
      [providers.kubernetesIngress]
        # ExternalName Services are accepted as backends; such a Service can
        # point Traefik at arbitrary external hosts, so restrict who may create
        # Services in namespaces Traefik watches.
        allowExternalNameServices = true
        ingressClass = "traefik"    

    [serversTransport]
      # SECURITY: backend TLS certificates are not verified for any service,
      # so a TLS backend could be impersonated from inside the cluster. Prefer
      # a per-service ServersTransport with rootCAs, or at least record which
      # backends actually need this.
      insecureSkipVerify = true
 
    [entryPoints]
      [entryPoints.web]
        address = ":8000"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              # Redirect target is the external port, not the container port:
              # the load balancer maps 443 -> 8443 (websecure below).
              to = ":443" # should be the same as websecure but the loadbalancer maps 443 -> 8443
              scheme = "https"

      [entryPoints.websecure]
        address = ":8443"
        [entryPoints.websecure.forwardedHeaders]
          # SECURITY: X-Forwarded-* headers are trusted from any client, so the
          # client IP seen by middlewares (e.g. IP allow-lists) and by the
          # access log can be spoofed. If the load balancer is the only path
          # in, list its addresses in trustedIPs instead of insecure = true.
          insecure = true
      
      # Prometheus scrape target; see [metrics.prometheus].
      [entryPoints.metrics]
        address = ":9100"
      
      # Serves the API/dashboard while [api].insecure = true — see the note there.
      [entryPoints.traefik]
        address = ":9000"
      
      [entryPoints.dnsovertls]
        address = ":8853"
        # Routes DNS-over-TLS to other pods while terminating TLS with Traefik's own certificate.


    [metrics]
      [metrics.prometheus]
      # Metrics are enabled here; scraping is set up by a ServiceMonitor elsewhere.
      entryPoint = "metrics"
      addEntryPointsLabels = true
      addServicesLabels = true


    [certificatesResolvers.default-tls.acme]
      email = "me@moll.re"
      # acme.json holds the ACME account key and all issued private keys. Keep
      # it on a persistent volume with restrictive permissions (Traefik expects
      # mode 0600); without persistence, certificates are re-requested on every
      # restart and may hit the CA's rate limits.
      storage = "/certs/acme.json"
      # TLS-ALPN-01 challenge: the ACME server must reach port 443, which the
      # load balancer maps to websecure (:8443).
      [certificatesResolvers.default-tls.acme.tlsChallenge]