k3s-infra/infrastructure/traefik-system/configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
data:
  traefik.toml: |
    [ping]

    [global]
      checkNewVersion = false
      # renovate does that
      sendAnonymousUsage = false

    [log]
      level = "INFO"

    [accessLog]
      [accessLog.fields]
        defaultMode = "keep"
        [accessLog.fields.names]
          "RequestProtocol" = "drop"
          "level" = "drop"
          "RequestContentSize" = "drop"
          "RequestScheme" = "drop"
          "StartLocal" = "drop"
          "StartUTC" = "drop"
        #   ClientUsername: drop
        #   DownstreamStatusLine: drop
        #   RequestAddr: drop
        #   RequestCount: drop
        #   RequestHost: drop
        #   RequestLine: drop
        #   UpstreamAddr: drop
        #   UpstreamStatusLine: drop
        #   duration: drop
        #   msg: drop
        #   time: drop
        #   upstream: drop
        #   user_agent: drop
    [api]
      dashboard = true
      insecure = true
      debug = false

    [providers]
      [providers.kubernetesCRD]
        allowCrossNamespace = true
      [providers.kubernetesIngress]
        allowExternalNameServices = true
        ingressClass = "traefik"

    [serversTransport]
      insecureSkipVerify = true

    [entryPoints]
      [entryPoints.web]
        address = ":8000"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = ":443" # should be the same as websecure but the loadbalancer maps 443 -> 8443
              scheme = "https"

      [entryPoints.websecure]
        address = ":8443"
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
          # forward ip headers no matter where they come from

      [entryPoints.metrics]
        address = ":9100"

      [entryPoints.traefik]
        address = ":8080"

      [entryPoints.dnsovertls]
        address = ":8853"
        # route dns over https to other pods but provide own certificate


    [metrics]
      [metrics.prometheus]
      # metrics are enabled and scraping is ensured through a servicemonitor
      entryPoint = "metrics"
      addEntryPointsLabels = true
      addServicesLabels = true


    [certificatesResolvers.default-tls.acme]
      email = "me@moll.re"
      storage = "/certs/acme.json"
      [certificatesResolvers.default-tls.acme.tlsChallenge]