# HelmChartConfig (helm.cattle.io/v1) that overrides the values of the
# `traefik` chart in kube-system. Everything under `valuesContent` is handed to
# the chart as its values document; the values themselves are unchanged here,
# only layout and review comments were added.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # Enable the file provider and watch the directory where the
    # traefik-file-provider ConfigMap is mounted (see `volumes` at the bottom).
    additionalArguments:
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
    # ACME resolver `default`: DNS challenge through Cloudflare, account and
    # certificates stored in /data/acme.json on the persistent volume.
    certResolvers:
      default:
        email: letsencrypt.org.danny@spamasaurus.com
        storage: /data/acme.json
        dnsChallenge:
          provider: cloudflare
          delayBeforeCheck: 5m0s
          resolvers:
            - 1.1.1.1:53
            - 1.0.0.1:53
    deployment:
      initContainers:
        # Runs as root (uid/gid 0) to create acme.json, hand it to uid 65532
        # and restrict it to mode 600 before Traefik starts.
        # NOTE(review): `busybox:latest` is a mutable tag and this container
        # runs as root with the ACME store mounted; pin a fixed tag or image
        # digest so the image cannot change underneath the deployment.
        # NOTE(review): the commands are joined with `;`, so a failing touch
        # or chown does not stop the script; only chmod's status is returned.
        - name: volume-permissions
          image: busybox:latest
          command:
            [
              "sh",
              "-c",
              "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json",
            ]
          securityContext:
            runAsNonRoot: false
            runAsGroup: 0
            runAsUser: 0
          volumeMounts:
            - name: traefik-data
              mountPath: /data
    # Cloudflare credentials for the DNS challenge, read from the Secret that
    # the SealedSecret in `extraObjects` produces.
    # NOTE(review): CF_API_EMAIL + CF_API_KEY is presumably the account-wide
    # global API key; a zone-scoped DNS token (CF_DNS_API_TOKEN) would limit
    # what a leaked credential can do. Confirm which credential is sealed.
    env:
      - name: CF_API_EMAIL
        valueFrom:
          secretKeyRef:
            name: traefik-cloudflare
            key: CF_API_EMAIL
      - name: CF_API_KEY
        valueFrom:
          secretKeyRef:
            name: traefik-cloudflare
            key: CF_API_KEY
    extraObjects:
      # Dynamic configuration consumed by the file provider.
      - apiVersion: v1
        kind: ConfigMap
        metadata:
          name: traefik-file-provider
          namespace: kube-system
        data:
          config.yml: |
            http:
              middlewares:
                # Delegates authentication to an external verify endpoint.
                # NOTE(review): trustForwardHeader: true passes client-supplied
                # X-Forwarded-* headers through to the auth service. Together
                # with ports.websecure.forwardedHeaders.insecure: true these
                # headers can originate from any client; confirm the auth
                # service makes no decision (e.g. source-IP rules) on them.
                2fa-authentication:
                  forwardAuth:
                    address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
                    trustForwardHeader: true
                # HSTS for 315360000 s (3650 days) incl. subdomains and preload.
                # Only routers that attach this middleware send the header.
                # NOTE(review): preload + includeSubdomains is hard to undo;
                # confirm every subdomain of the served zones is HTTPS-only.
                security-headers:
                  headers:
                    forceSTSHeader: true
                    stsSeconds: 315360000
                    stsIncludeSubdomains: true
                    stsPreload: true
                # Defined, but its only visible reference (dashboard route) is
                # commented out.
                compression:
                  compress: {}
            tls:
              options:
                # Named `defaults`, so it takes effect only where referenced
                # (ports.websecure.tls.options: defaults@file).
                # NOTE(review): the TLS 1.3 suite names likely have no effect,
                # since Go's crypto/tls does not make TLS 1.3 suites
                # configurable; TLS_FALLBACK_SCSV is a signalling value, not an
                # encryption suite. Verify both against the deployed version.
                defaults:
                  minVersion: VersionTLS12
                  sniStrict: true
                  curvePreferences:
                    - secp521r1
                    - secp384r1
                  cipherSuites:
                    - TLS_AES_128_GCM_SHA256
                    - TLS_AES_256_GCM_SHA384
                    - TLS_CHACHA20_POLY1305_SHA256
                    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
                    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                    - TLS_FALLBACK_SCSV
      # Sealed (encrypted) form of the traefik-cloudflare Secret; the
      # `template` section describes the Opaque Secret to be produced from it.
      # The values below are ciphertext and are reproduced unchanged.
      - apiVersion: bitnami.com/v1alpha1
        kind: SealedSecret
        metadata:
          creationTimestamp: null
          name: traefik-cloudflare
          namespace: kube-system
        spec:
          encryptedData:
            CF_API_EMAIL: AgCeBTkyKJ2iOEug2JLlnSt7nsR+UZDiCz+vYyUsk4HRmvPj2j6Vy46jzF3N26eDXA5glaL95OVIfrakAZ6StEe2tfb0PwQJcHxLsrzS95WN/9EqMpPz3PtoOFhqtLrOj9T05Q92RlY5E8nY5CEHAO0pdMUN8WR+mAm5coL4Cd5MFg54f+Y3U4NTG3DgeED5sE3O9u6kBMenSYsvD/9Bn3crigK/imE7NtDYn/cDLkxDPyL05gGzLScp9pzhChHe303vdLFy+NbXrVKB2p2PXxz/4aB48CIN/e8mdUGb/DTPakSbG1x4EKea+5N5FtxnZx+0mCmSiYwAH+kYvg25Wnf08+2CQsiaFbbTBWYjO9pkvrADOZ0IV/66fOIOaAQIxh2hztLgM/AAuuWsMV5CLSNG4JfnEMVwztWLxj/lz3vKpSQnzzh9DfX/Yzz4QtZlneCooc9TvhUn9UxPqB4ydXEyUUw8DAKQjVxVs0MmnVwp+tKY+xCUSRPPQ9Z1PvGS+i0m6L7Fm5WVXEUZT2jFSeBCHm+UBkY7COvm1VHinTviNZYXtP0tWCty8eg2AvbOl5vxoV2MJRkqYy8mfnRRlxY5zvKSdDjWgFQoHQgHjjKZqV2RE/PEaEfoQ+PLZSigkr2vFf6uFQ5P5riS69MaqvcwvBhYj5AnB3Ev8NW/kljRx6HeJWijEiLFuUmXqgHhtjoNfhRUjrGH25/XIXokAPA+McxCVbwFEQkiGAj69Wb6LQ/tu90=
            CF_API_KEY: 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
          template:
            metadata:
              creationTimestamp: null
              name: traefik-cloudflare
              namespace: kube-system
            type: Opaque
    # Dashboard route on the websecure entry point. Access control rests on the
    # 2fa-authentication forwardAuth middleware listed below.
    ingressRoute:
      dashboard:
        enabled: true
        entryPoints:
          - websecure
        matchRule: Host(`ingress.spamasaurus.com`)
        middlewares:
          - name: 2fa-authentication@file
          - name: security-headers@file
          # - name: compression@file
    # NOTE(review): DEBUG is the most verbose level and may record request
    # detail; return to INFO or higher once troubleshooting is finished.
    logs:
      general:
        level: DEBUG
    # Persistent volume `traefik-data` mounted at /data (holds acme.json).
    persistence:
      enabled: true
      name: traefik-data
      path: /data
      storageClass: longhorn
    ports:
      # Plain HTTP entry point redirects to websecure.
      web:
        redirectTo:
          port: websecure
      websecure:
        # NOTE(review): insecure: true trusts X-Forwarded-* headers from every
        # source address. If a known proxy sits in front, list its addresses
        # under forwardedHeaders.trustedIPs instead; otherwise consider
        # removing this so spoofed client-IP headers are not forwarded.
        forwardedHeaders:
          insecure: true
        tls:
          # TLS options from the file provider; certificates from the `default`
          # ACME resolver, one wildcard per zone plus the apex as SAN.
          options: defaults@file
          certResolver: default
          domains:
            - main: '*.pvr.spamasaurus.com'
            - main: '*.spamasaurus.com'
              sans:
                - 'spamasaurus.com'
            - main: '*.bessems.com'
              sans:
                - 'bessems.com'
            - main: '*.bessems.eu'
              sans:
                - 'bessems.eu'
            - main: '*.gabaldon.eu'
              sans:
                - 'gabaldon.eu'
            - main: '*.gabaldon.nl'
              sans:
                - 'gabaldon.nl'
            - main: '*.itch.fyi'
              sans:
                - 'itch.fyi'
    service:
      spec:
        loadBalancerIP: "192.168.154.240"
    # Recreate instead of a rolling update; presumably because the persistent
    # volume cannot be shared between an old and a new pod (confirm).
    updateStrategy:
      type: Recreate
      rollingUpdate: null
    # Mounts the traefik-file-provider ConfigMap where the file provider looks.
    volumes:
      - name: traefik-file-provider
        type: configMap
        mountPath: /etc/traefik/dynamic