traefik update

charts/traefik/.schema.yaml

@@ -0,0 +1,13 @@
+# Required
+input:
+  - values.yaml
+
+draft: 2020
+indent: 4
+output: values.schema.json
+
+schemaRoot:
+  id: https://traefik.io/traefik-helm-chart.schema.json
+  title: Traefik Proxy Helm Chart
+  description: The Cloud Native Application Proxy
+  additionalProperties: true

charts/traefik/Changelog.md

@@ -1,5 +1,122 @@
 # Change Log
 
+## 34.0.0  ![AppVersion: v3.3.1](https://img.shields.io/static/v1?label=AppVersion&message=v3.3.1&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
+
+**Release date:** 2025-01-13
+
+* fix(Traefik Proxy)!: use namespaceOverride as expected
+* fix(Traefik Proxy)!: move redirectTo => redirections
+* fix(Gateway API): status should not use default service when it's disabled
+* feat(deps): update traefik docker tag to v3.3.1
+* feat(deps): update traefik docker tag to v3.2.3
+* feat(Traefik Proxy): apply migration guide to v3.3
+* feat(Traefik Proxy): add support for experimental FastProxy
+* feat(Traefik Hub): add support for AI Gateway
+* feat(Chart): :package: add optional separated chart for CRDs
+* feat(CRDs): update CRDs for Traefik Proxy v3.3.x
+* chore(release): publish v34.0.0
+* chore(Gateway API): :recycle: remove template from values
+
+**Upgrade Notes**
+
+There are multiple breaking changes in this release:
+
+1. When using namespaceOverride, the label selector will be changed. On a production environment, it's recommended to deploy a new instance with the new version, switch the traffic to it and delete the previous one. See PR #1290 for more information
+2. `ports.x.redirectTo` has been refactored to be aligned with upstream syntax. See PR #1301 for a complete before / after example.
+
+
+### Default value changes
+
+```diff
+diff --git a/traefik/values.yaml b/traefik/values.yaml
+index 78c8ea4..f5922fe 100644
+--- a/traefik/values.yaml
++++ b/traefik/values.yaml
+@@ -122,14 +122,19 @@ core:  # @schema additionalProperties: false
+ experimental:
+   # -- Defines whether all plugins must be loaded successfully for Traefik to start
+   abortOnPluginFailure: false
++  fastProxy:
++    # -- Enables the FastProxy implementation.
++    enabled: false
++    # -- Enable debug mode for the FastProxy implementation.
++    debug: false
++  kubernetesGateway:
++    # -- Enable traefik experimental GatewayClass CRD
++    enabled: false
+   # -- Enable traefik experimental plugins
+   plugins: {}
+   # demo:
+   #   moduleName: github.com/traefik/plugindemo
+   #   version: v0.2.1
+-  kubernetesGateway:
+-    # -- Enable traefik experimental GatewayClass CRD
+-    enabled: false
+ 
+ gateway:
+   # -- When providers.kubernetesGateway.enabled, deploy a default gateway
+@@ -314,8 +319,9 @@ providers:  # @schema additionalProperties: false
+       hostname: ""
+       # -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
+       service:
+-        name: "{{ (include \"traefik.fullname\" .) }}"
+-        namespace: "{{ .Release.Namespace }}"
++        enabled: true
++        name: ""
++        namespace: ""
+ 
+   file:
+     # -- Create a file provider
+@@ -537,8 +543,8 @@ tracing:  # @schema additionalProperties: false
+   addInternals: false
+   # -- Service name used in selected backend. Default: traefik.
+   serviceName:  # @schema type:[string, null]
+-  # -- Applies a list of shared key:value attributes on all spans.
+-  globalAttributes: {}
++  # -- Defines additional resource attributes to be sent to the collector.
++  resourceAttributes: {}
+   # -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
+   capturedRequestHeaders: []
+   # -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
+@@ -642,10 +648,12 @@ ports:
+     protocol: TCP
+     # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
+     nodePort:  # @schema type:[integer, null]; minimum:0
+-    # Port Redirections
+-    # Added in 2.2, you can make permanent redirects via entrypoints.
+-    # https://docs.traefik.io/routing/entrypoints/#redirection
+-    redirectTo: {}
++    redirections:
++      # -- Port Redirections
++      # Added in 2.2, one can make permanent redirects via entrypoints.
++      # Same sets of parameters: to, scheme, permanent and priority.
++      # https://docs.traefik.io/routing/entrypoints/#redirection
++      entryPoint: {}
+     forwardedHeaders:
+       # -- Trust forwarded headers information (X-Forwarded-*).
+       trustedIPs: []
+@@ -869,7 +877,7 @@ affinity: {}
+ #      - labelSelector:
+ #          matchLabels:
+ #            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+-#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
++#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+ #        topologyKey: kubernetes.io/hostname
+ 
+ # -- nodeSelector is the simplest recommended form of node selection constraint.
+@@ -933,7 +941,9 @@ hub:
+       listenAddr: ""
+       # -- Certificate of the WebHook admission server. Default: "hub-agent-cert".
+       secretName: ""
+-
++  experimental:
++    # -- Set to true in order to enable AI Gateway. Requires a valid license token.
++    aigateway: false
+   redis:
+     # -- Enable Redis Cluster. Default: true.
+     cluster:    # @schema type:[boolean, null]
+```
+
 ## 33.2.1  ![AppVersion: v3.2.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.2.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
 
 **Release date:** 2024-12-13

charts/traefik/Chart.yaml

@@ -1,8 +1,19 @@
 annotations:
-  artifacthub.io/changes: "- \"fix(Gateway API): CRDs should only be defined once\"\n-
+  artifacthub.io/changes: |
-    \"chore(release): \U0001F680 publish v33.2.1\"\n"
+    - "fix(Traefik Proxy)!: use namespaceOverride as expected"
+    - "fix(Traefik Proxy)!: move redirectTo => redirections"
+    - "fix(Gateway API): status should not use default service when it's disabled"
+    - "feat(deps): update traefik docker tag to v3.3.1"
+    - "feat(deps): update traefik docker tag to v3.2.3"
+    - "feat(Traefik Proxy): apply migration guide to v3.3"
+    - "feat(Traefik Proxy): add support for experimental FastProxy"
+    - "feat(Traefik Hub): add support for AI Gateway"
+    - "feat(Chart): :package: add optional separated chart for CRDs"
+    - "feat(CRDs): update CRDs for Traefik Proxy v3.3.x"
+    - "chore(release): publish v34.0.0"
+    - "chore(Gateway API): :recycle: remove template from values"
 apiVersion: v2
-appVersion: v3.2.2
+appVersion: v3.3.1
 description: A Traefik based Kubernetes ingress controller
 home: https://traefik.io/
 icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
@@ -24,4 +35,4 @@ sources:
 - https://github.com/traefik/traefik
 - https://github.com/traefik/traefik-helm-chart
 type: application
-version: 33.2.1
+version: 34.0.0

charts/traefik/EXAMPLES.md

@@ -102,6 +102,20 @@ kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traef
 
 This command makes the dashboard accessible on the url: http://127.0.0.1:8080/dashboard/
 
+# Redirect permanently traffic from http to https
+
+It's possible to redirect all incoming requests on an entrypoint to an other entrypoint.
+
+```yaml
+ports:
+  web:
+    redirections:
+      entryPoint:
+        to: websecure
+        scheme: https
+        permanent: true
+```
+
 # Publish and protect Traefik Dashboard with basic Auth
 
 To expose the dashboard in a secure way as [recommended](https://doc.traefik.io/traefik/operations/dashboard/#dashboard-router-rule)

charts/traefik/README.md

@@ -13,6 +13,8 @@ This chart support policy is aligned with [upstream support policy](https://doc.
 
 See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs.
 
+Starting with v34.x, to work around [Helm caveats](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations), it's possible to use an additional Chart dedicated to CRDs: **traefik-crds**.
+
 ### Philosophy
 
 The Traefik HelmChart is focused on Traefik deployment configuration.
@@ -56,7 +58,9 @@ Due to changes in API Group of Traefik CRDs from `containo.us` to `traefik.io`,
 | Chart v23.0.0 and above |  [x]                        | [x]                    |
 | Chart v28.0.0 and above |                             | [x]                    |
 
-### Deploying Traefik
+### Deploying
+
+#### The standard way
 
 ```bash
 helm install traefik traefik/traefik
@@ -75,15 +79,26 @@ Complete documentation on all available parameters is in the [default file](./tr
 helm install -f myvalues.yaml traefik traefik/traefik
 ```
 
-🛂 **Warning**: Helm v2 support was removed in the chart version 10.0.0.
+#### With additional CRDs chart
+
+```bash
+helm install traefik-crds traefik/traefik-crds
+helm install traefik traefik/traefik --skip-crds
+helm list # should display two charts installed
+```
 
 ## Upgrading
 
 One can check what has changed in the [Changelog](./traefik/Changelog.md).
 
-:information_source: With Helm v3, CRDs created by this chart can not be updated, cf. the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
+New major version indicates that there is an incompatible breaking change.
+> [!WARNING]
+> Please read carefully release notes of this chart before upgrading.
 
-:warning: Please read carefully release notes of this chart before upgrading CRDs.
+### A standard installation
+
+When using Helm native management for CRDs, user **MUST** upgrade CRDs before calling _helm upgrade_ command.
+CRDs are **not** updated by Helm. See [HIP-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md) for details.
 
 ```bash
 # Update repository
@@ -96,7 +111,30 @@ kubectl apply --server-side --force-conflicts -k https://github.com/traefik/trae
 helm upgrade traefik traefik/traefik
 ```
 
-New major version indicates that there is an incompatible breaking change.
+> [!WARNING]
+> When upgrading from standard installation to the one with additional CRDs chart,
+> you **have** to change ownership on CRDs **before** installing CRDs chart
+
+```bash
+kubectl get customresourcedefinitions.apiextensions.k8s.io -o name | grep traefik.io | xargs kubectl patch --type='json' -p='[{"op": "add", "path": "/metadata/labels", "value": {"app.kubernetes.io/managed-by":"Helm"}},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-name", "value":"traefik-crds"},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-namespace", "value":"traefik-crds"}]'
+# If you use gateway API, you might also want to change Gateway API ownership
+kubectl get customresourcedefinitions.apiextensions.k8s.io -o name | grep gateway.networking.k8s.io | xargs kubectl patch --type='json' -p='[{"op": "add", "path": "/metadata/labels", "value": {"app.kubernetes.io/managed-by":"Helm"}},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-name", "value":"traefik-crds"},{"op": "add", "path": "/metadata/annotations/meta.helm.sh~1release-namespace", "value":"traefik"}]'
+helm install traefik-crds traefik/traefik-crds
+```
+
+
+### An installation with additional CRDs chart
+
+```bash
+# Update repository
+helm repo update
+# See current Chart & Traefik version
+helm search repo traefik/traefik
+# Update CRDs (Traefik Proxy v3 CRDs)
+helm upgrade traefik-crds traefik/traefik
+# Upgrade Traefik
+helm upgrade traefik traefik/traefik
+```
 
 ### Upgrade up to 27.X
 

charts/traefik/VALUES.md

@@ -1,6 +1,6 @@
 # traefik
 
-![Version: 33.2.1](https://img.shields.io/badge/Version-33.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.2.2](https://img.shields.io/badge/AppVersion-v3.2.2-informational?style=flat-square)
+![Version: 34.0.0](https://img.shields.io/badge/Version-34.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.3.1](https://img.shields.io/badge/AppVersion-v3.3.1-informational?style=flat-square)
 
 A Traefik based Kubernetes ingress controller
 
@@ -63,6 +63,8 @@ Kubernetes: `>=1.22.0-0`
 | env | list | See _values.yaml_ | Additional Environment variables to be passed to Traefik's binary |
 | envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
 | experimental.abortOnPluginFailure | bool | `false` | Defines whether all plugins must be loaded successfully for Traefik to start |
+| experimental.fastProxy.debug | bool | `false` | Enable debug mode for the FastProxy implementation. |
+| experimental.fastProxy.enabled | bool | `false` | Enables the FastProxy implementation. |
 | experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
 | experimental.plugins | object | `{}` | Enable traefik experimental plugins |
 | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template)  In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
@@ -83,6 +85,7 @@ Kubernetes: `>=1.22.0-0`
 | hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
 | hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". |
 | hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. |
+| hub.experimental.aigateway | bool | `false` | Set to true in order to enable AI Gateway. Requires a valid license token. |
 | hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. |
 | hub.redis.database | string | `nil` | Database used to store information. Default: "0". |
 | hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". |
@@ -222,7 +225,7 @@ Kubernetes: `>=1.22.0-0`
 | ports.web.protocol | string | `"TCP"` |  |
 | ports.web.proxyProtocol.insecure | bool | `false` |  |
 | ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
-| ports.web.redirectTo | object | `{}` |  |
+| ports.web.redirections.entryPoint | object | `{}` | Port Redirections Added in 2.2, one can make permanent redirects via entrypoints. Same sets of parameters: to, scheme, permanent and priority. https://docs.traefik.io/routing/entrypoints/#redirection |
 | ports.web.targetPort | string | `nil` |  |
 | ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
 | ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) |
@@ -262,7 +265,7 @@ Kubernetes: `>=1.22.0-0`
 | providers.kubernetesGateway.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
 | providers.kubernetesGateway.statusAddress.hostname | string | `""` | This Hostname will get copied to the Gateway status.addresses. |
 | providers.kubernetesGateway.statusAddress.ip | string | `""` | This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6). |
-| providers.kubernetesGateway.statusAddress.service | object | `{"name":"{{ (include \"traefik.fullname\" .) }}","namespace":"{{ .Release.Namespace }}"}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
+| providers.kubernetesGateway.statusAddress.service | object | `{"enabled":true,"name":"","namespace":""}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
 | providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
 | providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
 | providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |
@@ -297,11 +300,10 @@ Kubernetes: `>=1.22.0-0`
 | tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. |
 | tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. |
 | topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. |
-| tracing | object | `{"addInternals":false,"capturedRequestHeaders":[],"capturedResponseHeaders":[],"globalAttributes":{},"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}},"safeQueryParams":[],"sampleRate":null,"serviceName":null}` | https://doc.traefik.io/traefik/observability/tracing/overview/ |
+| tracing | object | `{"addInternals":false,"capturedRequestHeaders":[],"capturedResponseHeaders":[],"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}},"resourceAttributes":{},"safeQueryParams":[],"sampleRate":null,"serviceName":null}` | https://doc.traefik.io/traefik/observability/tracing/overview/ |
 | tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. |
 | tracing.capturedRequestHeaders | list | `[]` | Defines the list of request headers to add as attributes. It applies to client and server kind spans. |
 | tracing.capturedResponseHeaders | list | `[]` | Defines the list of response headers to add as attributes. It applies to client and server kind spans. |
-| tracing.globalAttributes | object | `{}` | Applies a list of shared key:value attributes on all spans. |
 | tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ |
 | tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
 | tracing.otlp.grpc.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
@@ -317,6 +319,7 @@ Kubernetes: `>=1.22.0-0`
 | tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
 | tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
 | tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
+| tracing.resourceAttributes | object | `{}` | Defines additional resource attributes to be sent to the collector. |
 | tracing.safeQueryParams | list | `[]` | By default, all query parameters are redacted. Defines the list of query parameters to not redact. |
 | tracing.sampleRate | string | `nil` | The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0. |
 | tracing.serviceName | string | `nil` | Service name used in selected backend. Default: traefik. |

charts/traefik/crds/traefik.io_ingressroutes.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -57,18 +57,19 @@ spec:
                       description: |-
                         Kind defines the kind of the route.
                         Rule is the only supported kind.
+                        If not defined, defaults to Rule.
                       enum:
                       - Rule
                       type: string
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -85,10 +86,22 @@ spec:
                         - name
                         type: object
                       type: array
+                    observability:
+                      description: |-
+                        Observability defines the observability configuration for a router.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
+                      properties:
+                        accessLogs:
+                          type: boolean
+                        metrics:
+                          type: boolean
+                        tracing:
+                          type: boolean
+                      type: object
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                       type: integer
                     services:
                       description: |-
@@ -229,7 +242,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                     type: boolean
                                   maxAge:
                                     description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                       When set to a negative number, the cookie expires immediately.
                                       When set to zero, the cookie never expires.
                                     type: integer
                                   name:
                                     description: Name defines the Cookie name.
                                     type: string
+                                  path:
+                                    description: |-
+                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                      When not provided the cookie will be sent on every request to the domain.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                    type: string
                                   sameSite:
                                     description: |-
                                       SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                       type: string
                   required:
-                  - kind
                   - match
                   type: object
                 type: array
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -317,17 +335,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -344,12 +362,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name

charts/traefik/crds/traefik.io_ingressroutetcps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -56,7 +56,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                       type: integer
                     services:
                       description: Services defines the list of TCP services.
@@ -121,7 +121,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -159,7 +159,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                       type: string
                   required:
                   - match
@@ -168,18 +168,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -198,7 +198,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

charts/traefik/crds/traefik.io_ingressrouteudps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string

charts/traefik/crds/traefik.io_middlewares.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -45,7 +45,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -57,12 +57,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -83,7 +83,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -115,14 +115,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -181,7 +181,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -230,12 +230,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -255,7 +255,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
@@ -265,7 +265,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -398,7 +398,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -409,13 +409,19 @@ spec:
                                 type: boolean
                               maxAge:
                                 description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                   When set to a negative number, the cookie expires immediately.
                                   When set to zero, the cookie never expires.
                                 type: integer
                               name:
                                 description: Name defines the Cookie name.
                                 type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
                               sameSite:
                                 description: |-
                                   SameSite defines the same site policy.
@@ -456,7 +462,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -484,8 +490,22 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
+                  forwardBody:
+                    description: ForwardBody defines whether to send the request body
+                      to the authentication server.
+                    type: boolean
+                  maxBodySize:
+                    description: MaxBodySize defines the maximum body size in bytes
+                      allowed to be forwarded to the authentication server.
+                    format: int64
+                    type: integer
+                  preserveLocationHeader:
+                    description: PreserveLocationHeader defines whether to forward
+                      the Location header to the client as is or prefix it with the
+                      domain name of the authentication server.
+                    type: boolean
                   tls:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
@@ -531,7 +551,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -702,7 +722,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -715,12 +735,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -755,12 +775,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -797,7 +817,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -827,7 +847,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -936,7 +956,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -969,7 +989,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1004,7 +1024,7 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1023,7 +1043,7 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1040,7 +1060,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1051,7 +1071,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1067,7 +1087,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -1089,7 +1109,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1108,7 +1128,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

charts/traefik/crds/traefik.io_middlewaretcps.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -55,7 +55,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

charts/traefik/crds/traefik.io_serverstransports.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-

charts/traefik/crds/traefik.io_serverstransporttcps.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-

charts/traefik/crds/traefik.io_tlsoptions.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -44,14 +44,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -79,7 +79,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array

charts/traefik/crds/traefik.io_tlsstores.yaml

@@ -21,7 +21,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-

charts/traefik/crds/traefik.io_traefikservices.yaml

@@ -22,7 +22,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -268,7 +268,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -279,13 +279,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -375,7 +381,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -386,13 +392,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.
@@ -558,7 +570,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -569,13 +581,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -605,7 +623,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -616,13 +634,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.

charts/traefik/templates/_helpers.tpl

@@ -43,7 +43,7 @@ If release name contains chart name it will be used as a full name.
 Allow customization of the instance label value.
 */}}
 {{- define "traefik.instance-name" -}}
-{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
+{{- default (printf "%s-%s" .Release.Name (include "traefik.namespace" .)) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/* Shared labels used for selector*/}}
@@ -89,7 +89,7 @@ Adds the namespace to name to prevent duplicate resource names when there
 are multiple namespaced releases with the same release name.
 */}}
 {{- define "traefik.clusterRoleName" -}}
-{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }}
+{{- (printf "%s-%s" (include "traefik.fullname" .) (include "traefik.namespace" .)) | trunc 63 | trimSuffix "-" }}
 {{- end -}}
 
 {{/*
@@ -99,7 +99,7 @@ service generated.
 Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
 */}}
 {{- define "providers.kubernetesIngress.publishedServicePath" -}}
-{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}}
+{{- $defServiceName := printf "%s/%s" (include "traefik.namespace" .) (include "traefik.fullname" .) -}}
 {{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
 {{- print $servicePath | trimSuffix "-" -}}
 {{- end -}}
@@ -150,15 +150,15 @@ based on semverCompare
 
 {{/* Generate/load self-signed certificate for admission webhooks */}}
 {{- define "traefik-hub.webhook_cert" -}}
-{{- $cert := lookup "v1" "Secret" .Release.Namespace "hub-agent-cert" -}}
+{{- $cert := lookup "v1" "Secret" (include "traefik.namespace" .) "hub-agent-cert" -}}
 {{- if $cert -}}
 {{/* reusing value of existing cert */}}
 Cert: {{ index $cert.data "tls.crt" }}
 Key: {{ index $cert.data "tls.key" }}
 {{- else -}}
 {{/* generate a new one */}}
-{{- $altNames := list ( printf "admission.%s.svc" .Release.Namespace ) -}}
+{{- $altNames := list ( printf "admission.%s.svc" (include "traefik.namespace" .) ) -}}
-{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" .Release.Namespace ) (list) $altNames 3650 -}}
+{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" (include "traefik.namespace" .) ) (list) $altNames 3650 -}}
 Cert: {{ $cert.Cert | b64enc }}
 Key: {{ $cert.Key | b64enc }}
 {{- end -}}

charts/traefik/templates/_podtemplate.tpl

@@ -392,8 +392,8 @@
           - "--tracing.serviceName={{ . }}"
             {{- end }}
 
-            {{- range $name, $value := .globalAttributes }}
+            {{- range $name, $value := .resourceAttributes }}
-          - "--tracing.globalAttributes.{{ $name }}={{ $value }}"
+          - "--tracing.resourceAttributes.{{ $name }}={{ $value }}"
             {{- end }}
 
             {{- range $index, $value := .capturedRequestHeaders }}
@@ -468,6 +468,14 @@
            {{- end }}
           {{- end }}
           {{- end }}
+          {{- with .Values.experimental.fastProxy }}
+            {{- if .enabled }}
+          - "--experimental.fastProxy"
+            {{- end }}
+            {{- if .debug }}
+          - "--experimental.fastProxy.debug"
+            {{- end }}
+          {{- end }}
           {{- range $pluginName, $plugin := .Values.experimental.plugins }}
           {{- if or (ne (typeOf $plugin) "map[string]interface {}") (not (hasKey $plugin "moduleName")) (not (hasKey $plugin "version")) }}
             {{- fail  (printf "ERROR: plugin %s is missing moduleName/version keys !" $pluginName) }}
@@ -555,9 +563,9 @@
              {{- with .hostname }}
           - "--providers.kubernetesgateway.statusaddress.hostname={{ . }}"
              {{- end }}
-             {{- with .service }}
+             {{- if (and .service.enabled $.Values.service.enabled) }}
-          - "--providers.kubernetesgateway.statusaddress.service.name={{ tpl .name $ }}"
+          - "--providers.kubernetesgateway.statusaddress.service.name={{ .service.name | default (include "traefik.fullname" $) }}"
-          - "--providers.kubernetesgateway.statusaddress.service.namespace={{ tpl .namespace $ }}"
+          - "--providers.kubernetesgateway.statusaddress.service.namespace={{ .service.namespace | default (include "traefik.namespace" $) }}"
              {{- end }}
             {{- end }}
             {{- if .nativeLBByDefault }}
@@ -590,14 +598,29 @@
           {{- range $entrypoint, $config := $.Values.ports }}
           {{- if $config }}
             {{- if $config.redirectTo }}
-             {{- $toPort := index $.Values.ports $config.redirectTo.port }}
+              {{- fail "ERROR: redirectTo syntax has been removed in v34 of this Chart. See Release notes or EXAMPLES.md for new syntax." -}}
+            {{- end }}
+            {{- if $config.redirections }}
+             {{- with $config.redirections.entryPoint }}
+              {{- if not (hasKey $.Values.ports .to) }}
+                {{- $errorMsg := printf "ERROR: Cannot redirect %s to %s: entryPoint not found" $entrypoint .to }}
+                {{- fail $errorMsg }}
+              {{- end }}
+              {{- $toPort := index $.Values.ports .to }}
+              {{- if and (($toPort.tls).enabled) (ne .scheme "https") }}
+                {{- $errorMsg := printf "ERROR: Cannot redirect %s to %s without setting scheme to https" $entrypoint .to }}
+                {{- fail $errorMsg }}
+              {{- end }}
           - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}"
-          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
+              {{- with .scheme }}
-             {{- if $config.redirectTo.priority }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme={{ . }}"
-          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ $config.redirectTo.priority }}"
+              {{- end }}
-             {{- end }}
+              {{- with .priority }}
-             {{- if $config.redirectTo.permanent }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ . }}"
-          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent=true"
+              {{- end }}
+              {{- with .permanent }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent={{ . }}"
+              {{- end }}
              {{- end }}
             {{- end }}
             {{- if $config.middlewares }}
@@ -756,6 +779,9 @@
               {{- end }}
              {{- end }}
             {{- end }}
+            {{- if .experimental.aigateway }}
+          - "--hub.experimental.aigateway"
+            {{- end -}}
             {{- with .platformUrl }}
           - "--hub.platformUrl={{ . }}"
             {{- end -}}

charts/traefik/templates/requirements.yaml

@@ -32,6 +32,10 @@
   {{- end }}
 {{- end }}
 
+{{- if and (semverCompare "<v3.2.0-0" $version) (.Values.experimental.fastProxy.enabled)}}
+  {{- fail "ERROR: fastProxy is an experimental feature only available for traefik >= v3.2.0." }}
+{{- end }}
+
 {{- if and (semverCompare "<v3.3.0-0" $version) (.Values.experimental.abortOnPluginFailure)}}
   {{- fail "ERROR: abortOnPluginFailure is an experimental feature only available for traefik >= v3.3.0." }}
 {{- end }}
@@ -42,4 +46,4 @@
 
 {{- if and (semverCompare "<v3.1.0-0" $version) .Values.tracing.safeQueryParams }}
   {{ fail "ERROR: safeQueryParams is a feature only available for traefik >= v3.1.0."}}
-{{- end }}
+{{- end }}

charts/traefik1/.helmignore

@@ -0,0 +1,2 @@
+tests/
+crds/kustomization.yaml

charts/traefik1/Chart.yaml

@@ -0,0 +1,27 @@
+annotations:
+  artifacthub.io/changes: "- \"fix(Gateway API): CRDs should only be defined once\"\n-
+    \"chore(release): \U0001F680 publish v33.2.1\"\n"
+apiVersion: v2
+appVersion: v3.2.2
+description: A Traefik based Kubernetes ingress controller
+home: https://traefik.io/
+icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
+keywords:
+- traefik
+- ingress
+- networking
+kubeVersion: '>=1.22.0-0'
+maintainers:
+- email: michel.loiseleur@traefik.io
+  name: mloiseleur
+- email: charlie.haley@traefik.io
+  name: charlie-haley
+- email: remi.buisson@traefik.io
+  name: darkweaver87
+- name: jnoordsij
+name: traefik
+sources:
+- https://github.com/traefik/traefik
+- https://github.com/traefik/traefik-helm-chart
+type: application
+version: 33.2.1

charts/traefik1/Guidelines.md

@@ -0,0 +1,34 @@
+# Traefik Helm Chart Guidelines
+
+This document outlines the guidelines for developing, managing and extending the Traefik helm chart.
+
+This Helm Chart is documented using field description from comments with [helm-docs](https://github.com/norwoodj/helm-docs).
+
+It comes with a JSON schema generated from values with [helm schema](https://github.com/losisin/helm-values-schema-json) plugin.
+
+## Feature Example
+
+```yaml
+logs:
+  general:
+    # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
+    format:  # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
+```
+
+Documention is on the first comment, starting with `# --`
+Specific instructions for schema, when needed, are done with the inline comment starting with `# @schema`.
+
+## Whitespace
+
+Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace:
+
+```yaml
+{{- if .Values }}
+{{- end }}
+```
+
+There should be an empty commented line between each primary key in the values.yaml file to separate features from each other.
+
+## Values YAML Design
+
+The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names to not have to correspond to fields in the template if it is not conducive.

charts/traefik1/LICENSE

@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020 Containous
+   Copyright 2020 Traefik Labs
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

charts/traefik1/README.md

@@ -0,0 +1,158 @@
+# Traefik
+
+[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy
+microservices with ease.
+
+## Introduction
+
+Starting with v28.x, this chart now bootstraps Traefik Proxy version 3 as a Kubernetes ingress controller,
+using Custom Resources `IngressRoute`: <https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/>.
+
+It's possible to use this chart with Traefik Proxy v2 using v27.x
+This chart support policy is aligned with [upstream support policy](https://doc.traefik.io/traefik/deprecation/releases/) of Traefik Proxy.
+
+See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs.
+
+### Philosophy
+
+The Traefik HelmChart is focused on Traefik deployment configuration.
+
+To keep this HelmChart as generic as possible we tend
+to avoid integrating any third party solutions nor any specific use cases.
+
+Accordingly, the encouraged approach to fulfill your needs:
+
+1. Override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/))
+2. Append your own configurations (`kubectl apply -f myconf.yaml`)
+
+[Examples](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md) of common usage are provided.
+
+If needed, one may use [extraObjects](./traefik/tests/values/extra.yaml) or extend this HelmChart [as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/).
+
+## Installing
+
+### Prerequisites
+
+1. [x] Helm **v3 > 3.9.0** [installed](https://helm.sh/docs/using_helm/#installing-helm): `helm version`
+2. [x] Traefik's chart repository: `helm repo add traefik https://traefik.github.io/charts`
+
+### Kubernetes Version Support
+
+Due to changes in CRD version support, the following versions of the chart are usable and supported on the following Kubernetes versions:
+
+|                         |  Kubernetes v1.15 and below | Kubernetes v1.16-v1.21 | Kubernetes v1.22 and above |
+|-------------------------|-----------------------------|------------------------|----------------------------|
+| Chart v9.20.2 and below | [x]                         | [x]                    |                            |
+| Chart v10.0.0 and above |                             | [x]                    | [x]                        |
+| Chart v22.0.0 and above |                             |                        | [x]                        |
+
+### CRDs Support of Traefik Proxy
+
+Due to changes in API Group of Traefik CRDs from `containo.us` to `traefik.io`, this Chart install CRDs needed by default Traefik Proxy version, following this table:
+
+|                         |  `containo.us`              | `traefik.io`           |
+|-------------------------|-----------------------------|------------------------|
+| Chart v22.0.0 and below |  [x]                        |                        |
+| Chart v23.0.0 and above |  [x]                        | [x]                    |
+| Chart v28.0.0 and above |                             | [x]                    |
+
+### Deploying Traefik
+
+```bash
+helm install traefik traefik/traefik
+```
+
+or:
+
+```bash
+helm install traefik oci://ghcr.io/traefik/helm/traefik
+```
+
+You can customize the install with a `values` file. There are some [EXAMPLES](./EXAMPLES.md) provided.
+Complete documentation on all available parameters is in the [default file](./traefik/values.yaml).
+
+```bash
+helm install -f myvalues.yaml traefik traefik/traefik
+```
+
+🛂 **Warning**: Helm v2 support was removed in the chart version 10.0.0.
+
+## Upgrading
+
+One can check what has changed in the [Changelog](./traefik/Changelog.md).
+
+:information_source: With Helm v3, CRDs created by this chart can not be updated, cf. the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
+
+:warning: Please read carefully release notes of this chart before upgrading CRDs.
+
+```bash
+# Update repository
+helm repo update
+# See current Chart & Traefik version
+helm search repo traefik/traefik
+# Update CRDs (Traefik Proxy v3 CRDs)
+kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/
+# Upgrade Traefik
+helm upgrade traefik traefik/traefik
+```
+
+New major version indicates that there is an incompatible breaking change.
+
+### Upgrade up to 27.X
+
+When upgrading on Traefik Proxy v2 version, one need to stay at Traefik Helm Chart v27.x. The command to upgrade to the latest Traefik Proxy v2 CRD is:
+
+```bash
+kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/?ref=v27
+```
+
+### Upgrading after 18.X+
+
+It's detailed in [release notes](https://github.com/traefik/traefik-helm-chart/releases).
+
+### Upgrading from 17.x to 18.x
+
+Since v18.x, this chart by default merges TCP and UDP ports into a single (LoadBalancer) `Service`.
+Load balancers with mixed protocols are available since v1.20 and in
+[beta as of Kubernetes v1.24](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types).
+Availability may depend on your Kubernetes provider.
+
+To retain the old default behavior, set `service.single` to `false` in your values.
+
+When using TCP and UDP with a single service, you may encounter
+[this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741)
+from Kubernetes.
+
+On HTTP/3, if you want to avoid this issue, you can set
+`ports.websecure.http3.advertisedPort` to an other value than `443`
+
+If you were previously using HTTP/3, you should update your values as follows:
+  - Replace the old value (`true`) of `ports.websecure.http3` with a key `enabled: true`
+  - Remove `experimental.http3.enabled=true` entry
+
+### Upgrading from 16.x to 17.x
+
+Since v17.x, this chart provides unified labels following
+[Kubernetes recommendation](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
+
+This version needs to change an immutable field, which is not supported by
+Kubernetes and Helm, see [this issue](https://github.com/helm/helm/issues/7350)
+for more details.
+So you will have to delete your `Service`,  `Deployment` or `DaemonSet` in
+order to be able to upgrade.
+
+You may also upgrade by deploying another Traefik to a different namespace and
+removing after your first Traefik.
+
+Alternatively, since version 20.3.0 of this chart, you may set `instanceLabelOverride` to the previous value of that label.
+This will override the new `Release.Name-Release.Namespace` pattern to avoid any (longer) downtime.
+
+## Contributing
+
+If you want to contribute to this chart, please read the [Contributing Guide](./CONTRIBUTING.md).
+
+Thanks to all the people who have already contributed!
+
+<a href="https://github.com/traefik/traefik-helm-chart/graphs/contributors">
+  <img src="https://contributors-img.web.app/image?repo=traefik/traefik-helm-chart" />
+</a>

charts/traefik1/VALUES.md

@@ -0,0 +1,329 @@
+# traefik
+
+![Version: 33.2.1](https://img.shields.io/badge/Version-33.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.2.2](https://img.shields.io/badge/AppVersion-v3.2.2-informational?style=flat-square)
+
+A Traefik based Kubernetes ingress controller
+
+**Homepage:** <https://traefik.io/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| mloiseleur | <michel.loiseleur@traefik.io> |  |
+| charlie-haley | <charlie.haley@traefik.io> |  |
+| darkweaver87 | <remi.buisson@traefik.io> |  |
+| jnoordsij |  |  |
+
+## Source Code
+
+* <https://github.com/traefik/traefik>
+* <https://github.com/traefik/traefik-helm-chart>
+
+## Requirements
+
+Kubernetes: `>=1.22.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` |
+| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
+| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
+| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
+| certificatesResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
+| commonLabels | object | `{}` | Add additional label to all resources |
+| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
+| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
+| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers |
+| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) |
+| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) |
+| deployment.dnsPolicy | string | `""` | Custom pod DNS policy. Apply if `hostNetwork: true` |
+| deployment.enabled | bool | `true` | Enable deployment |
+| deployment.healthchecksHost | string | `""` |  |
+| deployment.healthchecksPort | string | `nil` |  |
+| deployment.healthchecksScheme | string | `nil` |  |
+| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) |
+| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image |
+| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) |
+| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet |
+| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) |
+| deployment.lifecycle | object | `{}` | Pod lifecycle actions |
+| deployment.livenessPath | string | `""` | Override the liveness path. Default: /ping |
+| deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available |
+| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' |
+| deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) |
+| deployment.readinessPath | string | `""` |  |
+| deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) |
+| deployment.revisionHistoryLimit | string | `nil` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) |
+| deployment.runtimeClassName | string | `""` | Set a runtimeClassName on pod |
+| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
+| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down |
+| env | list | See _values.yaml_ | Additional Environment variables to be passed to Traefik's binary |
+| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
+| experimental.abortOnPluginFailure | bool | `false` | Defines whether all plugins must be loaded successfully for Traefik to start |
+| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
+| experimental.plugins | object | `{}` | Enable traefik experimental plugins |
+| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template)  In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
+| gateway.annotations | object | `{}` | Additional gateway annotations (e.g. for cert-manager.io/issuer) |
+| gateway.enabled | bool | `true` | When providers.kubernetesGateway.enabled, deploy a default gateway |
+| gateway.infrastructure | object | `{}` | [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels) |
+| gateway.listeners | object | `{"web":{"hostname":"","namespacePolicy":null,"port":8000,"protocol":"HTTP"}}` | Define listeners |
+| gateway.listeners.web.hostname | string | `""` | Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) |
+| gateway.listeners.web.namespacePolicy | string | `nil` | Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces |
+| gateway.listeners.web.port | int | `8000` | Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section. |
+| gateway.name | string | `""` | Set a custom name to gateway |
+| gateway.namespace | string | `""` | By default, Gateway is created in the same `Namespace` than Traefik. |
+| gatewayClass.enabled | bool | `true` | When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass |
+| gatewayClass.labels | object | `{}` | Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) |
+| gatewayClass.name | string | `""` | Set a custom name to GatewayClass |
+| globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods |
+| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulable pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. |
+| hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
+| hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". |
+| hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. |
+| hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. |
+| hub.redis.database | string | `nil` | Database used to store information. Default: "0". |
+| hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". |
+| hub.redis.password | string | `""` | The password to use when connecting to Redis endpoints. Default: "". |
+| hub.redis.sentinel.masterset | string | `""` | Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". |
+| hub.redis.sentinel.password | string | `""` | Password to use for sentinel authentication (can be different from endpoint password). Default: "". |
+| hub.redis.sentinel.username | string | `""` | Username to use for sentinel authentication (can be different from endpoint username). Default: "". |
+| hub.redis.timeout | string | `""` | Timeout applied on connection with redis. Default: "0s". |
+| hub.redis.tls.ca | string | `""` | Path to the certificate authority used for the secured connection. |
+| hub.redis.tls.cert | string | `""` | Path to the public certificate used for the secure connection. |
+| hub.redis.tls.insecureSkipVerify | bool | `false` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. |
+| hub.redis.tls.key | string | `""` | Path to the private key used for the secure connection. |
+| hub.redis.username | string | `""` | The username to use when connecting to Redis endpoints. Default: "". |
+| hub.sendlogs | string | `nil` |  |
+| hub.token | string | `""` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. |
+| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy |
+| image.registry | string | `"docker.io"` | Traefik image host registry |
+| image.repository | string | `"traefik"` | Traefik image repository |
+| image.tag | string | `nil` | defaults to appVersion |
+| ingressClass | object | `{"enabled":true,"isDefaultClass":true,"name":""}` | Create a default IngressClass for Traefik |
+| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
+| ingressRoute.dashboard.enabled | bool | `false` | Create an IngressRoute for the dashboard |
+| ingressRoute.dashboard.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\ |
+| ingressRoute.dashboard.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
+| ingressRoute.dashboard.matchRule | string | `"PathPrefix(`/dashboard`) || PathPrefix(`/api`)"` | The router match rule used for the dashboard ingressRoute |
+| ingressRoute.dashboard.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
+| ingressRoute.dashboard.services | list | `[{"kind":"TraefikService","name":"api@internal"}]` | The internal service used for the dashboard ingressRoute |
+| ingressRoute.dashboard.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
+| ingressRoute.healthcheck.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
+| ingressRoute.healthcheck.enabled | bool | `false` | Create an IngressRoute for the healthcheck probe |
+| ingressRoute.healthcheck.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. |
+| ingressRoute.healthcheck.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) |
+| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute |
+| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
+| ingressRoute.healthcheck.services | list | `[{"kind":"TraefikService","name":"ping@internal"}]` | The internal service used for the healthcheck ingressRoute |
+| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
+| instanceLabelOverride | string | `""` |  |
+| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. |
+| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
+| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
+| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
+| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
+| logs.access.addInternals | bool | `false` | Enables accessLogs for internal resources. Default: false. |
+| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) |
+| logs.access.enabled | bool | `false` | To enable access logs |
+| logs.access.fields.general.defaultmode | string | `"keep"` | Set default mode for fields.names |
+| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. |
+| logs.access.fields.headers | object | `{"defaultmode":"drop","names":{}}` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) |
+| logs.access.fields.headers.defaultmode | string | `"drop"` | Set default mode for fields.headers |
+| logs.access.filters | object | `{"minduration":"","retryattempts":false,"statuscodes":""}` | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) |
+| logs.access.filters.minduration | string | `""` | Set minDuration, to keep access logs when requests take longer than the specified duration |
+| logs.access.filters.retryattempts | bool | `false` | Set retryAttempts, to keep the access logs when at least one retry has happened |
+| logs.access.filters.statuscodes | string | `""` | Set statusCodes, to limit the access logs to requests with a status codes in the specified range |
+| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) |
+| logs.general.filePath | string | `""` | To write the logs into a log file, use the filePath option. |
+| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) |
+| logs.general.level | string | `"INFO"` | Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC. |
+| logs.general.noColor | bool | `false` | When set to true and format is common, it disables the colorized output. |
+| metrics.addInternals | bool | `false` |  |
+| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true |
+| metrics.otlp.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false |
+| metrics.otlp.addServicesLabels | string | `nil` | Enable metrics on services. Default: true |
+| metrics.otlp.enabled | bool | `false` | Set to true in order to enable the OpenTelemetry metrics |
+| metrics.otlp.explicitBoundaries | list | `[]` | Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] |
+| metrics.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
+| metrics.otlp.grpc.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
+| metrics.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
+| metrics.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
+| metrics.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
+| metrics.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
+| metrics.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
+| metrics.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
+| metrics.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
+| metrics.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
+| metrics.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
+| metrics.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
+| metrics.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
+| metrics.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
+| metrics.otlp.pushInterval | string | `""` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s |
+| metrics.prometheus.addEntryPointsLabels | string | `nil` |  |
+| metrics.prometheus.addRoutersLabels | string | `nil` |  |
+| metrics.prometheus.addServicesLabels | string | `nil` |  |
+| metrics.prometheus.buckets | string | `""` |  |
+| metrics.prometheus.disableAPICheck | string | `nil` | When set to true, it won't check if Prometheus Operator CRDs are deployed |
+| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. |
+| metrics.prometheus.manualRouting | bool | `false` |  |
+| metrics.prometheus.prometheusRule.additionalLabels | object | `{}` |  |
+| metrics.prometheus.prometheusRule.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
+| metrics.prometheus.prometheusRule.namespace | string | `""` |  |
+| metrics.prometheus.service.annotations | object | `{}` |  |
+| metrics.prometheus.service.enabled | bool | `false` | Create a dedicated metrics service to use with ServiceMonitor |
+| metrics.prometheus.service.labels | object | `{}` |  |
+| metrics.prometheus.serviceMonitor.additionalLabels | object | `{}` |  |
+| metrics.prometheus.serviceMonitor.enableHttp2 | bool | `false` |  |
+| metrics.prometheus.serviceMonitor.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. |
+| metrics.prometheus.serviceMonitor.followRedirects | bool | `false` |  |
+| metrics.prometheus.serviceMonitor.honorLabels | bool | `false` |  |
+| metrics.prometheus.serviceMonitor.honorTimestamps | bool | `false` |  |
+| metrics.prometheus.serviceMonitor.interval | string | `""` |  |
+| metrics.prometheus.serviceMonitor.jobLabel | string | `""` |  |
+| metrics.prometheus.serviceMonitor.metricRelabelings | list | `[]` |  |
+| metrics.prometheus.serviceMonitor.namespace | string | `""` |  |
+| metrics.prometheus.serviceMonitor.namespaceSelector | object | `{}` |  |
+| metrics.prometheus.serviceMonitor.relabelings | list | `[]` |  |
+| metrics.prometheus.serviceMonitor.scrapeTimeout | string | `""` |  |
+| namespaceOverride | string | `""` | This field override the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` |
+| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
+| persistence.accessMode | string | `"ReadWriteOnce"` |  |
+| persistence.annotations | object | `{}` |  |
+| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage`  option |
+| persistence.existingClaim | string | `""` |  |
+| persistence.name | string | `"data"` |  |
+| persistence.path | string | `"/data"` |  |
+| persistence.size | string | `"128Mi"` |  |
+| persistence.storageClass | string | `""` |  |
+| persistence.subPath | string | `""` | Only mount a subpath of the Volume into the pod |
+| persistence.volumeName | string | `""` |  |
+| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) |
+| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) |
+| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
+| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
+| ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
+| ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations |
+| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
+| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
+| ports.traefik.exposedPort | int | `8080` | The exposed port for this service |
+| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. |
+| ports.traefik.hostPort | string | `nil` | Use hostPort if set. |
+| ports.traefik.port | int | `8080` |  |
+| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
+| ports.web.expose.default | bool | `true` |  |
+| ports.web.exposedPort | int | `80` |  |
+| ports.web.forwardedHeaders.insecure | bool | `false` |  |
+| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
+| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
+| ports.web.port | int | `8000` |  |
+| ports.web.protocol | string | `"TCP"` |  |
+| ports.web.proxyProtocol.insecure | bool | `false` |  |
+| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
+| ports.web.redirectTo | object | `{}` |  |
+| ports.web.targetPort | string | `nil` |  |
+| ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
+| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) |
+| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) |
+| ports.websecure.containerPort | string | `nil` |  |
+| ports.websecure.expose.default | bool | `true` |  |
+| ports.websecure.exposedPort | int | `443` |  |
+| ports.websecure.forwardedHeaders.insecure | bool | `false` |  |
+| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
+| ports.websecure.hostPort | string | `nil` |  |
+| ports.websecure.http3.advertisedPort | string | `nil` |  |
+| ports.websecure.http3.enabled | bool | `false` |  |
+| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace   - namespace-name1@kubernetescrd   - namespace-name2@kubernetescrd |
+| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
+| ports.websecure.port | int | `8443` |  |
+| ports.websecure.protocol | string | `"TCP"` |  |
+| ports.websecure.proxyProtocol.insecure | bool | `false` |  |
+| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
+| ports.websecure.targetPort | string | `nil` |  |
+| ports.websecure.tls | object | `{"certResolver":"","domains":[],"enabled":true,"options":""}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) |
+| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) |
+| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) |
+| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
+| providers.file.enabled | bool | `false` | Create a file provider |
+| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes |
+| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs |
+| providers.kubernetesCRD.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
+| providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute |
+| providers.kubernetesCRD.enabled | bool | `true` | Load Kubernetes IngressRoute provider |
+| providers.kubernetesCRD.ingressClass | string | `""` | When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. |
+| providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
+| providers.kubernetesCRD.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
+| providers.kubernetesGateway.enabled | bool | `false` | Enable Traefik Gateway provider for Gateway API |
+| providers.kubernetesGateway.experimentalChannel | bool | `false` | Toggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute. |
+| providers.kubernetesGateway.labelselector | string | `""` | A label selector can be defined to filter on specific GatewayClass objects only. |
+| providers.kubernetesGateway.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
+| providers.kubernetesGateway.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
+| providers.kubernetesGateway.statusAddress.hostname | string | `""` | This Hostname will get copied to the Gateway status.addresses. |
+| providers.kubernetesGateway.statusAddress.ip | string | `""` | This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6). |
+| providers.kubernetesGateway.statusAddress.service | object | `{"name":"{{ (include \"traefik.fullname\" .) }}","namespace":"{{ .Release.Namespace }}"}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
+| providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
+| providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
+| providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |
+| providers.kubernetesIngress.ingressClass | string | `nil` | When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. |
+| providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
+| providers.kubernetesIngress.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
+| providers.kubernetesIngress.publishedService.enabled | bool | `true` | Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice) |
+| providers.kubernetesIngress.publishedService.pathOverride | string | `""` | Override path of Kubernetes Service used to copy status from. Format: namespace/servicename. Default to Service deployed with this Chart. |
+| rbac | object | `{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}` | Whether Role Based Access Control objects like roles and rolebindings should be created |
+| readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. |
+| readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
+| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
+| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
+| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
+| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. |
+| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) |
+| service.additionalServices | object | `{}` |  |
+| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
+| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
+| service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |
+| service.enabled | bool | `true` |  |
+| service.externalIPs | list | `[]` |  |
+| service.labels | object | `{}` | Additional service labels (e.g. for filtering Service by custom labels) |
+| service.loadBalancerSourceRanges | list | `[]` |  |
+| service.single | bool | `true` |  |
+| service.spec | object | `{}` | Cannot contain type, selector or ports entries. |
+| service.type | string | `"LoadBalancer"` |  |
+| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API |
+| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) |
+| startupProbe | object | `{}` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) |
+| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. |
+| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. |
+| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. |
+| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. |
+| tracing | object | `{"addInternals":false,"capturedRequestHeaders":[],"capturedResponseHeaders":[],"globalAttributes":{},"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}},"safeQueryParams":[],"sampleRate":null,"serviceName":null}` | https://doc.traefik.io/traefik/observability/tracing/overview/ |
+| tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. |
+| tracing.capturedRequestHeaders | list | `[]` | Defines the list of request headers to add as attributes. It applies to client and server kind spans. |
+| tracing.capturedResponseHeaders | list | `[]` | Defines the list of response headers to add as attributes. It applies to client and server kind spans. |
+| tracing.globalAttributes | object | `{}` | Applies a list of shared key:value attributes on all spans. |
+| tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ |
+| tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC |
+| tracing.otlp.grpc.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
+| tracing.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. |
+| tracing.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
+| tracing.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
+| tracing.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
+| tracing.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
+| tracing.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. |
+| tracing.otlp.http.endpoint | string | `""` | Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics |
+| tracing.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. |
+| tracing.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. |
+| tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. |
+| tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. |
+| tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. |
+| tracing.safeQueryParams | list | `[]` | By default, all query parameters are redacted. Defines the list of query parameters to not redact. |
+| tracing.sampleRate | string | `nil` | The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0. |
+| tracing.serviceName | string | `nil` | Service name used in selected backend. Default: traefik. |
+| updateStrategy.rollingUpdate.maxSurge | int | `1` |  |
+| updateStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
+| updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy of Deployment or DaemonSet |
+| volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/traefik1/crds/hub.traefik.io_accesscontrolpolicies.yaml

@@ -0,0 +1,368 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: accesscontrolpolicies.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: AccessControlPolicy
+    listKind: AccessControlPolicyList
+    plural: accesscontrolpolicies
+    singular: accesscontrolpolicy
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AccessControlPolicy defines an access control policy.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AccessControlPolicySpec configures an access control policy.
+            properties:
+              apiKey:
+                description: AccessControlPolicyAPIKey configure an APIKey control
+                  policy.
+                properties:
+                  forwardHeaders:
+                    additionalProperties:
+                      type: string
+                    description: ForwardHeaders instructs the middleware to forward
+                      key metadata as header values upon successful authentication.
+                    type: object
+                  keySource:
+                    description: KeySource defines how to extract API keys from requests.
+                    properties:
+                      cookie:
+                        description: Cookie is the name of a cookie.
+                        type: string
+                      header:
+                        description: Header is the name of a header.
+                        type: string
+                      headerAuthScheme:
+                        description: |-
+                          HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
+                          If set, this scheme is removed from the token, and all requests not including it are dropped.
+                        type: string
+                      query:
+                        description: Query is the name of a query parameter.
+                        type: string
+                    type: object
+                  keys:
+                    description: Keys define the set of authorized keys to access
+                      a protected resource.
+                    items:
+                      description: AccessControlPolicyAPIKeyKey defines an API key.
+                      properties:
+                        id:
+                          description: ID is the unique identifier of the key.
+                          type: string
+                        metadata:
+                          additionalProperties:
+                            type: string
+                          description: Metadata holds arbitrary metadata for this
+                            key, can be used by ForwardHeaders.
+                          type: object
+                        value:
+                          description: Value is the SHAKE-256 hash (using 64 bytes)
+                            of the API key.
+                          type: string
+                      required:
+                      - id
+                      - value
+                      type: object
+                    type: array
+                required:
+                - keySource
+                type: object
+              basicAuth:
+                description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
+                  configuration.
+                properties:
+                  forwardUsernameHeader:
+                    type: string
+                  realm:
+                    type: string
+                  stripAuthorizationHeader:
+                    type: boolean
+                  users:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              jwt:
+                description: AccessControlPolicyJWT configures a JWT access control
+                  policy.
+                properties:
+                  claims:
+                    type: string
+                  forwardHeaders:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  jwksFile:
+                    type: string
+                  jwksUrl:
+                    type: string
+                  publicKey:
+                    type: string
+                  signingSecret:
+                    type: string
+                  signingSecretBase64Encoded:
+                    type: boolean
+                  stripAuthorizationHeader:
+                    type: boolean
+                  tokenQueryKey:
+                    type: string
+                type: object
+              oAuthIntro:
+                description: AccessControlOAuthIntro configures an OAuth 2.0 Token
+                  Introspection access control policy.
+                properties:
+                  claims:
+                    type: string
+                  clientConfig:
+                    description: AccessControlOAuthIntroClientConfig configures the
+                      OAuth 2.0 client for issuing token introspection requests.
+                    properties:
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers to set when sending requests to the Authorization
+                          Server.
+                        type: object
+                      maxRetries:
+                        default: 3
+                        description: MaxRetries defines the number of retries for
+                          introspection requests.
+                        type: integer
+                      timeoutSeconds:
+                        default: 5
+                        description: TimeoutSeconds configures the maximum amount
+                          of seconds to wait before giving up on requests.
+                        type: integer
+                      tls:
+                        description: TLS configures TLS communication with the Authorization
+                          Server.
+                        properties:
+                          ca:
+                            description: CA sets the CA bundle used to sign the Authorization
+                              Server certificate.
+                            type: string
+                          insecureSkipVerify:
+                            description: |-
+                              InsecureSkipVerify skips the Authorization Server certificate validation.
+                              For testing purposes only, do not use in production.
+                            type: boolean
+                        type: object
+                      tokenTypeHint:
+                        description: |-
+                          TokenTypeHint is a hint to pass to the Authorization Server.
+                          See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
+                        type: string
+                      url:
+                        description: URL of the Authorization Server.
+                        type: string
+                    required:
+                    - url
+                    type: object
+                  forwardHeaders:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  tokenSource:
+                    description: |-
+                      TokenSource describes how to extract tokens from HTTP requests.
+                      If multiple sources are set, the order is the following: header > query > cookie.
+                    properties:
+                      cookie:
+                        description: Cookie is the name of a cookie.
+                        type: string
+                      header:
+                        description: Header is the name of a header.
+                        type: string
+                      headerAuthScheme:
+                        description: |-
+                          HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
+                          If set, this scheme is removed from the token, and all requests not including it are dropped.
+                        type: string
+                      query:
+                        description: Query is the name of a query parameter.
+                        type: string
+                    type: object
+                required:
+                - clientConfig
+                - tokenSource
+                type: object
+              oidc:
+                description: AccessControlPolicyOIDC holds the OIDC authentication
+                  configuration.
+                properties:
+                  authParams:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  claims:
+                    type: string
+                  clientId:
+                    type: string
+                  disableAuthRedirectionPaths:
+                    items:
+                      type: string
+                    type: array
+                  forwardHeaders:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  issuer:
+                    type: string
+                  logoutUrl:
+                    type: string
+                  redirectUrl:
+                    type: string
+                  scopes:
+                    items:
+                      type: string
+                    type: array
+                  secret:
+                    description: |-
+                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                      in any namespace
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  session:
+                    description: Session holds session configuration.
+                    properties:
+                      domain:
+                        type: string
+                      path:
+                        type: string
+                      refresh:
+                        type: boolean
+                      sameSite:
+                        type: string
+                      secure:
+                        type: boolean
+                    type: object
+                  stateCookie:
+                    description: StateCookie holds state cookie configuration.
+                    properties:
+                      domain:
+                        type: string
+                      path:
+                        type: string
+                      sameSite:
+                        type: string
+                      secure:
+                        type: boolean
+                    type: object
+                type: object
+              oidcGoogle:
+                description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
+                  configuration.
+                properties:
+                  authParams:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  clientId:
+                    type: string
+                  emails:
+                    description: Emails are the allowed emails to connect.
+                    items:
+                      type: string
+                    minItems: 1
+                    type: array
+                  forwardHeaders:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  logoutUrl:
+                    type: string
+                  redirectUrl:
+                    type: string
+                  secret:
+                    description: |-
+                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                      in any namespace
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  session:
+                    description: Session holds session configuration.
+                    properties:
+                      domain:
+                        type: string
+                      path:
+                        type: string
+                      refresh:
+                        type: boolean
+                      sameSite:
+                        type: string
+                      secure:
+                        type: boolean
+                    type: object
+                  stateCookie:
+                    description: StateCookie holds state cookie configuration.
+                    properties:
+                      domain:
+                        type: string
+                      path:
+                        type: string
+                      sameSite:
+                        type: string
+                      secure:
+                        type: boolean
+                    type: object
+                type: object
+            type: object
+          status:
+            description: The current status of this access control policy.
+            properties:
+              specHash:
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_aiservices.yaml

@@ -0,0 +1,245 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: aiservices.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: AIService
+    listKind: AIServiceList
+    plural: aiservices
+    singular: aiservice
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AIService is a Kubernetes-like Service to interact with a text-based
+          LLM provider. It defines the parameters and credentials required to interact
+          with various LLM providers.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this AIService.
+            properties:
+              anthropic:
+                description: Anthropic configures Anthropic backend.
+                properties:
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                  token:
+                    type: string
+                required:
+                - token
+                type: object
+              azureOpenai:
+                description: AzureOpenAI configures AzureOpenAI.
+                properties:
+                  apiKey:
+                    type: string
+                  baseUrl:
+                    type: string
+                  deploymentName:
+                    type: string
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                required:
+                - apiKey
+                - baseUrl
+                - deploymentName
+                type: object
+              bedrock:
+                description: Bedrock configures Bedrock backend.
+                properties:
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                  region:
+                    type: string
+                  systemMessage:
+                    type: boolean
+                type: object
+              cohere:
+                description: Cohere configures Cohere backend.
+                properties:
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                  token:
+                    type: string
+                required:
+                - token
+                type: object
+              gemini:
+                description: Gemini configures Gemini backend.
+                properties:
+                  apiKey:
+                    type: string
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                required:
+                - apiKey
+                type: object
+              mistral:
+                description: Mistral configures Mistral AI backend.
+                properties:
+                  apiKey:
+                    type: string
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                required:
+                - apiKey
+                type: object
+              ollama:
+                description: Ollama configures Ollama backend.
+                properties:
+                  baseUrl:
+                    type: string
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                required:
+                - baseUrl
+                type: object
+              openai:
+                description: OpenAI configures OpenAI.
+                properties:
+                  model:
+                    type: string
+                  params:
+                    description: Params holds the LLM hyperparameters.
+                    properties:
+                      frequencyPenalty:
+                        type: number
+                      maxTokens:
+                        type: integer
+                      presencePenalty:
+                        type: number
+                      temperature:
+                        type: number
+                      topP:
+                        type: number
+                    type: object
+                  token:
+                    type: string
+                required:
+                - token
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apiaccesses.yaml

@@ -0,0 +1,190 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apiaccesses.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIAccess
+    listKind: APIAccessList
+    plural: apiaccesses
+    singular: apiaccess
+  scope: Namespaced
+  versions:
+  - deprecated: true
+    deprecationWarning: APIAccess is deprecated in favor of APICatalogItems and ManagedSubscription
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIAccess defines who can access to a set of APIs.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIAccess.
+            properties:
+              apiBundles:
+                description: |-
+                  APIBundles defines a set of APIBundle that will be accessible to the configured audience.
+                  Multiple APIAccesses can select the same APIBundles.
+                items:
+                  description: APIBundleReference references an APIBundle.
+                  properties:
+                    name:
+                      description: Name of the APIBundle.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apiBundles
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              apiPlan:
+                description: APIPlan defines which APIPlan will be used.
+                properties:
+                  name:
+                    description: Name of the APIPlan.
+                    maxLength: 253
+                    type: string
+                required:
+                - name
+                type: object
+              apiSelector:
+                description: |-
+                  APISelector selects the APIs that will be accessible to the configured audience.
+                  Multiple APIAccesses can select the same set of APIs.
+                  This field is optional and follows standard label selector semantics.
+                  An empty APISelector matches any API.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              apis:
+                description: |-
+                  APIs defines a set of APIs that will be accessible to the configured audience.
+                  Multiple APIAccesses can select the same APIs.
+                  When combined with APISelector, this set of APIs is appended to the matching APIs.
+                items:
+                  description: APIReference references an API.
+                  properties:
+                    name:
+                      description: Name of the API.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apis
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              everyone:
+                description: Everyone indicates that all users will have access to
+                  the selected APIs.
+                type: boolean
+              groups:
+                description: Groups are the consumer groups that will gain access
+                  to the selected APIs.
+                items:
+                  type: string
+                type: array
+              operationFilter:
+                description: |-
+                  OperationFilter specifies the allowed operations on APIs and APIVersions.
+                  If not set, all operations are available.
+                  An empty OperationFilter prohibits all operations.
+                properties:
+                  include:
+                    description: Include defines the names of OperationSets that will
+                      be accessible.
+                    items:
+                      type: string
+                    maxItems: 100
+                    type: array
+                type: object
+              weight:
+                description: Weight specifies the evaluation order of the plan.
+                type: integer
+                x-kubernetes-validations:
+                - message: must be a positive number
+                  rule: self >= 0
+            type: object
+            x-kubernetes-validations:
+            - message: groups and everyone are mutually exclusive
+              rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
+                self.groups.size() > 0) : true'
+          status:
+            description: The current status of this APIAccess.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIAccess.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apibundles.yaml

@@ -0,0 +1,125 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apibundles.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIBundle
+    listKind: APIBundleList
+    plural: apibundles
+    singular: apibundle
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIBundle defines a set of APIs.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIBundle.
+            properties:
+              apiSelector:
+                description: |-
+                  APISelector selects the APIs that will be accessible to the configured audience.
+                  Multiple APIBundles can select the same set of APIs.
+                  This field is optional and follows standard label selector semantics.
+                  An empty APISelector matches any API.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              apis:
+                description: |-
+                  APIs defines a set of APIs that will be accessible to the configured audience.
+                  Multiple APIBundles can select the same APIs.
+                  When combined with APISelector, this set of APIs is appended to the matching APIs.
+                items:
+                  description: APIReference references an API.
+                  properties:
+                    name:
+                      description: Name of the API.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apis
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+            type: object
+          status:
+            description: The current status of this APIBundle.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIBundle.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apicatalogitems.yaml

@@ -0,0 +1,184 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apicatalogitems.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APICatalogItem
+    listKind: APICatalogItemList
+    plural: apicatalogitems
+    singular: apicatalogitem
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APICatalogItem defines APIs that will be part of the API catalog
+          on the portal.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APICatalogItem.
+            properties:
+              apiBundles:
+                description: |-
+                  APIBundles defines a set of APIBundle that will be visible to the configured audience.
+                  Multiple APICatalogItem can select the same APIBundles.
+                items:
+                  description: APIBundleReference references an APIBundle.
+                  properties:
+                    name:
+                      description: Name of the APIBundle.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apiBundles
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              apiPlan:
+                description: |-
+                  APIPlan defines which APIPlan will be available.
+                  If multiple APICatalogItem specify the same API with different APIPlan, the API consumer will be able to pick
+                  a plan from this list.
+                properties:
+                  name:
+                    description: Name of the APIPlan.
+                    maxLength: 253
+                    type: string
+                required:
+                - name
+                type: object
+              apiSelector:
+                description: |-
+                  APISelector selects the APIs that will be visible to the configured audience.
+                  Multiple APICatalogItem can select the same set of APIs.
+                  This field is optional and follows standard label selector semantics.
+                  An empty APISelector matches any API.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              apis:
+                description: |-
+                  APIs defines a set of APIs that will be visible to the configured audience.
+                  Multiple APICatalogItem can select the same APIs.
+                  When combined with APISelector, this set of APIs is appended to the matching APIs.
+                items:
+                  description: APIReference references an API.
+                  properties:
+                    name:
+                      description: Name of the API.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apis
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              everyone:
+                description: Everyone indicates that all users will see these APIs.
+                type: boolean
+              groups:
+                description: Groups are the consumer groups that will see the APIs.
+                items:
+                  type: string
+                type: array
+              operationFilter:
+                description: |-
+                  OperationFilter specifies the visible operations on APIs and APIVersions.
+                  If not set, all operations are available.
+                  An empty OperationFilter prohibits all operations.
+                properties:
+                  include:
+                    description: Include defines the names of OperationSets that will
+                      be accessible.
+                    items:
+                      type: string
+                    maxItems: 100
+                    type: array
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: groups and everyone are mutually exclusive
+              rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
+                self.groups.size() > 0) : true'
+          status:
+            description: The current status of this APICatalogItem.
+            properties:
+              hash:
+                description: Hash is a hash representing the APICatalogItem.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apiplans.yaml

@@ -0,0 +1,103 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apiplans.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIPlan
+    listKind: APIPlanList
+    plural: apiplans
+    singular: apiplan
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIPlan defines API Plan policy.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIPlan.
+            properties:
+              description:
+                description: Description describes the plan.
+                type: string
+              quota:
+                description: Quota defines the quota policy.
+                properties:
+                  limit:
+                    description: Limit is the maximum number of token in the bucket.
+                    type: integer
+                    x-kubernetes-validations:
+                    - message: must be a positive number
+                      rule: self >= 0
+                  period:
+                    description: Period is the unit of time for the Limit.
+                    format: duration
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must be between 1s and 9999h
+                      rule: self >= duration('1s') && self <= duration('9999h')
+                required:
+                - limit
+                type: object
+              rateLimit:
+                description: RateLimit defines the rate limit policy.
+                properties:
+                  limit:
+                    description: Limit is the maximum number of token in the bucket.
+                    type: integer
+                    x-kubernetes-validations:
+                    - message: must be a positive number
+                      rule: self >= 0
+                  period:
+                    description: Period is the unit of time for the Limit.
+                    format: duration
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must be between 1s and 1h
+                      rule: self >= duration('1s') && self <= duration('1h')
+                required:
+                - limit
+                type: object
+              title:
+                description: Title is the human-readable name of the plan.
+                type: string
+            required:
+            - title
+            type: object
+          status:
+            description: The current status of this APIPlan.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIPlan.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apiportals.yaml

@@ -0,0 +1,139 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apiportals.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIPortal
+    listKind: APIPortalList
+    plural: apiportals
+    singular: apiportal
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIPortal defines a developer portal for accessing the documentation
+          of APIs.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIPortal.
+            properties:
+              description:
+                description: Description of the APIPortal.
+                type: string
+              title:
+                description: Title is the public facing name of the APIPortal.
+                type: string
+              trustedUrls:
+                description: TrustedURLs are the urls that are trusted by the OAuth
+                  2.0 authorization server.
+                items:
+                  type: string
+                maxItems: 1
+                minItems: 1
+                type: array
+                x-kubernetes-validations:
+                - message: must be a valid URLs
+                  rule: self.all(x, isURL(x))
+              ui:
+                description: UI holds the UI customization options.
+                properties:
+                  logoUrl:
+                    description: LogoURL is the public URL of the logo.
+                    type: string
+                type: object
+            required:
+            - trustedUrls
+            type: object
+          status:
+            description: The current status of this APIPortal.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIPortal.
+                type: string
+              oidc:
+                description: OIDC is the OIDC configuration for accessing the exposed
+                  APIPortal WebUI.
+                properties:
+                  clientId:
+                    description: ClientID is the OIDC ClientID for accessing the exposed
+                      APIPortal WebUI.
+                    type: string
+                  companyClaim:
+                    description: CompanyClaim is the name of the JWT claim containing
+                      the user company.
+                    type: string
+                  emailClaim:
+                    description: EmailClaim is the name of the JWT claim containing
+                      the user email.
+                    type: string
+                  firstnameClaim:
+                    description: FirstnameClaim is the name of the JWT claim containing
+                      the user firstname.
+                    type: string
+                  generic:
+                    description: Generic indicates whether or not the APIPortal authentication
+                      relies on Generic OIDC.
+                    type: boolean
+                  groupsClaim:
+                    description: GroupsClaim is the name of the JWT claim containing
+                      the user groups.
+                    type: string
+                  issuer:
+                    description: Issuer is the OIDC issuer for accessing the exposed
+                      APIPortal WebUI.
+                    type: string
+                  lastnameClaim:
+                    description: LastnameClaim is the name of the JWT claim containing
+                      the user lastname.
+                    type: string
+                  scopes:
+                    description: Scopes is the OIDC scopes for getting user attributes
+                      during the authentication to the exposed APIPortal WebUI.
+                    type: string
+                  secretName:
+                    description: SecretName is the name of the secret containing the
+                      OIDC ClientSecret for accessing the exposed APIPortal WebUI.
+                    type: string
+                  syncedAttributes:
+                    description: SyncedAttributes configure the user attributes to
+                      sync.
+                    items:
+                      type: string
+                    type: array
+                  userIdClaim:
+                    description: UserIDClaim is the name of the JWT claim containing
+                      the user ID.
+                    type: string
+                type: object
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apiratelimits.yaml

@@ -0,0 +1,166 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apiratelimits.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIRateLimit
+    listKind: APIRateLimitList
+    plural: apiratelimits
+    singular: apiratelimit
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIRateLimit defines how group of consumers are rate limited
+          on a set of APIs.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIRateLimit.
+            properties:
+              apiSelector:
+                description: |-
+                  APISelector selects the APIs that will be rate limited.
+                  Multiple APIRateLimits can select the same set of APIs.
+                  This field is optional and follows standard label selector semantics.
+                  An empty APISelector matches any API.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              apis:
+                description: |-
+                  APIs defines a set of APIs that will be rate limited.
+                  Multiple APIRateLimits can select the same APIs.
+                  When combined with APISelector, this set of APIs is appended to the matching APIs.
+                items:
+                  description: APIReference references an API.
+                  properties:
+                    name:
+                      description: Name of the API.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apis
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              everyone:
+                description: |-
+                  Everyone indicates that all users will, by default, be rate limited with this configuration.
+                  If an APIRateLimit explicitly target a group, the default rate limit will be ignored.
+                type: boolean
+              groups:
+                description: |-
+                  Groups are the consumer groups that will be rate limited.
+                  Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies.
+                  When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies.
+                items:
+                  type: string
+                type: array
+              limit:
+                description: Limit is the maximum number of token in the bucket.
+                type: integer
+                x-kubernetes-validations:
+                - message: must be a positive number
+                  rule: self >= 0
+              period:
+                description: Period is the unit of time for the Limit.
+                format: duration
+                type: string
+                x-kubernetes-validations:
+                - message: must be between 1s and 1h
+                  rule: self >= duration('1s') && self <= duration('1h')
+              strategy:
+                description: |-
+                  Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances.
+                  It can be, either "local" or "distributed".
+                enum:
+                - local
+                - distributed
+                type: string
+            required:
+            - limit
+            type: object
+            x-kubernetes-validations:
+            - message: groups and everyone are mutually exclusive
+              rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
+                self.groups.size() > 0) : true'
+          status:
+            description: The current status of this APIRateLimit.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIRateLimit.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apis.yaml

@@ -0,0 +1,190 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apis.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: API
+    listKind: APIList
+    plural: apis
+    singular: api
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          API defines an HTTP interface that is exposed to external clients. It specifies the supported versions
+          and provides instructions for accessing its documentation. Once instantiated, an API object is associated
+          with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: APISpec describes the API.
+            properties:
+              openApiSpec:
+                description: OpenAPISpec defines the API contract as an OpenAPI specification.
+                properties:
+                  operationSets:
+                    description: OperationSets defines the sets of operations to be
+                      referenced for granular filtering in APIAccesses.
+                    items:
+                      description: |-
+                        OperationSet gives a name to a set of matching OpenAPI operations.
+                        This set of operations can then be referenced for granular filtering in APIAccesses.
+                      properties:
+                        matchers:
+                          description: Matchers defines a list of alternative rules
+                            for matching OpenAPI operations.
+                          items:
+                            description: OperationMatcher defines criteria for matching
+                              an OpenAPI operation.
+                            minProperties: 1
+                            properties:
+                              methods:
+                                description: Methods specifies the HTTP methods to
+                                  be included for selection.
+                                items:
+                                  type: string
+                                maxItems: 10
+                                type: array
+                              path:
+                                description: Path specifies the exact path of the
+                                  operations to select.
+                                maxLength: 255
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must start with a '/'
+                                  rule: self.startsWith('/')
+                                - message: cannot contains '../'
+                                  rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                              pathPrefix:
+                                description: PathPrefix specifies the path prefix
+                                  of the operations to select.
+                                maxLength: 255
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must start with a '/'
+                                  rule: self.startsWith('/')
+                                - message: cannot contains '../'
+                                  rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                              pathRegex:
+                                description: PathRegex specifies a regular expression
+                                  pattern for matching operations based on their paths.
+                                type: string
+                            type: object
+                            x-kubernetes-validations:
+                            - message: path, pathPrefix and pathRegex are mutually
+                                exclusive
+                              rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
+                                x).size() <= 1'
+                          maxItems: 100
+                          minItems: 1
+                          type: array
+                        name:
+                          description: Name is the name of the OperationSet to reference
+                            in APIAccesses.
+                          maxLength: 253
+                          type: string
+                      required:
+                      - matchers
+                      - name
+                      type: object
+                    maxItems: 100
+                    type: array
+                  override:
+                    description: Override holds data used to override OpenAPI specification.
+                    properties:
+                      servers:
+                        items:
+                          properties:
+                            url:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid URL
+                                rule: isURL(self)
+                          required:
+                          - url
+                          type: object
+                        maxItems: 100
+                        minItems: 1
+                        type: array
+                    required:
+                    - servers
+                    type: object
+                  path:
+                    description: |-
+                      Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
+                      The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
+                      It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
+                      The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+                    maxLength: 255
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must start with a '/'
+                      rule: self.startsWith('/')
+                    - message: cannot contains '../'
+                      rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                  url:
+                    description: |-
+                      URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
+                      The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must be a valid URL
+                      rule: isURL(self)
+                type: object
+                x-kubernetes-validations:
+                - message: path or url must be defined
+                  rule: has(self.path) || has(self.url)
+              versions:
+                description: Versions are the different APIVersions available.
+                items:
+                  description: APIVersionRef references an APIVersion.
+                  properties:
+                    name:
+                      description: Name of the APIVersion.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                minItems: 1
+                type: array
+            type: object
+          status:
+            description: The current status of this API.
+            properties:
+              hash:
+                description: Hash is a hash representing the API.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/hub.traefik.io_apiversions.yaml

@@ -0,0 +1,194 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: apiversions.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: APIVersion
+    listKind: APIVersionList
+    plural: apiversions
+    singular: apiversion
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.title
+      name: Title
+      type: string
+    - jsonPath: .spec.release
+      name: Release
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIVersion defines a version of an API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this APIVersion.
+            properties:
+              openApiSpec:
+                description: OpenAPISpec defines the API contract as an OpenAPI specification.
+                properties:
+                  operationSets:
+                    description: OperationSets defines the sets of operations to be
+                      referenced for granular filtering in APIAccesses.
+                    items:
+                      description: |-
+                        OperationSet gives a name to a set of matching OpenAPI operations.
+                        This set of operations can then be referenced for granular filtering in APIAccesses.
+                      properties:
+                        matchers:
+                          description: Matchers defines a list of alternative rules
+                            for matching OpenAPI operations.
+                          items:
+                            description: OperationMatcher defines criteria for matching
+                              an OpenAPI operation.
+                            minProperties: 1
+                            properties:
+                              methods:
+                                description: Methods specifies the HTTP methods to
+                                  be included for selection.
+                                items:
+                                  type: string
+                                maxItems: 10
+                                type: array
+                              path:
+                                description: Path specifies the exact path of the
+                                  operations to select.
+                                maxLength: 255
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must start with a '/'
+                                  rule: self.startsWith('/')
+                                - message: cannot contains '../'
+                                  rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                              pathPrefix:
+                                description: PathPrefix specifies the path prefix
+                                  of the operations to select.
+                                maxLength: 255
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must start with a '/'
+                                  rule: self.startsWith('/')
+                                - message: cannot contains '../'
+                                  rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                              pathRegex:
+                                description: PathRegex specifies a regular expression
+                                  pattern for matching operations based on their paths.
+                                type: string
+                            type: object
+                            x-kubernetes-validations:
+                            - message: path, pathPrefix and pathRegex are mutually
+                                exclusive
+                              rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
+                                x).size() <= 1'
+                          maxItems: 100
+                          minItems: 1
+                          type: array
+                        name:
+                          description: Name is the name of the OperationSet to reference
+                            in APIAccesses.
+                          maxLength: 253
+                          type: string
+                      required:
+                      - matchers
+                      - name
+                      type: object
+                    maxItems: 100
+                    type: array
+                  override:
+                    description: Override holds data used to override OpenAPI specification.
+                    properties:
+                      servers:
+                        items:
+                          properties:
+                            url:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid URL
+                                rule: isURL(self)
+                          required:
+                          - url
+                          type: object
+                        maxItems: 100
+                        minItems: 1
+                        type: array
+                    required:
+                    - servers
+                    type: object
+                  path:
+                    description: |-
+                      Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
+                      The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
+                      It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
+                      The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+                    maxLength: 255
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must start with a '/'
+                      rule: self.startsWith('/')
+                    - message: cannot contains '../'
+                      rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+                  url:
+                    description: |-
+                      URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
+                      The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: must be a valid URL
+                      rule: isURL(self)
+                type: object
+                x-kubernetes-validations:
+                - message: path or url must be defined
+                  rule: has(self.path) || has(self.url)
+              release:
+                description: |-
+                  Release is the version number of the API.
+                  This value must follow the SemVer format: https://semver.org/
+                maxLength: 100
+                type: string
+                x-kubernetes-validations:
+                - message: must be a valid semver version
+                  rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""")
+              title:
+                description: Title is the public facing name of the APIVersion.
+                type: string
+            required:
+            - release
+            type: object
+          status:
+            description: The current status of this APIVersion.
+            properties:
+              hash:
+                description: Hash is a hash representing the APIVersion.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}

charts/traefik1/crds/hub.traefik.io_managedsubscriptions.yaml

@@ -0,0 +1,204 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: managedsubscriptions.hub.traefik.io
+spec:
+  group: hub.traefik.io
+  names:
+    kind: ManagedSubscription
+    listKind: ManagedSubscriptionList
+    plural: managedsubscriptions
+    singular: managedsubscription
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ManagedSubscription defines a Subscription managed by the API manager as the result of a pre-negotiation with its
+          API consumers. This subscription grant consuming access to a set of APIs to a set of Applications.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: The desired behavior of this ManagedSubscription.
+            properties:
+              apiBundles:
+                description: |-
+                  APIBundles defines a set of APIBundle that will be accessible.
+                  Multiple ManagedSubscriptions can select the same APIBundles.
+                items:
+                  description: APIBundleReference references an APIBundle.
+                  properties:
+                    name:
+                      description: Name of the APIBundle.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apiBundles
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              apiPlan:
+                description: APIPlan defines which APIPlan will be used.
+                properties:
+                  name:
+                    description: Name of the APIPlan.
+                    maxLength: 253
+                    type: string
+                required:
+                - name
+                type: object
+              apiSelector:
+                description: |-
+                  APISelector selects the APIs that will be accessible.
+                  Multiple ManagedSubscriptions can select the same set of APIs.
+                  This field is optional and follows standard label selector semantics.
+                  An empty APISelector matches any API.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              apis:
+                description: |-
+                  APIs defines a set of APIs that will be accessible.
+                  Multiple ManagedSubscriptions can select the same APIs.
+                  When combined with APISelector, this set of APIs is appended to the matching APIs.
+                items:
+                  description: APIReference references an API.
+                  properties:
+                    name:
+                      description: Name of the API.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 100
+                type: array
+                x-kubernetes-validations:
+                - message: duplicated apis
+                  rule: self.all(x, self.exists_one(y, x.name == y.name))
+              applications:
+                description: |-
+                  Applications references the Applications that will gain access to the specified APIs.
+                  Multiple ManagedSubscriptions can select the same AppID.
+                items:
+                  description: ApplicationReference references an Application.
+                  properties:
+                    appId:
+                      description: |-
+                        AppID is the public identifier of the application.
+                        In the case of OIDC, it corresponds to the clientId.
+                      maxLength: 253
+                      type: string
+                  required:
+                  - appId
+                  type: object
+                maxItems: 100
+                minItems: 1
+                type: array
+              claims:
+                description: Claims specifies an expression that validate claims in
+                  order to authorize the request.
+                type: string
+              operationFilter:
+                description: |-
+                  OperationFilter specifies the allowed operations on APIs and APIVersions.
+                  If not set, all operations are available.
+                  An empty OperationFilter prohibits all operations.
+                properties:
+                  include:
+                    description: Include defines the names of OperationSets that will
+                      be accessible.
+                    items:
+                      type: string
+                    maxItems: 100
+                    type: array
+                type: object
+              weight:
+                description: |-
+                  Weight specifies the evaluation order of the APIPlan.
+                  When multiple ManagedSubscriptions targets the same API and Application with different APIPlan,
+                  the APIPlan with the highest weight will be enforced. If weights are equal, alphabetical order is used.
+                type: integer
+                x-kubernetes-validations:
+                - message: must be a positive number
+                  rule: self >= 0
+            required:
+            - applications
+            type: object
+          status:
+            description: The current status of this ManagedSubscription.
+            properties:
+              hash:
+                description: Hash is a hash representing the ManagedSubscription.
+                type: string
+              syncedAt:
+                format: date-time
+                type: string
+              version:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_ingressroutes.yaml

@@ -0,0 +1,366 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: ingressroutes.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRoute
+    listKind: IngressRouteList
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteSpec defines the desired state of IngressRoute.
+            properties:
+              entryPoints:
+                description: |-
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  Default: all.
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: Route holds the HTTP route configuration.
+                  properties:
+                    kind:
+                      description: |-
+                        Kind defines the kind of the route.
+                        Rule is the only supported kind.
+                      enum:
+                      - Rule
+                      type: string
+                    match:
+                      description: |-
+                        Match defines the router's rule.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                      type: string
+                    middlewares:
+                      description: |-
+                        Middlewares defines the list of references to Middleware resources.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                      items:
+                        description: MiddlewareRef is a reference to a Middleware
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Middleware
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Middleware resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: |-
+                        Priority defines the router's priority.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                      type: integer
+                    services:
+                      description: |-
+                        Services defines the list of Service.
+                        It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
+                      items:
+                        description: Service defines an upstream HTTP service to proxy
+                          traffic to.
+                        properties:
+                          healthCheck:
+                            description: Healthcheck defines health checks for ExternalName
+                              services.
+                            properties:
+                              followRedirects:
+                                description: |-
+                                  FollowRedirects defines whether redirects should be followed during the health check calls.
+                                  Default: true
+                                type: boolean
+                              headers:
+                                additionalProperties:
+                                  type: string
+                                description: Headers defines custom headers to be
+                                  sent to the health check endpoint.
+                                type: object
+                              hostname:
+                                description: Hostname defines the value of hostname
+                                  in the Host header of the health check request.
+                                type: string
+                              interval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Interval defines the frequency of the health check calls.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
+                              method:
+                                description: Method defines the healthcheck method.
+                                type: string
+                              mode:
+                                description: |-
+                                  Mode defines the health check mode.
+                                  If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                  Default: http
+                                type: string
+                              path:
+                                description: Path defines the server URL path for
+                                  the health check endpoint.
+                                type: string
+                              port:
+                                description: Port defines the server URL port for
+                                  the health check endpoint.
+                                type: integer
+                              scheme:
+                                description: Scheme replaces the server URL scheme
+                                  for the health check endpoint.
+                                type: string
+                              status:
+                                description: Status defines the expected HTTP status
+                                  code of the response to the health check request.
+                                type: integer
+                              timeout:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                  Default: 5s
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          kind:
+                            description: Kind defines the kind of the Service.
+                            enum:
+                            - Service
+                            - TraefikService
+                            type: string
+                          name:
+                            description: |-
+                              Name defines the name of the referenced Kubernetes Service or TraefikService.
+                              The differentiation between the two is specified in the Kind field.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service or TraefikService.
+                            type: string
+                          nativeLB:
+                            description: |-
+                              NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the pods.
+                              By default, NativeLB is false.
+                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
+                          passHostHeader:
+                            description: |-
+                              PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                              By default, passHostHeader is true.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          responseForwarding:
+                            description: ResponseForwarding defines how Traefik forwards
+                              the response from the upstream Kubernetes Service to
+                              the client.
+                            properties:
+                              flushInterval:
+                                description: |-
+                                  FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                                  A negative value means to flush immediately after each write to the client.
+                                  This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                                  for such responses, writes are flushed to the client immediately.
+                                  Default: 100ms
+                                type: string
+                            type: object
+                          scheme:
+                            description: |-
+                              Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                              It defaults to https when Kubernetes Service port is 443, http otherwise.
+                            type: string
+                          serversTransport:
+                            description: |-
+                              ServersTransport defines the name of ServersTransport resource to use.
+                              It allows to configure the transport between Traefik and your servers.
+                              Can only be used on a Kubernetes Service.
+                            type: string
+                          sticky:
+                            description: |-
+                              Sticky defines the sticky sessions configuration.
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            properties:
+                              cookie:
+                                description: Cookie defines the sticky cookie configuration.
+                                properties:
+                                  httpOnly:
+                                    description: HTTPOnly defines whether the cookie
+                                      can be accessed by client-side APIs, such as
+                                      JavaScript.
+                                    type: boolean
+                                  maxAge:
+                                    description: |-
+                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      When set to a negative number, the cookie expires immediately.
+                                      When set to zero, the cookie never expires.
+                                    type: integer
+                                  name:
+                                    description: Name defines the Cookie name.
+                                    type: string
+                                  sameSite:
+                                    description: |-
+                                      SameSite defines the same site policy.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                    type: string
+                                  secure:
+                                    description: Secure defines whether the cookie
+                                      can only be transmitted over an encrypted connection
+                                      (i.e. HTTPS).
+                                    type: boolean
+                                type: object
+                            type: object
+                          strategy:
+                            description: |-
+                              Strategy defines the load balancing strategy between the servers.
+                              RoundRobin is the only supported value at the moment.
+                            type: string
+                          weight:
+                            description: |-
+                              Weight defines the weight and should only be specified when Name references a TraefikService object
+                              (and to be precise, one that embeds a Weighted Round Robin).
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    syntax:
+                      description: |-
+                        Syntax defines the router's rule syntax.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                      type: string
+                  required:
+                  - kind
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: |-
+                  TLS defines the TLS configuration.
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                properties:
+                  certResolver:
+                    description: |-
+                      CertResolver defines the name of the certificate resolver to use.
+                      Cert resolvers have to be configured in the static configuration.
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                    type: string
+                  domains:
+                    description: |-
+                      Domains defines the list of domains that will be used to issue certificates.
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: |-
+                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+                      If not defined, the `default` TLSOption is used.
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                    properties:
+                      name:
+                        description: |-
+                          Name defines the name of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                        type: string
+                      namespace:
+                        description: |-
+                          Namespace defines the namespace of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: |-
+                      Store defines the reference to the TLSStore, that will be used to store certificates.
+                      Please note that only `default` TLSStore can be used.
+                    properties:
+                      name:
+                        description: |-
+                          Name defines the name of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                        type: string
+                      namespace:
+                        description: |-
+                          Namespace defines the namespace of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_ingressroutetcps.yaml

@@ -0,0 +1,247 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: ingressroutetcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRouteTCP
+    listKind: IngressRouteTCPList
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
+            properties:
+              entryPoints:
+                description: |-
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  Default: all.
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteTCP holds the TCP route configuration.
+                  properties:
+                    match:
+                      description: |-
+                        Match defines the router's rule.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                      type: string
+                    middlewares:
+                      description: Middlewares defines the list of references to MiddlewareTCP
+                        resources.
+                      items:
+                        description: ObjectReference is a generic reference to a Traefik
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Traefik
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Traefik resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: |-
+                        Priority defines the router's priority.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                      type: integer
+                    services:
+                      description: Services defines the list of TCP services.
+                      items:
+                        description: ServiceTCP defines an upstream TCP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          nativeLB:
+                            description: |-
+                              NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the pods.
+                              By default, NativeLB is false.
+                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          proxyProtocol:
+                            description: |-
+                              ProxyProtocol defines the PROXY protocol configuration.
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                            properties:
+                              version:
+                                description: Version defines the PROXY Protocol version
+                                  to use.
+                                type: integer
+                            type: object
+                          serversTransport:
+                            description: |-
+                              ServersTransport defines the name of ServersTransportTCP resource to use.
+                              It allows to configure the transport between Traefik and your servers.
+                              Can only be used on a Kubernetes Service.
+                            type: string
+                          terminationDelay:
+                            description: |-
+                              TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
+                              it has closed the writing capability of its connection, to close the reading capability as well,
+                              hence fully terminating the connection.
+                              It is a duration in milliseconds, defaulting to 100.
+                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
+                              Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
+                            type: integer
+                          tls:
+                            description: TLS determines whether to use TLS when dialing
+                              with the backend.
+                            type: boolean
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                    syntax:
+                      description: |-
+                        Syntax defines the router's rule syntax.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                      type: string
+                  required:
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: |-
+                  TLS defines the TLS configuration on a layer 4 / TCP Route.
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                properties:
+                  certResolver:
+                    description: |-
+                      CertResolver defines the name of the certificate resolver to use.
+                      Cert resolvers have to be configured in the static configuration.
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                    type: string
+                  domains:
+                    description: |-
+                      Domains defines the list of domains that will be used to issue certificates.
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: |-
+                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+                      If not defined, the `default` TLSOption is used.
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  passthrough:
+                    description: Passthrough defines whether a TLS router will terminate
+                      the TLS connection.
+                    type: boolean
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: |-
+                      Store defines the reference to the TLSStore, that will be used to store certificates.
+                      Please note that only `default` TLSStore can be used.
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_ingressrouteudps.yaml

@@ -0,0 +1,111 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: ingressrouteudps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRouteUDP
+    listKind: IngressRouteUDPList
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
+            properties:
+              entryPoints:
+                description: |-
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  Default: all.
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteUDP holds the UDP route configuration.
+                  properties:
+                    services:
+                      description: Services defines the list of UDP services.
+                      items:
+                        description: ServiceUDP defines an upstream UDP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          nativeLB:
+                            description: |-
+                              NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the pods.
+                              By default, NativeLB is false.
+                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                  type: object
+                type: array
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_middlewaretcps.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: middlewaretcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: MiddlewareTCP
+    listKind: MiddlewareTCPList
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
+            properties:
+              inFlightConn:
+                description: InFlightConn defines the InFlightConn middleware configuration.
+                properties:
+                  amount:
+                    description: |-
+                      Amount defines the maximum amount of allowed simultaneous connections.
+                      The middleware closes the connection if there are already amount connections opened.
+                    format: int64
+                    type: integer
+                type: object
+              ipAllowList:
+                description: |-
+                  IPAllowList defines the IPAllowList middleware configuration.
+                  This middleware accepts/refuses connections based on the client IP.
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                properties:
+                  sourceRange:
+                    description: SourceRange defines the allowed IPs (or ranges of
+                      allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+              ipWhiteList:
+                description: |-
+                  IPWhiteList defines the IPWhiteList middleware configuration.
+                  This middleware accepts/refuses connections based on the client IP.
+                  Deprecated: please use IPAllowList instead.
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                properties:
+                  sourceRange:
+                    description: SourceRange defines the allowed IPs (or ranges of
+                      allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_serverstransports.yaml

@@ -0,0 +1,139 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: serverstransports.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: ServersTransport
+    listKind: ServersTransportList
+    plural: serverstransports
+    singular: serverstransport
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ServersTransport is the CRD implementation of a ServersTransport.
+          If no serversTransport is specified, the default@internal will be used.
+          The default@internal serversTransport is created from the static configuration.
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServersTransportSpec defines the desired state of a ServersTransport.
+            properties:
+              certificatesSecrets:
+                description: CertificatesSecrets defines a list of secret storing
+                  client certificates for mTLS.
+                items:
+                  type: string
+                type: array
+              disableHTTP2:
+                description: DisableHTTP2 disables HTTP/2 for connections with backend
+                  servers.
+                type: boolean
+              forwardingTimeouts:
+                description: ForwardingTimeouts defines the timeouts for requests
+                  forwarded to the backend servers.
+                properties:
+                  dialTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: DialTimeout is the amount of time to wait until a
+                      connection to a backend server can be established.
+                    x-kubernetes-int-or-string: true
+                  idleConnTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: IdleConnTimeout is the maximum period for which an
+                      idle HTTP keep-alive connection will remain open before closing
+                      itself.
+                    x-kubernetes-int-or-string: true
+                  pingTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: PingTimeout is the timeout after which the HTTP/2
+                      connection will be closed if a response to ping is not received.
+                    x-kubernetes-int-or-string: true
+                  readIdleTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ReadIdleTimeout is the timeout after which a health
+                      check using ping frame will be carried out if no frame is received
+                      on the HTTP/2 connection.
+                    x-kubernetes-int-or-string: true
+                  responseHeaderTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ResponseHeaderTimeout is the amount of time to wait
+                      for a server's response headers after fully writing the request
+                      (including its body, if any).
+                    x-kubernetes-int-or-string: true
+                type: object
+              insecureSkipVerify:
+                description: InsecureSkipVerify disables SSL certificate verification.
+                type: boolean
+              maxIdleConnsPerHost:
+                description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+                  to keep per-host.
+                type: integer
+              peerCertURI:
+                description: PeerCertURI defines the peer cert URI used to match against
+                  SAN URI during the peer certificate verification.
+                type: string
+              rootCAsSecrets:
+                description: RootCAsSecrets defines a list of CA secret used to validate
+                  self-signed certificate.
+                items:
+                  type: string
+                type: array
+              serverName:
+                description: ServerName defines the server name used to contact the
+                  server.
+                type: string
+              spiffe:
+                description: Spiffe defines the SPIFFE configuration.
+                properties:
+                  ids:
+                    description: IDs defines the allowed SPIFFE IDs (takes precedence
+                      over the SPIFFE TrustDomain).
+                    items:
+                      type: string
+                    type: array
+                  trustDomain:
+                    description: TrustDomain defines the allowed SPIFFE trust domain.
+                    type: string
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_serverstransporttcps.yaml

@@ -0,0 +1,120 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: serverstransporttcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: ServersTransportTCP
+    listKind: ServersTransportTCPList
+    plural: serverstransporttcps
+    singular: serverstransporttcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+          If no tcpServersTransport is specified, a default one named default@internal will be used.
+          The default@internal tcpServersTransport can be configured in the static configuration.
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
+            properties:
+              dialKeepAlive:
+                anyOf:
+                - type: integer
+                - type: string
+                description: DialKeepAlive is the interval between keep-alive probes
+                  for an active network connection. If zero, keep-alive probes are
+                  sent with a default value (currently 15 seconds), if supported by
+                  the protocol and operating system. Network protocols or operating
+                  systems that do not support keep-alives ignore this field. If negative,
+                  keep-alive probes are disabled.
+                x-kubernetes-int-or-string: true
+              dialTimeout:
+                anyOf:
+                - type: integer
+                - type: string
+                description: DialTimeout is the amount of time to wait until a connection
+                  to a backend server can be established.
+                x-kubernetes-int-or-string: true
+              terminationDelay:
+                anyOf:
+                - type: integer
+                - type: string
+                description: TerminationDelay defines the delay to wait before fully
+                  terminating the connection, after one connected peer has closed
+                  its writing capability.
+                x-kubernetes-int-or-string: true
+              tls:
+                description: TLS defines the TLS configuration
+                properties:
+                  certificatesSecrets:
+                    description: CertificatesSecrets defines a list of secret storing
+                      client certificates for mTLS.
+                    items:
+                      type: string
+                    type: array
+                  insecureSkipVerify:
+                    description: InsecureSkipVerify disables TLS certificate verification.
+                    type: boolean
+                  peerCertURI:
+                    description: |-
+                      MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+                      PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+                    type: string
+                  rootCAsSecrets:
+                    description: RootCAsSecrets defines a list of CA secret used to
+                      validate self-signed certificates.
+                    items:
+                      type: string
+                    type: array
+                  serverName:
+                    description: ServerName defines the server name used to contact
+                      the server.
+                    type: string
+                  spiffe:
+                    description: Spiffe defines the SPIFFE configuration.
+                    properties:
+                      ids:
+                        description: IDs defines the allowed SPIFFE IDs (takes precedence
+                          over the SPIFFE TrustDomain).
+                        items:
+                          type: string
+                        type: array
+                      trustDomain:
+                        description: TrustDomain defines the allowed SPIFFE trust
+                          domain.
+                        type: string
+                    type: object
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_tlsoptions.yaml

@@ -0,0 +1,114 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: tlsoptions.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TLSOption
+    listKind: TLSOptionList
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSOptionSpec defines the desired state of a TLSOption.
+            properties:
+              alpnProtocols:
+                description: |-
+                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                items:
+                  type: string
+                type: array
+              cipherSuites:
+                description: |-
+                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                items:
+                  type: string
+                type: array
+              clientAuth:
+                description: ClientAuth defines the server's policy for TLS Client
+                  Authentication.
+                properties:
+                  clientAuthType:
+                    description: ClientAuthType defines the client authentication
+                      type to apply.
+                    enum:
+                    - NoClientCert
+                    - RequestClientCert
+                    - RequireAnyClientCert
+                    - VerifyClientCertIfGiven
+                    - RequireAndVerifyClientCert
+                    type: string
+                  secretNames:
+                    description: SecretNames defines the names of the referenced Kubernetes
+                      Secret storing certificate details.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              curvePreferences:
+                description: |-
+                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                items:
+                  type: string
+                type: array
+              maxVersion:
+                description: |-
+                  MaxVersion defines the maximum TLS version that Traefik will accept.
+                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+                  Default: None.
+                type: string
+              minVersion:
+                description: |-
+                  MinVersion defines the minimum TLS version that Traefik will accept.
+                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+                  Default: VersionTLS10.
+                type: string
+              preferServerCipherSuites:
+                description: |-
+                  PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
+                  It is enabled automatically when minVersion or maxVersion is set.
+                  Deprecated: https://github.com/golang/go/issues/45430
+                type: boolean
+              sniStrict:
+                description: SniStrict defines whether Traefik allows connections
+                  from clients connections that do not specify a server_name extension.
+                type: boolean
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_tlsstores.yaml

@@ -0,0 +1,97 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: tlsstores.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TLSStore
+    listKind: TLSStoreList
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          TLSStore is the CRD implementation of a Traefik TLS Store.
+          For the time being, only the TLSStore named default is supported.
+          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSStoreSpec defines the desired state of a TLSStore.
+            properties:
+              certificates:
+                description: Certificates is a list of secret names, each secret holding
+                  a key/certificate pair to add to the store.
+                items:
+                  description: Certificate holds a secret name for the TLSStore resource.
+                  properties:
+                    secretName:
+                      description: SecretName is the name of the referenced Kubernetes
+                        Secret to specify the certificate details.
+                      type: string
+                  required:
+                  - secretName
+                  type: object
+                type: array
+              defaultCertificate:
+                description: DefaultCertificate defines the default certificate configuration.
+                properties:
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                required:
+                - secretName
+                type: object
+              defaultGeneratedCert:
+                description: DefaultGeneratedCert defines the default generated certificate
+                  configuration.
+                properties:
+                  domain:
+                    description: Domain is the domain definition for the DefaultCertificate.
+                    properties:
+                      main:
+                        description: Main defines the main domain name.
+                        type: string
+                      sans:
+                        description: SANs defines the subject alternative domain names.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  resolver:
+                    description: Resolver is the name of the resolver that will be
+                      used to issue the DefaultCertificate.
+                    type: string
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/crds/traefik.io_traefikservices.yaml

@@ -0,0 +1,644 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: traefikservices.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TraefikService
+    listKind: TraefikServiceList
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          TraefikService is the CRD implementation of a Traefik Service.
+          TraefikService object allows to:
+          - Apply weight to Services on load-balancing
+          - Mirror traffic on services
+          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TraefikServiceSpec defines the desired state of a TraefikService.
+            properties:
+              mirroring:
+                description: Mirroring defines the Mirroring service configuration.
+                properties:
+                  healthCheck:
+                    description: Healthcheck defines health checks for ExternalName
+                      services.
+                    properties:
+                      followRedirects:
+                        description: |-
+                          FollowRedirects defines whether redirects should be followed during the health check calls.
+                          Default: true
+                        type: boolean
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers defines custom headers to be sent to
+                          the health check endpoint.
+                        type: object
+                      hostname:
+                        description: Hostname defines the value of hostname in the
+                          Host header of the health check request.
+                        type: string
+                      interval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Interval defines the frequency of the health check calls.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
+                      method:
+                        description: Method defines the healthcheck method.
+                        type: string
+                      mode:
+                        description: |-
+                          Mode defines the health check mode.
+                          If defined to grpc, will use the gRPC health check protocol to probe the server.
+                          Default: http
+                        type: string
+                      path:
+                        description: Path defines the server URL path for the health
+                          check endpoint.
+                        type: string
+                      port:
+                        description: Port defines the server URL port for the health
+                          check endpoint.
+                        type: integer
+                      scheme:
+                        description: Scheme replaces the server URL scheme for the
+                          health check endpoint.
+                        type: string
+                      status:
+                        description: Status defines the expected HTTP status code
+                          of the response to the health check request.
+                        type: integer
+                      timeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                          Default: 5s
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  kind:
+                    description: Kind defines the kind of the Service.
+                    enum:
+                    - Service
+                    - TraefikService
+                    type: string
+                  maxBodySize:
+                    description: |-
+                      MaxBodySize defines the maximum size allowed for the body of the request.
+                      If the body is larger, the request is not mirrored.
+                      Default value is -1, which means unlimited size.
+                    format: int64
+                    type: integer
+                  mirrorBody:
+                    description: |-
+                      MirrorBody defines whether the body of the request should be mirrored.
+                      Default value is true.
+                    type: boolean
+                  mirrors:
+                    description: Mirrors defines the list of mirrors where Traefik
+                      will duplicate the traffic.
+                    items:
+                      description: MirrorService holds the mirror configuration.
+                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: |-
+                            Name defines the name of the referenced Kubernetes Service or TraefikService.
+                            The differentiation between the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        nativeLB:
+                          description: |-
+                            NativeLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                            The Kubernetes Service itself does load-balance to the pods.
+                            By default, NativeLB is false.
+                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
+                        passHostHeader:
+                          description: |-
+                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        percent:
+                          description: |-
+                            Percent defines the part of the traffic to mirror.
+                            Supported values: 0 to 100.
+                          type: integer
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: |-
+                            Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: |-
+                                FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                                A negative value means to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                                for such responses, writes are flushed to the client immediately.
+                                Default: 100ms
+                              type: string
+                          type: object
+                        scheme:
+                          description: |-
+                            Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                            It defaults to https when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: |-
+                            ServersTransport defines the name of ServersTransport resource to use.
+                            It allows to configure the transport between Traefik and your servers.
+                            Can only be used on a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: |-
+                            Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                maxAge:
+                                  description: |-
+                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    When set to a negative number, the cookie expires immediately.
+                                    When set to zero, the cookie never expires.
+                                  type: integer
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: |-
+                                    SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: |-
+                            Strategy defines the load balancing strategy between the servers.
+                            RoundRobin is the only supported value at the moment.
+                          type: string
+                        weight:
+                          description: |-
+                            Weight defines the weight and should only be specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  name:
+                    description: |-
+                      Name defines the name of the referenced Kubernetes Service or TraefikService.
+                      The differentiation between the two is specified in the Kind field.
+                    type: string
+                  namespace:
+                    description: Namespace defines the namespace of the referenced
+                      Kubernetes Service or TraefikService.
+                    type: string
+                  nativeLB:
+                    description: |-
+                      NativeLB controls, when creating the load-balancer,
+                      whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                      The Kubernetes Service itself does load-balance to the pods.
+                      By default, NativeLB is false.
+                    type: boolean
+                  nodePortLB:
+                    description: |-
+                      NodePortLB controls, when creating the load-balancer,
+                      whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                      It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                      By default, NodePortLB is false.
+                    type: boolean
+                  passHostHeader:
+                    description: |-
+                      PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                      By default, passHostHeader is true.
+                    type: boolean
+                  port:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: |-
+                      Port defines the port of a Kubernetes Service.
+                      This can be a reference to a named port.
+                    x-kubernetes-int-or-string: true
+                  responseForwarding:
+                    description: ResponseForwarding defines how Traefik forwards the
+                      response from the upstream Kubernetes Service to the client.
+                    properties:
+                      flushInterval:
+                        description: |-
+                          FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                          A negative value means to flush immediately after each write to the client.
+                          This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                          for such responses, writes are flushed to the client immediately.
+                          Default: 100ms
+                        type: string
+                    type: object
+                  scheme:
+                    description: |-
+                      Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                      It defaults to https when Kubernetes Service port is 443, http otherwise.
+                    type: string
+                  serversTransport:
+                    description: |-
+                      ServersTransport defines the name of ServersTransport resource to use.
+                      It allows to configure the transport between Traefik and your servers.
+                      Can only be used on a Kubernetes Service.
+                    type: string
+                  sticky:
+                    description: |-
+                      Sticky defines the sticky sessions configuration.
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          maxAge:
+                            description: |-
+                              MaxAge indicates the number of seconds until the cookie expires.
+                              When set to a negative number, the cookie expires immediately.
+                              When set to zero, the cookie never expires.
+                            type: integer
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: |-
+                              SameSite defines the same site policy.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                  strategy:
+                    description: |-
+                      Strategy defines the load balancing strategy between the servers.
+                      RoundRobin is the only supported value at the moment.
+                    type: string
+                  weight:
+                    description: |-
+                      Weight defines the weight and should only be specified when Name references a TraefikService object
+                      (and to be precise, one that embeds a Weighted Round Robin).
+                    type: integer
+                required:
+                - name
+                type: object
+              weighted:
+                description: Weighted defines the Weighted Round Robin configuration.
+                properties:
+                  services:
+                    description: Services defines the list of Kubernetes Service and/or
+                      TraefikService to load-balance, with weight.
+                    items:
+                      description: Service defines an upstream HTTP service to proxy
+                        traffic to.
+                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: |-
+                            Name defines the name of the referenced Kubernetes Service or TraefikService.
+                            The differentiation between the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        nativeLB:
+                          description: |-
+                            NativeLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                            The Kubernetes Service itself does load-balance to the pods.
+                            By default, NativeLB is false.
+                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
+                        passHostHeader:
+                          description: |-
+                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: |-
+                            Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: |-
+                                FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                                A negative value means to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                                for such responses, writes are flushed to the client immediately.
+                                Default: 100ms
+                              type: string
+                          type: object
+                        scheme:
+                          description: |-
+                            Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                            It defaults to https when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: |-
+                            ServersTransport defines the name of ServersTransport resource to use.
+                            It allows to configure the transport between Traefik and your servers.
+                            Can only be used on a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: |-
+                            Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                maxAge:
+                                  description: |-
+                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    When set to a negative number, the cookie expires immediately.
+                                    When set to zero, the cookie never expires.
+                                  type: integer
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: |-
+                                    SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: |-
+                            Strategy defines the load balancing strategy between the servers.
+                            RoundRobin is the only supported value at the moment.
+                          type: string
+                        weight:
+                          description: |-
+                            Weight defines the weight and should only be specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  sticky:
+                    description: |-
+                      Sticky defines whether sticky sessions are enabled.
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          maxAge:
+                            description: |-
+                              MaxAge indicates the number of seconds until the cookie expires.
+                              When set to a negative number, the cookie expires immediately.
+                              When set to zero, the cookie never expires.
+                            type: integer
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: |-
+                              SameSite defines the same site policy.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true

charts/traefik1/templates/NOTES.txt

@@ -0,0 +1,36 @@
+
+
+{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace !
+
+{{- if .Values.persistence }}
+{{- if and .Values.persistence.enabled (empty .Values.deployment.initContainer)}}
+
+🚨 When enabling persistence for certificates, permissions on acme.json can be
+lost when Traefik restarts. You can ensure correct permissions with an
+initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
+for more info. 🚨
+
+{{- end }}
+{{- end }}
+{{- with .Values.providers.kubernetesCRD.labelSelector }}
+  {{- $labelsApplied := include "traefik.labels" $ }}
+  {{- $labelSelectors := regexSplit "," . -1 }}
+  {{- range $labelSelectors }}
+    {{- $labelSelectorRaw := regexSplit "=" . -1 }}
+    {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }}
+    {{- if not (contains $labelSelector $labelsApplied) }}
+🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider 🚨
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- with .Values.providers.kubernetesIngress.labelSelector }}
+  {{- $labelsApplied := include "traefik.labels" $ }}
+  {{- $labelSelectors := regexSplit "," . -1 }}
+  {{- range $labelSelectors }}
+    {{- $labelSelectorRaw := regexSplit "=" . -1 }}
+    {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }}
+    {{- if not (contains $labelSelector $labelsApplied) }}
+🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider 🚨
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/traefik1/templates/_helpers.tpl

@@ -0,0 +1,192 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "traefik.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "traefik.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the chart image name.
+*/}}
+{{- define "traefik.image-name" -}}
+{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "traefik.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow customization of the instance label value.
+*/}}
+{{- define "traefik.instance-name" -}}
+{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Shared labels used for selector*/}}
+{{/* This is an immutable field: this should not change between upgrade */}}
+{{- define "traefik.labelselector" -}}
+app.kubernetes.io/name: {{ template "traefik.name" . }}
+app.kubernetes.io/instance: {{ template "traefik.instance-name" . }}
+{{- end }}
+
+{{/* Shared labels used in metada */}}
+{{- define "traefik.labels" -}}
+{{ include "traefik.labelselector" . }}
+helm.sh/chart: {{ template "traefik.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Construct the namespace for all namespaced resources
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+Preserve the default behavior of the Release namespace if no override is provided
+*/}}
+{{- define "traefik.namespace" -}}
+{{- if .Values.namespaceOverride -}}
+{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The name of the service account to use
+*/}}
+{{- define "traefik.serviceAccountName" -}}
+{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}}
+{{- end -}}
+
+{{/*
+The name of the ClusterRole and ClusterRoleBinding to use.
+Adds the namespace to name to prevent duplicate resource names when there
+are multiple namespaced releases with the same release name.
+*/}}
+{{- define "traefik.clusterRoleName" -}}
+{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice.
+By convention this will simply use the <namespace>/<service-name> to match the name of the
+service generated.
+Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
+*/}}
+{{- define "providers.kubernetesIngress.publishedServicePath" -}}
+{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}}
+{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
+{{- print $servicePath | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct a comma-separated list of whitelisted namespaces
+*/}}
+{{- define "providers.kubernetesCRD.namespaces" -}}
+{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }}
+{{- end -}}
+{{- define "providers.kubernetesGateway.namespaces" -}}
+{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesGateway.namespaces) }}
+{{- end -}}
+{{- define "providers.kubernetesIngress.namespaces" -}}
+{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }}
+{{- end -}}
+
+{{/*
+Renders a complete tree, even values that contains template.
+*/}}
+{{- define "traefik.render" -}}
+  {{- if typeIs "string" .value }}
+    {{- tpl .value .context }}
+  {{ else }}
+    {{- tpl (.value | toYaml) .context }}
+  {{- end }}
+{{- end -}}
+
+{{- define "imageVersion" -}}
+{{/*
+Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are
+based on semverCompare
+*/}}
+{{- if $.Values.hub.token -}}
+ {{ $hubVersion := "v3.2" }}
+ {{- if regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag) -}}
+    {{- if semverCompare "<v3.3.2-0" $.Values.image.tag -}}
+        {{ $hubVersion = "v3.0" }}
+    {{- else if semverCompare "<v3.7.0-0" $.Values.image.tag -}}
+        {{ $hubVersion = "v3.1" }}
+    {{- end -}}
+ {{- end -}}
+{{ $hubVersion }}
+{{- else -}}
+{{ (split "@" (default $.Chart.AppVersion $.Values.image.tag))._0 | replace "latest-" "" | replace "experimental-" "" }}
+{{- end -}}
+{{- end -}}
+
+{{/* Generate/load self-signed certificate for admission webhooks */}}
+{{- define "traefik-hub.webhook_cert" -}}
+{{- $cert := lookup "v1" "Secret" .Release.Namespace "hub-agent-cert" -}}
+{{- if $cert -}}
+{{/* reusing value of existing cert */}}
+Cert: {{ index $cert.data "tls.crt" }}
+Key: {{ index $cert.data "tls.key" }}
+{{- else -}}
+{{/* generate a new one */}}
+{{- $altNames := list ( printf "admission.%s.svc" .Release.Namespace ) -}}
+{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" .Release.Namespace ) (list) $altNames 3650 -}}
+Cert: {{ $cert.Cert | b64enc }}
+Key: {{ $cert.Key | b64enc }}
+{{- end -}}
+{{- end -}}
+
+{{- define "traefik.yaml2CommandLineArgsRec" -}}
+    {{- $path := .path -}}
+    {{- range $key, $value := .content -}}
+        {{- if kindIs "map" $value }}
+            {{- include "traefik.yaml2CommandLineArgsRec" (dict "path" (printf "%s.%s" $path $key) "content" $value) -}}
+        {{- else }}
+--{{ join "." (list $path $key)}}={{ join "," $value }}
+        {{- end -}}
+    {{- end -}}
+{{- end -}}
+
+{{- define "traefik.yaml2CommandLineArgs" -}}
+    {{- range ((regexSplit "\n" ((include "traefik.yaml2CommandLineArgsRec" (dict "path" .path "content" .content)) | trim) -1) | compact) -}}
+      {{ printf "- \"%s\"\n" . }}
+    {{- end -}}
+{{- end -}}
+
+{{- define "traefik.hasPluginsVolume" -}}
+    {{- $found := false -}}
+    {{- range . -}}
+       {{- if eq .name "plugins" -}}
+           {{ $found = true }}
+       {{- end -}}
+    {{- end -}}
+    {{- $found -}}
+{{- end -}}

charts/traefik1/templates/_podtemplate.tpl

@@ -0,0 +1,887 @@
+{{- define "traefik.podTemplate" }}
+  {{- $version := include "imageVersion" $ }}
+    metadata:
+      annotations:
+      {{- if .Values.deployment.podAnnotations }}
+        {{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.metrics }}
+      {{- if and (.Values.metrics.prometheus) (not (.Values.metrics.prometheus.serviceMonitor).enabled) }}
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/metrics"
+        prometheus.io/port: {{ quote (index .Values.ports .Values.metrics.prometheus.entryPoint).port }}
+      {{- end }}
+      {{- end }}
+      labels:
+      {{- include "traefik.labels" . | nindent 8 -}}
+      {{- with .Values.deployment.podLabels }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.deployment.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "traefik.serviceAccountName" . }}
+      automountServiceAccountToken: true
+      terminationGracePeriodSeconds: {{ default 60 .Values.deployment.terminationGracePeriodSeconds }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- with .Values.deployment.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      {{- with .Values.deployment.dnsConfig }}
+      dnsConfig:
+        {{- if .searches }}
+        searches:
+          {{- toYaml .searches | nindent 10 }}
+        {{- end }}
+        {{- if .nameservers }}
+        nameservers:
+          {{- toYaml .nameservers | nindent 10 }}
+        {{- end }}
+        {{- if .options }}
+        options:
+          {{- toYaml .options | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.deployment.hostAliases }}
+      hostAliases: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.initContainers }}
+      initContainers:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if .Values.deployment.shareProcessNamespace }}
+      shareProcessNamespace: true
+      {{- end }}
+      {{- with .Values.deployment.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
+      containers:
+      - image: {{ template "traefik.image-name" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: {{ template "traefik.fullname" . }}
+        resources:
+          {{- with .Values.resources }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- if (and (empty .Values.ports.traefik) (empty .Values.deployment.healthchecksPort)) }}
+          {{- fail "ERROR: When disabling traefik port, you need to specify `deployment.healthchecksPort`" }}
+        {{- end }}
+        {{- $healthchecksPort := (default (.Values.ports.traefik).port .Values.deployment.healthchecksPort) }}
+        {{- $healthchecksHost := (default (.Values.ports.traefik).hostIP .Values.deployment.healthchecksHost) }}
+        {{- $healthchecksScheme := (default "HTTP" .Values.deployment.healthchecksScheme) }}
+        {{- $readinessPath := (default "/ping" .Values.deployment.readinessPath) }}
+        {{- $livenessPath := (default "/ping" .Values.deployment.livenessPath) }}
+        readinessProbe:
+          httpGet:
+            {{- with $healthchecksHost }}
+            host: {{ . }}
+            {{- end }}
+            path: {{ $readinessPath }}
+            port: {{ $healthchecksPort }}
+            scheme: {{ $healthchecksScheme }}
+          {{- toYaml .Values.readinessProbe | nindent 10 }}
+        livenessProbe:
+          httpGet:
+            {{- with $healthchecksHost }}
+            host: {{ . }}
+            {{- end }}
+            path: {{ $livenessPath }}
+            port: {{ $healthchecksPort }}
+            scheme: {{ $healthchecksScheme }}
+          {{- toYaml .Values.livenessProbe | nindent 10 }}
+        {{- with .Values.startupProbe}}
+        startupProbe:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        lifecycle:
+          {{- with .Values.deployment.lifecycle }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        ports:
+        {{- $hostNetwork := .Values.hostNetwork }}
+        {{- range $name, $config := .Values.ports }}
+         {{- if $config }}
+          {{- if and $hostNetwork (and $config.hostPort $config.port) }}
+            {{- if ne ($config.hostPort | int) ($config.port | int) }}
+              {{- fail "ERROR: All hostPort must match their respective containerPort when `hostNetwork` is enabled" }}
+            {{- end }}
+          {{- end }}
+        - name: {{ $name | quote }}
+          containerPort: {{ default $config.port $config.containerPort }}
+          {{- if $config.hostPort }}
+          hostPort: {{ $config.hostPort }}
+          {{- end }}
+          {{- if $config.hostIP }}
+          hostIP: {{ $config.hostIP }}
+          {{- end }}
+          protocol: {{ default "TCP" $config.protocol | quote }}
+          {{- if ($config.http3).enabled }}
+        - name: "{{ $name }}-http3"
+          containerPort: {{ $config.port }}
+           {{- if $config.hostPort }}
+          hostPort: {{ default $config.hostPort $config.http3.advertisedPort }}
+           {{- end }}
+          protocol: UDP
+          {{- end }}
+         {{- end }}
+        {{- end }}
+        {{- if .Values.hub.token }}
+          {{- $listenAddr := default ":9943" .Values.hub.apimanagement.admission.listenAddr }}
+        - name: admission
+          containerPort: {{ last (mustRegexSplit ":" $listenAddr 2) }}
+          protocol: TCP
+          {{- if .Values.hub.apimanagement.enabled }}
+        - name: apiportal
+          containerPort: 9903
+          protocol: TCP
+          {{- end }}
+        {{- end }}
+        {{- with .Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+          - name: {{ .Values.persistence.name }}
+            mountPath: {{ .Values.persistence.path }}
+            {{- if .Values.persistence.subPath }}
+            subPath: {{ .Values.persistence.subPath }}
+            {{- end }}
+          - name: tmp
+            mountPath: /tmp
+          {{- $root := . }}
+          {{- range .Values.volumes }}
+          - name: {{ tpl (.name) $root | replace "." "-" }}
+            mountPath: {{ .mountPath }}
+            readOnly: true
+          {{- end }}
+          {{- if and (gt (len .Values.experimental.plugins) 0) (ne (include "traefik.hasPluginsVolume" .Values.deployment.additionalVolumes) "true") }}
+          - name: plugins
+            mountPath: "/plugins-storage"
+          {{- end }}
+          {{- if .Values.providers.file.enabled }}
+          - name: traefik-extra-config
+            mountPath: "/etc/traefik/dynamic"
+          {{- end }}
+          {{- if .Values.additionalVolumeMounts }}
+            {{- toYaml .Values.additionalVolumeMounts | nindent 10 }}
+          {{- end }}
+        args:
+          {{- with .Values.globalArguments }}
+          {{- range . }}
+          - {{ . | quote }}
+          {{- end }}
+          {{- end }}
+          {{- range $name, $config := .Values.ports }}
+           {{- if $config }}
+          - "--entryPoints.{{$name}}.address={{ $config.hostIP }}:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}"
+            {{- with $config.asDefault }}
+          - "--entryPoints.{{$name}}.asDefault={{ . }}"
+            {{- end }}
+           {{- end }}
+          {{- end }}
+          - "--api.dashboard=true"
+          - "--ping=true"
+
+          {{- with .Values.core }}
+           {{- with .defaultRuleSyntax }}
+          - "--core.defaultRuleSyntax={{ . }}"
+           {{- end }}
+          {{- end }}
+
+          {{- if .Values.metrics }}
+          {{- if .Values.metrics.addInternals }}
+          - "--metrics.addinternals"
+          {{- end }}
+          {{- with .Values.metrics.datadog }}
+          - "--metrics.datadog=true"
+           {{- with .address }}
+          - "--metrics.datadog.address={{ . }}"
+           {{- end }}
+           {{- with .pushInterval }}
+          - "--metrics.datadog.pushInterval={{ . }}"
+           {{- end }}
+           {{- with .prefix }}
+          - "--metrics.datadog.prefix={{ . }}"
+           {{- end }}
+           {{- if ne .addRoutersLabels nil }}
+            {{- with .addRoutersLabels | toString }}
+          - "--metrics.datadog.addRoutersLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addEntryPointsLabels nil }}
+            {{- with .addEntryPointsLabels | toString }}
+          - "--metrics.datadog.addEntryPointsLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addServicesLabels nil }}
+            {{- with .addServicesLabels | toString }}
+          - "--metrics.datadog.addServicesLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+          {{- end }}
+
+          {{- with .Values.metrics.influxdb2 }}
+          - "--metrics.influxdb2=true"
+          - "--metrics.influxdb2.address={{ .address }}"
+          - "--metrics.influxdb2.token={{ .token }}"
+          - "--metrics.influxdb2.org={{ .org }}"
+          - "--metrics.influxdb2.bucket={{ .bucket }}"
+           {{- with .pushInterval }}
+          - "--metrics.influxdb2.pushInterval={{ . }}"
+           {{- end }}
+           {{- range $name, $value := .additionalLabels }}
+          - "--metrics.influxdb2.additionalLabels.{{ $name }}={{ $value }}"
+           {{- end }}
+           {{- if ne .addRoutersLabels nil }}
+            {{- with .addRoutersLabels | toString }}
+          - "--metrics.influxdb2.addRoutersLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addEntryPointsLabels nil }}
+            {{- with .addEntryPointsLabels | toString }}
+          - "--metrics.influxdb2.addEntryPointsLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addServicesLabels nil }}
+            {{- with .addServicesLabels | toString }}
+          - "--metrics.influxdb2.addServicesLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+          {{- end }}
+          {{- if (.Values.metrics.prometheus) }}
+          - "--metrics.prometheus=true"
+          - "--metrics.prometheus.entrypoint={{ .Values.metrics.prometheus.entryPoint }}"
+          {{- if (eq (.Values.metrics.prometheus.addRoutersLabels | toString) "true") }}
+          - "--metrics.prometheus.addRoutersLabels=true"
+          {{- end }}
+          {{- if ne .Values.metrics.prometheus.addEntryPointsLabels nil }}
+           {{- with .Values.metrics.prometheus.addEntryPointsLabels | toString }}
+          - "--metrics.prometheus.addEntryPointsLabels={{ . }}"
+           {{- end }}
+          {{- end }}
+          {{- if ne .Values.metrics.prometheus.addServicesLabels nil }}
+           {{- with .Values.metrics.prometheus.addServicesLabels| toString }}
+          - "--metrics.prometheus.addServicesLabels={{ . }}"
+           {{- end }}
+          {{- end }}
+          {{- if .Values.metrics.prometheus.buckets }}
+          - "--metrics.prometheus.buckets={{ .Values.metrics.prometheus.buckets }}"
+          {{- end }}
+          {{- if .Values.metrics.prometheus.manualRouting }}
+          - "--metrics.prometheus.manualrouting=true"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.metrics.statsd }}
+          - "--metrics.statsd=true"
+          - "--metrics.statsd.address={{ .address }}"
+           {{- with .pushInterval }}
+          - "--metrics.statsd.pushInterval={{ . }}"
+           {{- end }}
+           {{- with .prefix }}
+          - "--metrics.statsd.prefix={{ . }}"
+           {{- end }}
+           {{- if .addRoutersLabels}}
+          - "--metrics.statsd.addRoutersLabels=true"
+           {{- end }}
+           {{- if ne .addEntryPointsLabels nil }}
+            {{- with .addEntryPointsLabels | toString }}
+          - "--metrics.statsd.addEntryPointsLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addServicesLabels nil }}
+            {{- with .addServicesLabels | toString }}
+          - "--metrics.statsd.addServicesLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+          {{- end }}
+
+          {{- end }}
+
+          {{- with .Values.metrics.otlp }}
+          {{- if .enabled }}
+          - "--metrics.otlp=true"
+           {{- if ne .addEntryPointsLabels nil }}
+            {{- with .addEntryPointsLabels | toString }}
+          - "--metrics.otlp.addEntryPointsLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addRoutersLabels nil }}
+            {{- with .addRoutersLabels | toString }}
+          - "--metrics.otlp.addRoutersLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if ne .addServicesLabels nil }}
+            {{- with .addServicesLabels | toString }}
+          - "--metrics.otlp.addServicesLabels={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- with .explicitBoundaries }}
+          - "--metrics.otlp.explicitBoundaries={{ join "," . }}"
+           {{- end }}
+           {{- with .pushInterval }}
+          - "--metrics.otlp.pushInterval={{ . }}"
+           {{- end }}
+           {{- with .http }}
+            {{- if .enabled }}
+          - "--metrics.otlp.http=true"
+             {{- with .endpoint }}
+          - "--metrics.otlp.http.endpoint={{ . }}"
+             {{- end }}
+             {{- range $name, $value := .headers }}
+          - "--metrics.otlp.http.headers.{{ $name }}={{ $value }}"
+             {{- end }}
+             {{- with .tls }}
+              {{- with .ca }}
+          - "--metrics.otlp.http.tls.ca={{ . }}"
+              {{- end }}
+              {{- with .cert }}
+          - "--metrics.otlp.http.tls.cert={{ . }}"
+              {{- end }}
+              {{- with .key }}
+          - "--metrics.otlp.http.tls.key={{ . }}"
+              {{- end }}
+              {{- with .insecureSkipVerify }}
+          - "--metrics.otlp.http.tls.insecureSkipVerify={{ . }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+           {{- end }}
+           {{- with .grpc }}
+            {{- if .enabled }}
+          - "--metrics.otlp.grpc=true"
+             {{- with .endpoint }}
+          - "--metrics.otlp.grpc.endpoint={{ . }}"
+             {{- end }}
+             {{- with .insecure }}
+          - "--metrics.otlp.grpc.insecure={{ . }}"
+             {{- end }}
+             {{- range $name, $value := .headers }}
+          - "--metrics.otlp.grpc.headers.{{ $name }}={{ $value }}"
+             {{- end }}
+             {{- with .tls }}
+              {{- with .ca }}
+          - "--metrics.otlp.grpc.tls.ca={{ . }}"
+              {{- end }}
+              {{- with .cert }}
+          - "--metrics.otlp.grpc.tls.cert={{ . }}"
+              {{- end }}
+              {{- with .key }}
+          - "--metrics.otlp.grpc.tls.key={{ . }}"
+              {{- end }}
+              {{- with .insecureSkipVerify }}
+          - "--metrics.otlp.grpc.tls.insecureSkipVerify={{ . }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+           {{- end }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.tracing.addInternals }}
+          - "--tracing.addinternals"
+          {{- end }}
+
+          {{- with .Values.tracing }}
+            {{- with .sampleRate }}
+          - "--tracing.sampleRate={{ . }}"
+            {{- end }}
+
+            {{- with .serviceName }}
+          - "--tracing.serviceName={{ . }}"
+            {{- end }}
+
+            {{- range $name, $value := .globalAttributes }}
+          - "--tracing.globalAttributes.{{ $name }}={{ $value }}"
+            {{- end }}
+
+            {{- range $index, $value := .capturedRequestHeaders }}
+          - "--tracing.capturedRequestHeaders[{{ $index }}]={{ $value }}"
+            {{- end }}
+
+            {{- range $index, $value := .capturedResponseHeaders }}
+          - "--tracing.capturedResponseHeaders[{{ $index }}]={{ $value }}"
+            {{- end }}
+
+            {{- if .safeQueryParams }}
+          - "--tracing.safeQueryParams={{- .safeQueryParams | join "," -}}"
+            {{- end }}
+
+          {{- end }}
+
+          {{- with .Values.tracing.otlp }}
+          {{- if .enabled }}
+          - "--tracing.otlp=true"
+           {{- with .http }}
+            {{- if .enabled }}
+          - "--tracing.otlp.http=true"
+             {{- with .endpoint }}
+          - "--tracing.otlp.http.endpoint={{ . }}"
+             {{- end }}
+             {{- range $name, $value := .headers }}
+          - "--tracing.otlp.http.headers.{{ $name }}={{ $value }}"
+             {{- end }}
+             {{- with .tls }}
+              {{- with .ca }}
+          - "--tracing.otlp.http.tls.ca={{ . }}"
+              {{- end }}
+              {{- with .cert }}
+          - "--tracing.otlp.http.tls.cert={{ . }}"
+              {{- end }}
+              {{- with .key }}
+          - "--tracing.otlp.http.tls.key={{ . }}"
+              {{- end }}
+              {{- with .insecureSkipVerify }}
+          - "--tracing.otlp.http.tls.insecureSkipVerify={{ . }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+           {{- end }}
+           {{- with .grpc }}
+            {{- if .enabled }}
+          - "--tracing.otlp.grpc=true"
+             {{- with .endpoint }}
+          - "--tracing.otlp.grpc.endpoint={{ . }}"
+             {{- end }}
+             {{- with .insecure }}
+          - "--tracing.otlp.grpc.insecure={{ . }}"
+             {{- end }}
+             {{- range $name, $value := .headers }}
+          - "--tracing.otlp.grpc.headers.{{ $name }}={{ $value }}"
+             {{- end }}
+             {{- with .tls }}
+              {{- with .ca }}
+          - "--tracing.otlp.grpc.tls.ca={{ . }}"
+              {{- end }}
+              {{- with .cert }}
+          - "--tracing.otlp.grpc.tls.cert={{ . }}"
+              {{- end }}
+              {{- with .key }}
+          - "--tracing.otlp.grpc.tls.key={{ . }}"
+              {{- end }}
+              {{- with .insecureSkipVerify }}
+          - "--tracing.otlp.grpc.tls.insecureSkipVerify={{ . }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+           {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- range $pluginName, $plugin := .Values.experimental.plugins }}
+          {{- if or (ne (typeOf $plugin) "map[string]interface {}") (not (hasKey $plugin "moduleName")) (not (hasKey $plugin "version")) }}
+            {{- fail  (printf "ERROR: plugin %s is missing moduleName/version keys !" $pluginName) }}
+          {{- end }}
+          - "--experimental.plugins.{{ $pluginName }}.moduleName={{ $plugin.moduleName }}"
+          - "--experimental.plugins.{{ $pluginName }}.version={{ $plugin.version }}"
+          {{- end }}
+          {{- if and (semverCompare ">=v3.3.0-0" $version) (.Values.experimental.abortOnPluginFailure)}}
+          - "--experimental.abortonpluginfailure={{ .Values.experimental.abortOnPluginFailure }}"
+          {{- end }}
+          {{- if .Values.providers.kubernetesCRD.enabled }}
+          - "--providers.kubernetescrd"
+           {{- if .Values.providers.kubernetesCRD.labelSelector }}
+          - "--providers.kubernetescrd.labelSelector={{ .Values.providers.kubernetesCRD.labelSelector }}"
+           {{- end }}
+           {{- if .Values.providers.kubernetesCRD.ingressClass }}
+          - "--providers.kubernetescrd.ingressClass={{ .Values.providers.kubernetesCRD.ingressClass }}"
+           {{- end }}
+           {{- if .Values.providers.kubernetesCRD.allowCrossNamespace }}
+          - "--providers.kubernetescrd.allowCrossNamespace=true"
+           {{- end }}
+           {{- if .Values.providers.kubernetesCRD.allowExternalNameServices }}
+          - "--providers.kubernetescrd.allowExternalNameServices=true"
+           {{- end }}
+           {{- if ne .Values.providers.kubernetesCRD.allowEmptyServices nil }}
+            {{- with .Values.providers.kubernetesCRD.allowEmptyServices | toString }}
+          - "--providers.kubernetescrd.allowEmptyServices={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if and .Values.rbac.namespaced (semverCompare ">=v3.1.2-0" $version) }}
+          - "--providers.kubernetescrd.disableClusterScopeResources=true"
+           {{- end }}
+           {{- if .Values.providers.kubernetesCRD.nativeLBByDefault }}
+          - "--providers.kubernetescrd.nativeLBByDefault=true"
+           {{- end }}
+          {{- end }}
+          {{- if .Values.providers.kubernetesIngress.enabled }}
+          - "--providers.kubernetesingress"
+           {{- if .Values.providers.kubernetesIngress.allowExternalNameServices }}
+          - "--providers.kubernetesingress.allowExternalNameServices=true"
+           {{- end }}
+           {{- if ne .Values.providers.kubernetesIngress.allowEmptyServices nil }}
+            {{- with .Values.providers.kubernetesIngress.allowEmptyServices | toString }}
+          - "--providers.kubernetesingress.allowEmptyServices={{ . }}"
+            {{- end }}
+           {{- end }}
+           {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }}
+          - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}"
+           {{- end }}
+           {{- if .Values.providers.kubernetesIngress.labelSelector }}
+          - "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}"
+           {{- end }}
+           {{- if .Values.providers.kubernetesIngress.ingressClass }}
+          - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}"
+           {{- end }}
+           {{- if .Values.rbac.namespaced }}
+            {{- if semverCompare "<v3.1.5-0" $version }}
+          - "--providers.kubernetesingress.disableIngressClassLookup=true"
+              {{- if semverCompare ">=v3.1.2-0" $version }}
+          - "--providers.kubernetesingress.disableClusterScopeResources=true"
+              {{- end }}
+            {{- else }}
+          - "--providers.kubernetesingress.disableClusterScopeResources=true"
+            {{- end }}
+           {{- end }}
+           {{- if .Values.providers.kubernetesIngress.nativeLBByDefault }}
+          - "--providers.kubernetesingress.nativeLBByDefault=true"
+           {{- end }}
+          {{- end }}
+          {{- if .Values.experimental.kubernetesGateway.enabled }}
+          - "--experimental.kubernetesgateway"
+          {{- end }}
+          {{- with .Values.providers.kubernetesCRD }}
+          {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }}
+          - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" $ }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.providers.kubernetesGateway }}
+           {{- if .enabled }}
+          - "--providers.kubernetesgateway"
+            {{- with .statusAddress }}
+             {{- with .ip }}
+          - "--providers.kubernetesgateway.statusaddress.ip={{ . }}"
+             {{- end }}
+             {{- with .hostname }}
+          - "--providers.kubernetesgateway.statusaddress.hostname={{ . }}"
+             {{- end }}
+             {{- with .service }}
+          - "--providers.kubernetesgateway.statusaddress.service.name={{ tpl .name $ }}"
+          - "--providers.kubernetesgateway.statusaddress.service.namespace={{ tpl .namespace $ }}"
+             {{- end }}
+            {{- end }}
+            {{- if .nativeLBByDefault }}
+          - "--providers.kubernetesgateway.nativeLBByDefault=true"
+            {{- end }}
+            {{- if or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced) }}
+          - "--providers.kubernetesgateway.namespaces={{ template "providers.kubernetesGateway.namespaces" $ }}"
+            {{- end }}
+            {{- if .experimentalChannel }}
+          - "--providers.kubernetesgateway.experimentalchannel=true"
+            {{- end }}
+            {{- with .labelselector }}
+          - "--providers.kubernetesgateway.labelselector={{ . }}"
+            {{- end }}
+           {{- end }}
+          {{- end }}
+          {{- with .Values.providers.kubernetesIngress }}
+          {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }}
+          - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" $ }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.providers.file }}
+          {{- if .enabled }}
+          - "--providers.file.directory=/etc/traefik/dynamic"
+          {{- if .watch }}
+          - "--providers.file.watch=true"
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- range $entrypoint, $config := $.Values.ports }}
+          {{- if $config }}
+            {{- if $config.redirectTo }}
+             {{- $toPort := index $.Values.ports $config.redirectTo.port }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}"
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
+             {{- if $config.redirectTo.priority }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ $config.redirectTo.priority }}"
+             {{- end }}
+             {{- if $config.redirectTo.permanent }}
+          - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent=true"
+             {{- end }}
+            {{- end }}
+            {{- if $config.middlewares }}
+          - "--entryPoints.{{ $entrypoint }}.http.middlewares={{ join "," $config.middlewares }}"
+            {{- end }}
+            {{- if $config.tls }}
+              {{- if $config.tls.enabled }}
+          - "--entryPoints.{{ $entrypoint }}.http.tls=true"
+                {{- if $config.tls.options }}
+          - "--entryPoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}"
+                {{- end }}
+                {{- if $config.tls.certResolver }}
+          - "--entryPoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}"
+                {{- end }}
+                {{- if $config.tls.domains }}
+                  {{- range $index, $domain := $config.tls.domains }}
+                    {{- if $domain.main }}
+          - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}"
+                    {{- end }}
+                    {{- if $domain.sans }}
+          - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}"
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+                {{- if $config.http3 }}
+                  {{- if $config.http3.enabled }}
+          - "--entryPoints.{{ $entrypoint }}.http3"
+                    {{- if $config.http3.advertisedPort }}
+          - "--entryPoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}"
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+            {{- end }}
+            {{- if $config.allowACMEByPass }}
+              {{- if (semverCompare "<v3.1.3-0" $version) }}
+                {{- fail "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+" -}}
+              {{- end }}
+          - "--entryPoints.{{ $entrypoint }}.allowACMEByPass=true"
+            {{- end }}
+            {{- if $config.forwardedHeaders }}
+              {{- if $config.forwardedHeaders.trustedIPs }}
+          - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}"
+              {{- end }}
+              {{- if $config.forwardedHeaders.insecure }}
+          - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.insecure"
+              {{- end }}
+            {{- end }}
+            {{- if $config.proxyProtocol }}
+              {{- if $config.proxyProtocol.trustedIPs }}
+          - "--entryPoints.{{ $entrypoint }}.proxyProtocol.trustedIPs={{ join "," $config.proxyProtocol.trustedIPs }}"
+              {{- end }}
+              {{- if $config.proxyProtocol.insecure }}
+          - "--entryPoints.{{ $entrypoint }}.proxyProtocol.insecure"
+              {{- end }}
+            {{- end }}
+            {{- with $config.transport }}
+              {{- with .respondingTimeouts }}
+                {{- if and (ne .readTimeout nil) (toString .readTimeout) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.readTimeout={{ .readTimeout }}"
+                {{- end }}
+                {{- if and (ne .writeTimeout nil) (toString .writeTimeout) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.writeTimeout={{ .writeTimeout }}"
+                {{- end }}
+                {{- if and (ne .idleTimeout nil) (toString .idleTimeout) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.idleTimeout={{ .idleTimeout }}"
+                {{- end }}
+              {{- end }}
+              {{- with .lifeCycle }}
+                {{- if and (ne .requestAcceptGraceTimeout nil) (toString .requestAcceptGraceTimeout) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.requestAcceptGraceTimeout={{ .requestAcceptGraceTimeout }}"
+                {{- end }}
+                {{- if and (ne .graceTimeOut nil) (toString .graceTimeOut) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.graceTimeOut={{ .graceTimeOut }}"
+                {{- end }}
+              {{- end }}
+              {{- if and (ne .keepAliveMaxRequests nil) (toString .keepAliveMaxRequests) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxRequests={{ .keepAliveMaxRequests }}"
+              {{- end }}
+              {{- if and (ne .keepAliveMaxTime nil) (toString .keepAliveMaxTime) }}
+          - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxTime={{ .keepAliveMaxTime }}"
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.logs }}
+            {{- if and .general.format (not (has .general.format (list "common" "json"))) }}
+              {{- fail "ERROR: .Values.logs.general.format must be either common or json"  }}
+            {{- end }}
+            {{- with .general.format }}
+          - "--log.format={{ . }}"
+            {{- end }}
+            {{- with .general.filePath }}
+          - "--log.filePath={{ . }}"
+            {{- end }}
+            {{- if and (or (eq .general.format "common") (not .general.format)) (eq .general.noColor true) }}
+          - "--log.noColor={{ .general.noColor }}"
+            {{- end }}
+            {{- with .general.level }}
+          - "--log.level={{ . | upper }}"
+            {{- end }}
+            {{- if .access.enabled }}
+          - "--accesslog=true"
+              {{- with .access.format }}
+          - "--accesslog.format={{ . }}"
+              {{- end }}
+              {{- with .access.filePath }}
+          - "--accesslog.filepath={{ . }}"
+              {{- end }}
+              {{- if .access.addInternals }}
+          - "--accesslog.addinternals"
+              {{- end }}
+              {{- with .access.bufferingSize }}
+          - "--accesslog.bufferingsize={{ . }}"
+              {{- end }}
+              {{- with .access.filters }}
+                {{- with .statuscodes }}
+          - "--accesslog.filters.statuscodes={{ . }}"
+                {{- end }}
+                {{- if .retryattempts }}
+          - "--accesslog.filters.retryattempts"
+                {{- end }}
+                {{- with .minduration }}
+          - "--accesslog.filters.minduration={{ . }}"
+                {{- end }}
+              {{- end }}
+          - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}"
+              {{- range $fieldname, $fieldaction := .access.fields.general.names }}
+          - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}"
+              {{- end }}
+          - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}"
+              {{- range $fieldname, $fieldaction := .access.fields.headers.names }}
+          - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}"
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- include "traefik.yaml2CommandLineArgs" (dict "path" "certificatesresolvers" "content" $.Values.certificatesResolvers) | nindent 10 }}
+          {{- with .Values.additionalArguments }}
+          {{- range . }}
+          - {{ . | quote }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.hub }}
+           {{- if .token }}
+          - "--hub.token=$(HUB_TOKEN)"
+            {{- if and (not .apimanagement.enabled) ($.Values.hub.apimanagement.admission.listenAddr) }}
+               {{- fail "ERROR: Cannot configure admission without enabling hub.apimanagement" }}
+            {{- end }}
+            {{- with .apimanagement }}
+             {{- if .enabled }}
+              {{- $listenAddr := default ":9943" .admission.listenAddr }}
+          - "--hub.apimanagement"
+          - "--hub.apimanagement.admission.listenAddr={{ $listenAddr }}"
+              {{- with .admission.secretName }}
+          - "--hub.apimanagement.admission.secretName={{ . }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+            {{- with .platformUrl }}
+          - "--hub.platformUrl={{ . }}"
+            {{- end -}}
+            {{- range $field, $value := .redis }}
+             {{- if has $field (list "cluster" "database" "endpoints" "username" "password" "timeout") -}}
+              {{- with $value }}
+          - "--hub.redis.{{ $field }}={{ $value }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+            {{- range $field, $value := .redis.sentinel }}
+             {{- if has $field (list "masterset" "password" "username") -}}
+              {{- with $value }}
+          - "--hub.redis.sentinel.{{ $field }}={{ $value }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+            {{- range $field, $value := .redis.tls }}
+             {{- if has $field (list "ca" "cert" "insecureSkipVerify" "key") -}}
+              {{- with $value }}
+          - "--hub.redis.tls.{{ $field }}={{ $value }}"
+              {{- end }}
+             {{- end }}
+            {{- end }}
+            {{- with .sendlogs }}
+          - "--hub.sendlogs={{ . }}"
+            {{- end }}
+          {{- end }}
+         {{- end }}
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- if ($.Values.resources.limits).cpu }}
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: '1'
+          {{- end }}
+          {{- if ($.Values.resources.limits).memory }}
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: '1'
+          {{- end }}
+          {{- with .Values.hub.token }}
+          - name: HUB_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ . }}
+                key: token
+          {{- end }}
+        {{- with .Values.env }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.envFrom }}
+        envFrom:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- if .Values.deployment.additionalContainers }}
+        {{- toYaml .Values.deployment.additionalContainers | nindent 6 }}
+      {{- end }}
+      volumes:
+        - name: {{ .Values.persistence.name }}
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        - name: tmp
+          emptyDir: {}
+        {{- $root := . }}
+        {{- range .Values.volumes }}
+        - name: {{ tpl (.name) $root | replace "." "-" }}
+          {{- if eq .type "secret" }}
+          secret:
+            secretName: {{ tpl (.name) $root }}
+          {{- else if eq .type "configMap" }}
+          configMap:
+            name: {{ tpl (.name) $root }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.deployment.additionalVolumes }}
+          {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }}
+        {{- end }}
+        {{- if and (gt (len .Values.experimental.plugins) 0) (ne (include "traefik.hasPluginsVolume" .Values.deployment.additionalVolumes) "true") }}
+        - name: plugins
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.providers.file.enabled }}
+        - name: traefik-extra-config
+          configMap:
+            name: {{ template "traefik.fullname" . }}-file-provider
+        {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+        {{- tpl (toYaml .Values.affinity) . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.topologySpreadConstraints }}
+      {{- if (semverCompare "<v1.19.0-0" .Capabilities.KubeVersion.Version) }}
+        {{- fail "ERROR: topologySpreadConstraints are supported only on kubernetes >= v1.19" -}}
+      {{- end }}
+      topologySpreadConstraints:
+        {{- tpl (toYaml .Values.topologySpreadConstraints) . | nindent 8 }}
+      {{- end }}
+{{ end -}}

charts/traefik1/templates/_service-metrics.tpl

@@ -0,0 +1,25 @@
+{{- define "traefik.metrics-service-metadata" }}
+  labels:
+  {{- include "traefik.metricsservicelabels" . | nindent 4 -}}
+  {{- with .Values.metrics.prometheus.service.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/* Labels used for metrics-relevant selector*/}}
+{{/* This is an immutable field: this should not change between upgrade */}}
+{{- define "traefik.metricslabelselector" -}}
+{{- include "traefik.labelselector" . }}
+app.kubernetes.io/component: metrics
+{{- end }}
+
+{{/* Shared labels used in metadata of metrics-service and servicemonitor */}}
+{{- define "traefik.metricsservicelabels" -}}
+{{ include "traefik.metricslabelselector" . }}
+helm.sh/chart: {{ template "traefik.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+

charts/traefik1/templates/_service.tpl

@@ -0,0 +1,84 @@
+{{- define "traefik.service-name" -}}
+{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}}
+{{- if eq .name "default" -}}
+{{- $fullname = include "traefik.fullname" .root -}}
+{{- end -}}
+
+{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60
+  {{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}}
+{{- end -}}
+
+{{- $fullname -}}
+{{- end -}}
+
+{{- define "traefik.service-metadata" }}
+  labels:
+  {{- include "traefik.labels" .root | nindent 4 -}}
+  {{- with .service.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{- define "traefik.service-spec" -}}
+  {{- $type := default "LoadBalancer" .service.type }}
+  type: {{ $type }}
+  {{- with .service.loadBalancerClass }}
+  loadBalancerClass: {{ . }}
+  {{- end}}
+  {{- with .service.spec }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  selector:
+    {{- include "traefik.labelselector" .root | nindent 4 }}
+  {{- if eq $type "LoadBalancer" }}
+  {{- with .service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- toYaml . | nindent 2 }}
+  {{- end -}}
+  {{- end -}}
+  {{- with .service.externalIPs }}
+  externalIPs:
+  {{- toYaml . | nindent 2 }}
+  {{- end -}}
+  {{- with .service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ . }}
+  {{- end }}
+  {{- with .service.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 2 }}
+  {{- end -}}
+{{- end }}
+
+{{- define "traefik.service-ports" }}
+ {{- range $name, $config := .ports }}
+  {{- if (index (default dict $config.expose) $.serviceName) }}
+  {{- $port := default $config.port $config.exposedPort }}
+  {{- if empty $port }}
+    {{- fail (print "ERROR: Cannot create " (trim $name) " port on Service without .port or .exposedPort") }}
+  {{- end }}
+  - port: {{ $port }}
+    name: {{ $name | quote }}
+    targetPort: {{ default $name $config.targetPort }}
+    protocol: {{ default "TCP" $config.protocol }}
+    {{- if $config.nodePort }}
+    nodePort: {{ $config.nodePort }}
+    {{- end }}
+    {{- if $config.appProtocol }}
+    appProtocol: {{ $config.appProtocol }}
+    {{- end }}
+  {{- if and ($config.http3).enabled ($config.single) }}
+  {{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }}
+  - port: {{ $http3Port }}
+    name: "{{ $name }}-http3"
+    targetPort: "{{ $name }}-http3"
+    protocol: UDP
+    {{- if $config.nodePort }}
+    nodePort: {{ $config.nodePort }}
+    {{- end }}
+    {{- if $config.appProtocol }}
+    appProtocol: {{ $config.appProtocol }}
+    {{- end }}
+   {{- end }}
+  {{- end }}
+ {{- end }}
+{{- end }}

charts/traefik1/templates/daemonset.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}}
+  {{- with .Values.additionalArguments -}}
+    {{- range . -}}
+      {{- if contains ".acme." . -}}
+        {{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
+    {{- fail "\n\n ERROR: latest tag should not be used" }}
+  {{- end }}
+  {{- with .Values.updateStrategy }}
+    {{- if and (eq (.type) "RollingUpdate") (.rollingUpdate) }}
+      {{- if not (contains "%" (toString .rollingUpdate.maxUnavailable)) }}
+        {{- if and ($.Values.hostNetwork) (lt (float64 .rollingUpdate.maxUnavailable) 1.0) }}
+          {{- fail "maxUnavailable should be greater than 1 when using hostNetwork." }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+  {{- with .Values.deployment.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  annotations:
+  {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
+    checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
+  {{- end }}
+  {{- with .Values.deployment.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "traefik.labelselector" . | nindent 6 }}
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    type: {{ .type }}
+    {{- if (eq .type "RollingUpdate") }}
+    rollingUpdate:
+      maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
+      maxSurge: {{ .rollingUpdate.maxSurge }}
+    {{- end }}
+  {{- end }}
+  minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+  {{- if .Values.deployment.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  {{- end }}
+  template: {{ template "traefik.podTemplate" . }}
+{{- end -}}

charts/traefik1/templates/deployment.yaml

@@ -0,0 +1,58 @@
+{{/* check helm version */}}
+{{- if (semverCompare "<v3.9.0" (.Capabilities.HelmVersion.Version | default "v3.0.0")) -}}
+    {{- fail "ERROR: Helm >= 3.9.0 is required" -}}
+{{- end -}}
+
+{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}}
+  {{- if gt (int .Values.deployment.replicas) 1 -}}
+    {{- with .Values.additionalArguments -}}
+      {{- range . -}}
+        {{- if contains ".acme." . -}}
+          {{- fail (printf "You can not enable acme if you set more than one traefik replica") -}}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }}
+    {{- fail "\n\n ERROR: latest tag should not be used" }}
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+  {{- with .Values.deployment.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  annotations:
+  {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }}
+    checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }}
+  {{- end }}
+  {{- with .Values.deployment.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ default 1 .Values.deployment.replicas }}
+  {{- end }}
+  {{- if .Values.deployment.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "traefik.labelselector" . | nindent 6 }}
+  {{- with .Values.updateStrategy }}
+  strategy:
+    type: {{ .type }}
+    {{- if (eq .type "RollingUpdate") }}
+    rollingUpdate:
+      maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
+      maxSurge: {{ .rollingUpdate.maxSurge }}
+    {{- end }}
+  {{- end }}
+  minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+  template: {{ template "traefik.podTemplate" . }}
+{{- end -}}

charts/traefik1/templates/extra-objects.yaml

@@ -0,0 +1,4 @@
+{{- range .Values.extraObjects }}
+---
+{{ include "traefik.render" (dict "value" . "context" $) }}
+{{- end }}

charts/traefik1/templates/gateway.yaml

@@ -0,0 +1,62 @@
+{{- if and (.Values.gateway).enabled (.Values.providers.kubernetesGateway).enabled }}
+  {{- if not .Values.gateway.listeners }}
+    {{- fail "ERROR: gateway must have at least one listener or should be disabled" }}
+  {{- end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ default "traefik-gateway" .Values.gateway.name }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+  {{- with .Values.gateway.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  gatewayClassName: {{ default "traefik" .Values.gatewayClass.name }}
+  {{- with .Values.gateway.infrastructure }}
+  infrastructure:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+  listeners:
+    {{- range $name, $config := .Values.gateway.listeners }}
+    - name: {{ $name }}
+      {{ if not .port }}
+        {{- fail "ERROR: port needs to be specified" }}
+      {{- end -}}
+      {{ $found := false }}
+      {{- range $portName, $portConfig := $.Values.ports -}}
+        {{- if eq $portConfig.port $config.port -}}
+          {{ $found = true }}
+        {{- end -}}
+      {{- end -}}
+      {{ if not $found }}
+        {{- fail (printf "ERROR: port %0.f is not declared in ports" .port ) }}
+      {{- end -}}
+      port: {{ .port }}
+      protocol: {{ .protocol }}
+      {{- with .hostname }}
+      hostname: {{ . | toYaml }}
+      {{- end }}
+      {{- with .namespacePolicy }}
+      allowedRoutes:
+        namespaces:
+          from: {{ . }}
+      {{- end }}
+      {{ if and (eq .protocol  "HTTPS") (not .certificateRefs) }}
+        {{- fail "ERROR: certificateRefs needs to be specified using HTTPS" }}
+      {{- end }}
+      {{ if or .certificateRefs .mode }}
+      tls:
+        {{ with .mode }}
+        mode: {{ . }}
+        {{- end }}
+        {{ with .certificateRefs }}
+        certificateRefs:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}

charts/traefik1/templates/gatewayclass.yaml

@@ -0,0 +1,14 @@
+{{- if and (.Values.gatewayClass).enabled (.Values.providers.kubernetesGateway).enabled }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: {{ default "traefik" .Values.gatewayClass.name }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- with .Values.gatewayClass.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  controllerName: traefik.io/gateway-controller
+{{- end }}

charts/traefik1/templates/hpa.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.autoscaling.enabled }}
+
+{{- if not .Values.autoscaling.maxReplicas }}
+  {{- fail "ERROR: maxReplicas is required on HPA" }}
+{{- end }}
+
+{{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "traefik.fullname" . }}
+{{- if .Values.autoscaling.minReplicas }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+{{- end }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+{{- if .Values.autoscaling.metrics }}
+  metrics:
+{{ toYaml .Values.autoscaling.metrics | indent 4 }}
+{{- end }}
+{{- if .Values.autoscaling.behavior }}
+  behavior:
+{{ toYaml .Values.autoscaling.behavior | indent 4 }}
+{{- end }}
+{{- end }}

charts/traefik1/templates/hub-admission-controller.yaml

@@ -0,0 +1,240 @@
+{{- if .Values.hub.token -}}
+{{- if .Values.hub.apimanagement.enabled }}
+{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: hub-agent-cert
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ $cert.Cert }}
+  tls.key: {{ $cert.Key  }}
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: hub-acp
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+webhooks:
+  - name: admission.traefik.svc
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /acp
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - accesscontrolpolicies
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: hub-api
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+webhooks:
+  - name: hub-agent.traefik.portal
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-portal
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apiportals
+  - name: hub-agent.traefik.api
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apis
+  - name: hub-agent.traefik.access
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-access
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apiaccesses
+  - name: hub-agent.traefik.catalog-item
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-catalog-item
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apicatalogitems
+  - name: hub-agent.traefik.managed-subscription
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /managed-subscription
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - managedsubscriptions
+  - name: hub-agent.traefik.plan
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-plan
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apiplans
+  - name: hub-agent.traefik.bundle
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-bundle
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apibundles
+  - name: hub-agent.traefik.version
+    clientConfig:
+      service:
+        name: admission
+        namespace: {{ template "traefik.namespace" . }}
+        path: /api-version
+      caBundle: {{ $cert.Cert }}
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - hub.traefik.io
+        apiVersions:
+          - v1alpha1
+        resources:
+          - apiversions
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: admission
+  selector:
+  {{- include "traefik.labelselector" . | nindent 4 }}
+{{- end -}}
+{{- end -}}

charts/traefik1/templates/hub-apiportal.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.hub.apimanagement.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: apiportal
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  ports:
+    - name: apiportal
+      port: 9903
+      protocol: TCP
+      targetPort: apiportal
+  selector:
+  {{- include "traefik.labelselector" . | nindent 4 }}
+{{- end -}}
+

charts/traefik1/templates/ingressclass.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.ingressClass.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+  name: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }}
+spec:
+  controller: traefik.io/ingress-controller
+{{- end -}}

charts/traefik1/templates/ingressroute.yaml

@@ -0,0 +1,43 @@
+{{ range $name, $config := .Values.ingressRoute }}
+{{ if $config.enabled }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ $.Release.Name }}-{{ $name }}
+  namespace: {{ template "traefik.namespace" $ }}
+  annotations:
+    {{- if and $.Values.ingressClass.enabled $.Values.providers.kubernetesCRD.enabled $.Values.providers.kubernetesCRD.ingressClass }}
+    kubernetes.io/ingress.class: {{ $.Values.providers.kubernetesCRD.ingressClass }}
+    {{- end }}
+    {{- with $config.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+    {{- with $config.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  entryPoints:
+  {{- range $config.entryPoints }}
+  - {{ . }}
+  {{- end }}
+  routes:
+  - match: {{ $config.matchRule }}
+    kind: Rule
+    {{- with $config.services }}
+    services:
+      {{- toYaml . | nindent 6 }}
+    {{- end -}}
+    {{- with $config.middlewares }}
+    middlewares:
+      {{- toYaml . | nindent 6 }}
+    {{- end -}}
+
+  {{- with $config.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{ end }}

charts/traefik1/templates/poddisruptionbudget.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.podDisruptionBudget.enabled -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "traefik.labelselector" . | nindent 6 }}
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}

charts/traefik1/templates/prometheusrules.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.metrics.prometheus }}
+{{- if (.Values.metrics.prometheus.prometheusRule).enabled }}
+  {{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
+    {{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
+      {{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
+    {{- end }}
+  {{- end }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.metrics.prometheus.prometheusRule.rules }}
+  groups:
+  - name: {{ template "traefik.name" $ }}
+    rules:
+    {{- with .Values.metrics.prometheus.prometheusRule.rules }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/traefik1/templates/provider-file-cm.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.providers.file.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "traefik.fullname" . }}-file-provider
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+  {{- include "traefik.labels" . | nindent 4 }}
+data:
+  config.yml:
+    {{ toYaml .Values.providers.file.content | nindent 4 }}
+{{- end -}}

charts/traefik1/templates/pvc.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  annotations:
+  {{- with .Values.persistence.annotations  }}
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+    helm.sh/resource-policy: keep
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  {{- if .Values.persistence.volumeName }}
+  volumeName: {{ .Values.persistence.volumeName | quote }}
+  {{- end }}
+{{- end -}}

charts/traefik1/templates/rbac/clusterrole.yaml

@@ -0,0 +1,276 @@
+{{- $version := include "imageVersion" $ }}
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- range .Values.rbac.aggregateTo }}
+    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
+    {{- end }}
+rules:
+  {{- if semverCompare ">=v3.1.0-0" $version }}
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+    {{- if $.Values.hub.token }}
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+    {{- end }}
+  {{- else }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  {{- end }}
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    {{- with .Values.rbac.secretResourceNames }}
+    resourceNames: {{ toYaml . | nindent 6 }}
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+    {{- if and .Values.hub.token }}
+      - update
+      - create
+      - delete
+      - deletecollection
+    {{- end }}
+  {{- if .Values.podSecurityPolicy.enabled }}
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ template "traefik.fullname" . }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+  {{- end -}}
+  {{- if .Values.providers.kubernetesIngress.enabled }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  {{- end -}}
+  {{- if .Values.providers.kubernetesCRD.enabled }}
+   {{- if not .Values.providers.kubernetesIngress.enabled }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+   {{- end }}
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - serverstransports
+      - serverstransporttcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end -}}
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    {{- if (semverCompare "<v3.1.0-0" $version) }}
+      - endpoints
+    {{- end }}
+      - secrets
+      - services
+    {{- if semverCompare ">=v3.2.0-0" $version }}
+      - configmaps
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      {{- end }}
+      - gatewayclasses
+      - gateways
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes
+      {{- end }}
+      - httproutes
+      - referencegrants
+      - tcproutes
+      - tlsroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies/status
+      {{- end }}
+      - gatewayclasses/status
+      - gateways/status
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes/status
+      {{- end }}
+      - httproutes/status
+      - tcproutes/status
+      - tlsroutes/status
+    verbs:
+      - update
+  {{- end }}
+  {{- if .Values.hub.token }}
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  {{- end }}
+  {{- if .Values.hub.token }}
+    {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - list
+      - watch
+    {{- end }}
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    {{- if .Values.hub.apimanagement.enabled }}
+      - pods
+    {{- end }}
+    verbs:
+      - get
+      - list
+    {{- if .Values.hub.apimanagement.enabled }}
+      - watch
+    {{- end }}
+    {{- if .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - hub.traefik.io
+    resources:
+      - accesscontrolpolicies
+      - apiaccesses
+      - apiportals
+      - apiratelimits
+      - apis
+      - apiversions
+      - apibundles
+      - apiplans
+      - apicatalogitems
+      - managedsubscriptions
+      - aiservices
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+      - list
+      - watch
+      {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+      {{- end -}}
+    {{- end -}}
+  {{- end }}
+{{- end }}

charts/traefik1/templates/rbac/clusterrolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "traefik.clusterRoleName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "traefik.serviceAccountName" . }}
+    namespace: {{ template "traefik.namespace" . }}
+{{- end -}}

charts/traefik1/templates/rbac/podsecuritypolicy.yaml

@@ -0,0 +1,68 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+{{- if semverCompare ">=v1.25.0-0" .Capabilities.KubeVersion.Version }}
+  {{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }}
+{{- end }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  name: {{ template "traefik.fullname" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+{{- if not .Values.securityContext.runAsNonRoot }}
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+{{- end }}
+  hostNetwork: {{ .Values.hostNetwork }}
+  hostIPC: false
+  hostPID: false
+  fsGroup:
+{{- if .Values.securityContext.runAsNonRoot }}
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+{{- if .Values.hostNetwork }}
+  hostPorts:
+  - max: 65535
+    min: 1
+{{- end }}
+  readOnlyRootFilesystem: true
+  runAsUser:
+{{- if .Values.securityContext.runAsNonRoot }}
+    rule: MustRunAsNonRoot
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+{{- if .Values.securityContext.runAsNonRoot }}
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+  volumes:
+  - configMap
+  - downwardAPI
+  - secret
+  - emptyDir
+  - projected
+{{- if .Values.persistence.enabled }}
+  - persistentVolumeClaim
+{{- end -}}
+{{- end -}}

charts/traefik1/templates/rbac/role.yaml

@@ -0,0 +1,143 @@
+{{- $version := include "imageVersion" $ }}
+{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
+{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
+{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}
+
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
+{{- range $allNamespaces }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" $ }}
+  namespace: {{ . }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+rules:
+  {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  {{- else }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  {{- end }}
+  # Required while https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    {{- if gt (len $.Values.rbac.secretResourceNames) 0 }}
+    resourceNames: {{ $.Values.rbac.secretResourceNames }}
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+{{- end -}}
+{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+      - serverstransports
+      - serverstransporttcps
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}
+{{- if $.Values.podSecurityPolicy.enabled }}
+  - apiGroups:
+      - extensions
+    resourceNames:
+      - {{ template "traefik.fullname" $ }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+{{- end -}}
+{{- if $.Values.hub.token }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - namespaces
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+{{- end }}
+{{- end -}}
+{{- end -}}

charts/traefik1/templates/rbac/rolebinding.yaml

@@ -0,0 +1,25 @@
+{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
+{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
+{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}}
+{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces)) -}}
+
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+{{- range $allNamespaces }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" $ }}
+  namespace: {{ . }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "traefik.fullname" $ }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "traefik.serviceAccountName" $ }}
+    namespace: {{ template "traefik.namespace" $ }}
+{{- end -}}
+{{- end -}}

charts/traefik1/templates/rbac/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if not .Values.serviceAccount.name -}}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "traefik.serviceAccountName" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.serviceAccountAnnotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: false
+{{- end -}}

charts/traefik1/templates/requirements.yaml

@@ -0,0 +1,45 @@
+{{- $version := include "imageVersion" $ }}
+{{- if (ne $version "experimental-v3.0") }}
+  {{- if (semverCompare "<v3.0.0-0" $version) }}
+    {{- fail "ERROR: This version of the Chart only supports Traefik Proxy v3" -}}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.certResolvers }}
+  {{- fail "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog." }}
+{{- end }}
+
+{{- if and .Values.hub.enabled (not (contains "traefik-hub" .Values.image.repository)) }}
+  {{- fail "ERROR: traefik-hub image is required when enabling Traefik Hub" -}}
+{{- end }}
+
+{{- if and (.Values.providers.kubernetesGateway).enabled (and (semverCompare "<v3.1.0-rc3" $version) (not .Values.experimental.kubernetesGateway.enabled)) }}
+  {{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
+{{- end }}
+
+{{- if .Values.hub.token }}
+  {{- if and .Values.hub.apimanagement.enabled (and .Values.rbac.enabled .Values.rbac.namespaced) }}
+    {{- fail "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" -}}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.rbac.namespaced }}
+  {{- if .Values.providers.kubernetesGateway.enabled }}
+    {{- fail "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." }}
+  {{- end }}
+  {{- if and (not .Values.providers.kubernetesIngress.enabled) (not .Values.providers.kubernetesCRD.enabled) }}
+    {{- fail "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider." }}
+  {{- end }}
+{{- end }}
+
+{{- if and (semverCompare "<v3.3.0-0" $version) (.Values.experimental.abortOnPluginFailure)}}
+  {{- fail "ERROR: abortOnPluginFailure is an experimental feature only available for traefik >= v3.3.0." }}
+{{- end }}
+
+{{- if and (semverCompare "<3.2.0-0" $version) (.Values.providers.kubernetesGateway.nativeLBByDefault)}}
+  {{- fail "ERROR: nativeLBByDefault has been introduced in Kubernetes Gateway provider in v3.2.0" }}
+{{- end }}
+
+{{- if and (semverCompare "<v3.1.0-0" $version) .Values.tracing.safeQueryParams }}
+  {{ fail "ERROR: safeQueryParams is a feature only available for traefik >= v3.1.0."}}
+{{- end }}

charts/traefik1/templates/service-metrics.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.metrics.prometheus }}
+{{- if .Values.metrics.prometheus.service }}
+{{- if (.Values.metrics.prometheus.service).enabled -}}
+
+{{- $fullname := include "traefik.fullname" . }}
+{{- if ge (len $fullname) 50 }}
+  {{- fail "ERROR: Cannot create a metrics service when name contains more than 50 characters" }}
+{{- end }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "traefik.service-name" (dict "root" . "name" "metrics") }}
+  namespace: {{ template "traefik.namespace" . }}
+  {{- template "traefik.metrics-service-metadata" . }}
+  annotations:
+  {{- with .Values.metrics.prometheus.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  selector:
+    {{- include "traefik.labelselector" . | nindent 4 }}
+  ports:
+  - port: {{ .Values.ports.metrics.port }}
+    name: "metrics"
+    targetPort: metrics
+    protocol: TCP
+    {{- if .Values.ports.metrics.nodePort }}
+    nodePort: {{ .Values.ports.metrics.nodePort }}
+    {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/traefik1/templates/service.yaml

@@ -0,0 +1,86 @@
+{{- $services := .Values.service.additionalServices -}}
+{{- $services = set $services "default" (omit .Values.service "additionalServices") }}
+
+{{- range $name, $service := $services -}}
+{{- if ne $service.enabled false -}}
+
+{{- $fullname := include "traefik.service-name" (dict "root" $ "name" $name) }}
+
+{{- $tcpPorts := dict -}}
+{{- $udpPorts := dict -}}
+{{- $exposedPorts := false -}}
+{{- range $portName, $config := $.Values.ports -}}
+  {{- if $config -}}
+    {{- if ($config.http3).enabled -}}
+      {{- if (not $config.tls.enabled) -}}
+        {{- fail "ERROR: You cannot enable http3 without enabling tls" -}}
+      {{- end -}}
+      {{ $udpConfig := deepCopy $config -}}
+      {{ $_ := set $udpConfig "protocol" "UDP" -}}
+      {{ $_ := set $udpConfig "exposedPort" (default $config.exposedPort $config.http3.advertisedPort) -}}
+      {{- if (not $service.single) }}
+        {{ $_ := set $udpPorts (printf "%s-http3" $portName) $udpConfig -}}
+      {{- else }}
+        {{ $_ := set $tcpPorts (printf "%s-http3" $portName) $udpConfig -}}
+      {{- end }}
+    {{- end -}}
+    {{- if eq (toString $config.protocol) "UDP" -}}
+      {{ $_ := set $udpPorts $portName $config -}}
+    {{- end -}}
+    {{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}}
+      {{ $_ := set $tcpPorts $portName $config -}}
+    {{- end -}}
+    {{- if (index (default dict $config.expose) $name) -}}
+      {{- $exposedPorts = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if (eq $exposedPorts false) -}}
+  {{- fail (printf "ERROR: Cannot create Service %s without ports" $fullname) -}}
+{{- end -}}
+
+{{- if and $exposedPorts (or $tcpPorts $service.single) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullname }}
+  namespace: {{ template "traefik.namespace" $ }}
+  {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
+  annotations:
+  {{- with (merge dict (default dict $service.annotationsTCP) (default dict $service.annotations)) }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
+  ports:
+  {{- template "traefik.service-ports" (dict "ports" $tcpPorts "serviceName" $name) }}
+{{- if $service.single }}
+  {{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
+{{- end }}
+{{- end }}
+
+{{- if and $exposedPorts (and $udpPorts (not $service.single)) }}
+ {{- $ports := include "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
+ {{- if not (empty $ports) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullname }}-udp
+  namespace: {{ template "traefik.namespace" $ }}
+  {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
+  annotations:
+  {{- with (merge dict (default dict $service.annotationsUDP) (default dict $service.annotations)) }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
+  ports:
+  {{- $ports }}
+ {{- end }}
+{{- end }}
+
+{{- end -}}
+{{- end -}}

charts/traefik1/templates/servicemonitor.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.metrics.prometheus }}
+{{- if (.Values.metrics.prometheus.serviceMonitor).enabled }}
+  {{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
+    {{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
+      {{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
+    {{- end }}
+  {{- end }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "traefik.fullname" . }}
+  namespace: {{ .Values.metrics.prometheus.serviceMonitor.namespace | default (include "traefik.namespace" .) }}
+  labels:
+    {{- if (.Values.metrics.prometheus.service).enabled }}
+    {{- include "traefik.metricsservicelabels" . | nindent 4 }}
+    {{- else }}
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.metrics.prometheus.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  jobLabel: {{ .Values.metrics.prometheus.serviceMonitor.jobLabel | default .Release.Name }}
+  endpoints:
+    - targetPort: metrics
+      path: /{{ .Values.metrics.prometheus.entryPoint }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.honorLabels }}
+      honorLabels: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.honorTimestamps }}
+      honorTimestamps: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.enableHttp2 }}
+      enableHttp2: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.followRedirects }}
+      followRedirects: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.prometheus.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+{{- if .Values.metrics.prometheus.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+{{ tpl (toYaml .Values.metrics.prometheus.serviceMonitor.metricRelabelings | indent 6) . }}
+{{- end }}
+{{- if .Values.metrics.prometheus.serviceMonitor.relabelings }}
+      relabelings:
+{{ toYaml .Values.metrics.prometheus.serviceMonitor.relabelings | indent 6 }}
+{{- end }}
+  {{- if .Values.metrics.prometheus.serviceMonitor.namespaceSelector }}
+  namespaceSelector:
+{{ toYaml .Values.metrics.prometheus.serviceMonitor.namespaceSelector | indent 4 -}}
+  {{ else }}
+  namespaceSelector:
+    matchNames:
+      - {{ template "traefik.namespace" . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- if (.Values.metrics.prometheus.service).enabled }}
+      {{- include "traefik.metricslabelselector" . | nindent 6 }}
+      {{- else }}
+      {{- include "traefik.labelselector" . | nindent 6 }}
+      {{- end }}
+{{- end }}
+{{- end }}

charts/traefik1/templates/tlsoption.yaml

@@ -0,0 +1,39 @@
+{{- range $name, $config := .Values.tlsOptions }}
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: {{ $name }}
+  namespace: {{ template "traefik.namespace" $ }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+    {{- with $config.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $config.alpnProtocols }}
+  alpnProtocols:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.cipherSuites }}
+  cipherSuites:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.clientAuth }}
+  clientAuth:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.curvePreferences }}
+  curvePreferences:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.maxVersion }}
+  maxVersion: {{ . }}
+  {{- end }}
+  {{- with $config.minVersion }}
+  minVersion: {{ . }}
+  {{- end }}
+  {{- with $config.sniStrict }}
+  sniStrict: {{ . }}
+  {{- end }}
+---
+{{- end -}}

charts/traefik1/templates/tlsstore.yaml

@@ -0,0 +1,12 @@
+{{- range $name, $config := .Values.tlsStore }}
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: {{ $name }}
+  namespace: {{ template "traefik.namespace" $ }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+spec:
+  {{- toYaml $config | nindent 2 }}
+---
+{{- end -}}

charts/traefik1/values.yaml

@@ -0,0 +1,445 @@
+additionalArguments:
+- --entrypoints.web.forwardedHeaders.trustedIPs=0.0.0.0/0
+- --entrypoints.websecure.forwardedHeaders.trustedIPs=0.0.0.0/0
+- --entrypoints.ssh.address=:22
+- --providers.kubernetescrd.allowCrossNamespace=true
+- --log.level=INFO
+additionalVolumeMounts: []
+affinity: {}
+autoscaling:
+  enabled: false
+certificatesResolvers:
+  le:
+    acme:
+      email: sager@alaskar.dev
+      httpChallenge:
+        entryPoint: web
+      storage: /data/acme.json
+commonLabels: {}
+core:
+  defaultRuleSyntax: ''
+deployment:
+  additionalContainers: []
+  additionalVolumes: []
+  annotations: {}
+  dnsConfig: {}
+  dnsPolicy: ''
+  enabled: true
+  healthchecksHost: ''
+  healthchecksPort: null
+  healthchecksScheme: null
+  hostAliases: []
+  imagePullSecrets: []
+  initContainers: []
+  kind: Deployment
+  labels: {}
+  lifecycle: {}
+  livenessPath: ''
+  minReadySeconds: 0
+  podAnnotations: {}
+  podLabels: {}
+  readinessPath: ''
+  replicas: 1
+  revisionHistoryLimit: null
+  runtimeClassName: ''
+  shareProcessNamespace: false
+  terminationGracePeriodSeconds: 60
+env: []
+envFrom: []
+experimental:
+  abortOnPluginFailure: false
+  kubernetesGateway:
+    enabled: false
+  plugins:
+    traefik-umami-feeder:
+      moduleName: github.com/astappiev/traefik-umami-feeder
+      version: v1.2.0
+extraObjects: []
+gateway:
+  annotations: {}
+  enabled: true
+  infrastructure: {}
+  listeners:
+    web:
+      hostname: ''
+      namespacePolicy: null
+      port: 8000
+      protocol: HTTP
+  name: ''
+  namespace: ''
+gatewayClass:
+  enabled: true
+  labels: {}
+  name: ''
+globalArguments:
+- --global.checknewversion
+- --global.sendanonymoususage
+hostNetwork: false
+hub:
+  apimanagement:
+    admission:
+      listenAddr: ''
+      secretName: ''
+    enabled: false
+  redis:
+    cluster: null
+    database: null
+    endpoints: ''
+    password: ''
+    sentinel:
+      masterset: ''
+      password: ''
+      username: ''
+    timeout: ''
+    tls:
+      ca: ''
+      cert: ''
+      insecureSkipVerify: false
+      key: ''
+    username: ''
+  sendlogs: null
+  token: ''
+image:
+  pullPolicy: IfNotPresent
+  registry: docker.io
+  repository: traefik
+  tag: null
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+  name: traefik-ingress
+ingressRoute:
+  dashboard:
+    annotations: {}
+    enabled: false
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    middlewares: []
+    services:
+    - kind: TraefikService
+      name: api@internal
+    tls: {}
+  healthcheck:
+    annotations: {}
+    enabled: false
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/ping`)
+    middlewares: []
+    services:
+    - kind: TraefikService
+      name: ping@internal
+    tls: {}
+initContainers:
+- command:
+  - sh
+  - -c
+  - mkdir -p /data && touch /data/acme.json && chmod 600 /data/acme.json
+  image: busybox:latest
+  name: volume-permissions
+  volumeMounts:
+  - mountPath: /data
+    name: data
+instanceLabelOverride: ''
+livenessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+logs:
+  access:
+    addInternals: false
+    bufferingSize: null
+    enabled: false
+    fields:
+      general:
+        defaultmode: keep
+        names: {}
+      headers:
+        defaultmode: drop
+        names: {}
+    filters:
+      minduration: ''
+      retryattempts: false
+      statuscodes: ''
+    format: null
+  general:
+    filePath: ''
+    format: null
+    level: INFO
+    noColor: false
+metrics:
+  addInternals: false
+  otlp:
+    addEntryPointsLabels: null
+    addRoutersLabels: null
+    addServicesLabels: null
+    enabled: false
+    explicitBoundaries: []
+    grpc:
+      enabled: false
+      endpoint: ''
+      insecure: false
+      tls:
+        ca: ''
+        cert: ''
+        insecureSkipVerify: false
+        key: ''
+    http:
+      enabled: false
+      endpoint: ''
+      headers: {}
+      tls:
+        ca: ''
+        cert: ''
+        insecureSkipVerify: null
+        key: ''
+    pushInterval: ''
+  prometheus:
+    addEntryPointsLabels: null
+    addRoutersLabels: null
+    addServicesLabels: null
+    buckets: ''
+    disableAPICheck: null
+    entryPoint: metrics
+    manualRouting: false
+    prometheusRule:
+      additionalLabels: {}
+      enabled: false
+      namespace: ''
+    service:
+      annotations: {}
+      enabled: false
+      labels: {}
+    serviceMonitor:
+      additionalLabels: {}
+      enableHttp2: false
+      enabled: false
+      followRedirects: false
+      honorLabels: false
+      honorTimestamps: false
+      interval: ''
+      jobLabel: ''
+      metricRelabelings: []
+      namespace: ''
+      namespaceSelector: {}
+      relabelings: []
+      scrapeTimeout: ''
+namespaceOverride: ''
+nodeSelector:
+  kubernetes.io/hostname: alaskarserver
+persistence:
+  accessMode: ReadWriteOnce
+  annotations: {}
+  enabled: true
+  existingClaim: nfs-ssd-traefik-pvc
+  name: data
+  path: /data
+  size: 128Mi
+  storageClass: ''
+  subPath: certs
+  volumeName: ''
+podDisruptionBudget:
+  enabled: false
+  maxUnavailable: null
+  minAvailable: null
+podSecurityContext:
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+podSecurityPolicy:
+  enabled: false
+ports:
+  metrics:
+    expose:
+      default: false
+    exposedPort: 9100
+    port: 9100
+    protocol: TCP
+  ssh:
+    nodePort: 30222
+    port: 22
+    targetport: 22
+  traefik:
+    expose:
+      default: false
+    exposedPort: 8080
+    hostIP: null
+    hostPort: null
+    port: 8080
+    protocol: TCP
+  web:
+    expose:
+      default: true
+    exposedPort: 80
+    forwardedHeaders:
+      insecure: false
+      trustedIPs: []
+    nodePort: 30808
+    port: 80
+    protocol: TCP
+    proxyProtocol:
+      insecure: false
+      trustedIPs: []
+    redirectTo: {}
+    targetPort: 80
+    transport:
+      keepAliveMaxRequests: null
+      keepAliveMaxTime: null
+      lifeCycle:
+        graceTimeOut: null
+        requestAcceptGraceTimeout: null
+      respondingTimeouts:
+        idleTimeout: null
+        readTimeout: null
+        writeTimeout: null
+  websecure:
+    allowACMEByPass: false
+    appProtocol: null
+    containerPort: null
+    expose:
+      default: true
+    exposedPort: 443
+    forwardedHeaders:
+      insecure: false
+      trustedIPs: []
+    hostPort: null
+    http3:
+      advertisedPort: null
+      enabled: false
+    middlewares: []
+    nodePort: 30443
+    port: 443
+    protocol: TCP
+    proxyProtocol:
+      insecure: false
+      trustedIPs: []
+    targetPort: 443
+    tls:
+      certResolver: ''
+      domains: []
+      enabled: true
+      options: ''
+    transport:
+      keepAliveMaxRequests: null
+      keepAliveMaxTime: null
+      lifeCycle:
+        graceTimeOut: null
+        requestAcceptGraceTimeout: null
+      respondingTimeouts:
+        idleTimeout: null
+        readTimeout: null
+        writeTimeout: null
+priorityClassName: ''
+providers:
+  file:
+    content: ''
+    enabled: false
+    watch: true
+  kubernetesCRD:
+    allowCrossNamespace: false
+    allowEmptyServices: true
+    allowExternalNameServices: false
+    enabled: true
+    ingressClass: ''
+    namespaces: []
+    nativeLBByDefault: false
+  kubernetesGateway:
+    enabled: false
+    experimentalChannel: false
+    labelselector: ''
+    namespaces: []
+    nativeLBByDefault: false
+    statusAddress:
+      hostname: ''
+      ip: ''
+      service:
+        name: '{{ (include "traefik.fullname" .) }}'
+        namespace: '{{ .Release.Namespace }}'
+  kubernetesIngress:
+    allowEmptyServices: true
+    allowExternalNameServices: false
+    enabled: true
+    ingressClass: null
+    namespaces: []
+    nativeLBByDefault: false
+    publishedService:
+      enabled: true
+      pathOverride: ''
+rbac:
+  aggregateTo: []
+  enabled: true
+  namespaced: false
+  secretResourceNames: []
+readinessProbe:
+  failureThreshold: 1
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+resources: {}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+service:
+  additionalServices: {}
+  annotations: {}
+  annotationsTCP: {}
+  annotationsUDP: {}
+  enabled: true
+  externalIPs: []
+  labels: {}
+  loadBalancerSourceRanges: []
+  single: true
+  spec:
+    externalTrafficPolicy: Local
+  type: LoadBalancer
+serviceAccount:
+  name: traefik
+serviceAccountAnnotations: {}
+startupProbe: {}
+tlsOptions: {}
+tlsStore: {}
+tolerations: []
+topologySpreadConstraints: []
+tracing:
+  addInternals: false
+  capturedRequestHeaders: []
+  capturedResponseHeaders: []
+  globalAttributes: {}
+  otlp:
+    enabled: false
+    grpc:
+      enabled: false
+      endpoint: ''
+      insecure: false
+      tls:
+        ca: ''
+        cert: ''
+        insecureSkipVerify: false
+        key: ''
+    http:
+      enabled: false
+      endpoint: ''
+      headers: {}
+      tls:
+        ca: ''
+        cert: ''
+        insecureSkipVerify: false
+        key: ''
+  safeQueryParams: []
+  sampleRate: null
+  serviceName: null
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
+  type: RollingUpdate
+volumes: []