Skip to content

Traefik

Setup

For Traefik you will need to install the upstream traefik chart. Our advised solution for Traefik is to not differentiate between internal and external. Instead we advice using an IP-Whitelist or use tunneling to limit access for some domains to local.

Example values

# https://artifacthub.io/packages/helm/traefik/traefik?modal=values
deployment:
enabled: true
replicas: 2
service:
enabled: true
type: LoadBalancer
annotations:
metallb.io/ip-allocated-from-pool: main
metallb.io/loadBalancerIPs: ${TRAEFIK_IP}
metallb.universe.tf/ip-allocated-from-pool: main
spec:
externalTrafficPolicy: Local
logs:
general:
level: INFO
access:
enabled: true
ingressClass:
enabled: true
isDefaultClass: true
tlsOptions:
default:
minVersion: VersionTLS12
maxVersion: VersionTLS13
sniStrict: true
providers:
kubernetesCRD:
enabled: true
allowCrossNamespace: true
allowExternalNameServices: true
tlsStore:
default:
defaultCertificate:
secretName: "${SECRET_PUBLIC_DOMAIN/./-}-tls"
ports:
traefik:
expose:
default: true
web:
redirections:
port: websecure
websecure:
tls:
enabled: true
options: "default"

Middleware Examples

Here we will showcase some middlewares you can use to customise your traefik ingress behavior. For more information and all available options, please checkout common ingress docs (TODO: add link to common docs)

General

To setup a middleware you can specify it in the values of the chart you want to use it in:

ingressMiddlewares:
traefik:
middleware-name:
enabled: true
data:
address: some-address

Additionally you have to add them to your ingress like this:

ingress:
main:
enabled: true
integrations:
traefik:
enabled: true
entrypoints:
- websecure
middlewares:
- name: traefik-regex
namespace: traefik
- name: auth
namespace: traefik

Authelia Example

ingressMiddlewares:
traefik:
middleware-name:
enabled: true
type: forward-auth
data:
address: http://authelia.authelia.svc.cluster.local:9091/api/verify
authResponseHeadersRegex: ''
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Name
- Remote-Email
authRequestHeaders: []
tls:
insecureSkipVerify: true

IP Whitelist

ingressMiddlewares:
traefik:
middleware-name:
enabled: true
type: ip-allow-list
data:
sourceRange:
- 192.168.178.0/24
ipStrategy:
depth: 1
excludedIPs:
- some-excluded-ip

Themepart

ingressMiddlewares:
traefik:
middleware-name:
enabled: true
type: plugin-theme-park
data:
pluginName: my-plugin-name
app: sonarr
theme: dark
baseUrl: https://theme-park.dev
addons:
- some-addon
- some-other-addon

Redirect Regex

ingressMiddlewares:
traefik:
middleware-name:
enabled: true
type: redirect-regex
data:
regex: some-regex
replacement: some-replacement
permanent: true

More Examples can be found in the common docs here.