Custom Configuration
You can tailor the default installation configuration and apply custom settings with Helm (see the table below for the full list of available parameters).
Configuration Parameters
| Name | Default Value | Description |
|---|---|---|
additionalArguments | [] | Additional arguments to be passed at Traefik Hub API Gateway's binary. All available options are below Use curly braces to pass values: helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}" |
hubTokenSecretName | hub-agent-token | Name of the Secret containing the Traefik Hub API Gateway token. |
ingressRoute.dashboard.annotations | {} | Additional IngressRoute annotations (e.g. for kubernetes.io/ingress.class) |
ingressRoute.dashboard.enabled | true | Create an IngressRoute for the dashboard |
ingressRoute.dashboard.entryPoints | ["traefik"] | Specify the allowed entrypoints to use for the dashboard IngressRoute, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard over the Internet without any protection /!\ |
ingressRoute.dashboard.labels | {} | Additional IngressRoute labels (e.g. for filtering IngressRoute by custom labels) |
ingressRoute.dashboard.matchRule | "PathPrefix(/dashboard`) | |
ingressRoute.dashboard.middlewares | [] | Additional IngressRoute middlewares (e.g. for authentication) |
ingressRoute.dashboard.tls | {} | TLS options (e.g. secret containing certificate) |
maxSurge | 1 | The maximum number of Pods that can be created over the desired number of Pods. |
replicas | 1 | Stable set of replicated Pods running within a cluster at any given time. |
resources.requests.memory | 64Mi | Kubernetes resource management for Pods and containers. |
resources.requests.cpu | 50m | Kubernetes resource management for Pods and containers. |
resources.limits.memory | 128Mi | Kubernetes resource management for Pods and containers. |
resources.limits.cpu | 80m | Kubernetes resource management for Pods and containers. |
service.type | ClusterIP | Kubernetes Service types allow you to specify what kind of Service you want. |
service.annotations | None | For defining external DNS annotations. |
Add the Helm Repository
helm repo add traefik https://traefik.github.io/charts
helm repo update
Create the Kubernetes Namespace for Traefik Hub
kubectl create namespace traefik-hub
Create the Secret with the API Gateway Token
kubectl create secret generic hub-agent-token --namespace traefik-hub --from-literal=token=YOUR-TRAEFIK-HUB-TOKEN
YOUR-TRAEFIK-HUB-TOKEN: Your token provided by Traefik Labs
You can adjust the default configuration by adjusting the values.
Adjust the Default Values
First, save the default configuration.
The following command will save it to a file with the name values.yaml in your working directory.
helm show values traefik/traefik-hub > values.yaml
Second, adjust the file.
The following example shows a configuration where the log level of the Traefik Hub API Gateway is set to DEBUG and the access log format to JSON.
additionalArguments:
- --log.level=debug
- --accessLog.format=json
Install the API Gateway with Your Custom Settings
Once you have the configuration adjusted to your needs, use Helm to deploy the Traefik Hub API Gateway with the new values:
helm upgrade --install --namespace traefik-hub traefik-hub traefik/traefik-hub --values values.yaml
Additional Arguments
--accesslog:
Access log settings. (Default: false)
--accesslog.bufferingsize:
Number of access log lines to process in a buffered way. (Default: 0)
--accesslog.fields.defaultmode:
Default mode for fields: keep | drop (Default: keep)
--accesslog.fields.headers.defaultmode:
Default mode for fields: keep | drop | redact (Default: drop)
--accesslog.fields.headers.names.<name>:
Override mode for headers
--accesslog.fields.names.<name>:
Override mode for fields
--accesslog.filepath:
Access log file path. Stdout is used when omitted or empty.
--accesslog.filters.minduration:
Keep access logs when request took longer than the specified duration. (Default: 0)
--accesslog.filters.retryattempts:
Keep access logs when at least one retry happened. (Default: false)
--accesslog.filters.statuscodes:
Keep access logs with status codes in the specified range.
--accesslog.format:
Access log format: json | common (Default: common)
--api:
Enable api/dashboard. (Default: false)
--api.dashboard:
Activate dashboard. (Default: true)
--api.debug:
Enable additional endpoints for debugging and profiling. (Default: false)
--api.disabledashboardad:
Disable ad in the dashboard. (Default: false)
--api.insecure:
Activate API directly on the entryPoint named traefik. (Default: false)
--certificatesresolvers.<name>:
Certificates resolvers configuration. (Default: false)
--certificatesresolvers.<name>.acme.caserver:
CA server to use. (Default: https://acme-v02.api.letsencrypt.org/directory)
--certificatesresolvers.<name>.acme.certificatesduration:
Certificates' duration in hours. (Default: 2160)
--certificatesresolvers.<name>.acme.dnschallenge:
Activate DNS-01 Challenge. (Default: false)
--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck:
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: 0)
--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck:
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: false)
--certificatesresolvers.<name>.acme.dnschallenge.provider:
Use a DNS-01 based challenge provider rather than HTTPS.
--certificatesresolvers.<name>.acme.dnschallenge.resolvers:
Use following DNS servers to resolve the FQDN authority.
--certificatesresolvers.<name>.acme.eab.hmacencoded:
Base64 encoded HMAC key from External CA.
--certificatesresolvers.<name>.acme.eab.kid:
Key identifier from External CA.
--certificatesresolvers.<name>.acme.email:
Email address used for registration.
--certificatesresolvers.<name>.acme.httpchallenge:
Activate HTTP-01 Challenge. (Default: false)
--certificatesresolvers.<name>.acme.httpchallenge.entrypoint:
HTTP challenge EntryPoint
--certificatesresolvers.<name>.acme.keytype:
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: RSA4096)
--certificatesresolvers.<name>.acme.preferredchain:
Preferred chain to use.
--certificatesresolvers.<name>.acme.storage:
Storage to use. (Default: acme.json)
--certificatesresolvers.<name>.acme.tlschallenge:
Activate TLS-ALPN-01 Challenge. (Default: true)
--entrypoints.<name>:
Entry points definition. (Default: false)
--entrypoints.<name>.address:
Entry point address.
--entrypoints.<name>.forwardedheaders.insecure:
Trust all forwarded headers. (Default: false)
--entrypoints.<name>.forwardedheaders.trustedips:
Trust only forwarded headers from selected IPs.
--entrypoints.<name>.http:
HTTP configuration.
--entrypoints.<name>.http.encodequerysemicolons:
Defines whether request query semicolons should be URLEncoded. (Default: false)
--entrypoints.<name>.http.middlewares:
Default middlewares for the routers linked to the entry point.
--entrypoints.<name>.http.redirections.entrypoint.permanent:
Applies a permanent redirection. (Default: true)
--entrypoints.<name>.http.redirections.entrypoint.priority:
Priority of the generated router. (Default: 9223372036854775806)
--entrypoints.<name>.http.redirections.entrypoint.scheme:
Scheme used for the redirection. (Default: https)
--entrypoints.<name>.http.redirections.entrypoint.to:
Targeted entry point of the redirection.
--entrypoints.<name>.http.tls:
Default TLS configuration for the routers linked to the entry point. (Default: false)
--entrypoints.<name>.http.tls.certresolver:
Default certificate resolver for the routers linked to the entry point.
--entrypoints.<name>.http.tls.domains:
Default TLS domains for the routers linked to the entry point.
--entrypoints.<name>.http.tls.domains[n].main:
Default subject name.
--entrypoints.<name>.http.tls.domains[n].sans:
Subject alternative names.
--entrypoints.<name>.http.tls.options:
Default TLS options for the routers linked to the entry point.
--entrypoints.<name>.http2.maxconcurrentstreams:
Specifies the number of concurrent streams per connection that each client is allowed to initiate. (Default: 250)
--entrypoints.<name>.http3:
HTTP/3 configuration. (Default: false)
--entrypoints.<name>.http3.advertisedport:
UDP port to advertise, on which HTTP/3 is available. (Default: 0)
--entrypoints.<name>.proxyprotocol:
Proxy-Protocol configuration. (Default: false)
--entrypoints.<name>.proxyprotocol.insecure:
Trust all. (Default: false)
--entrypoints.<name>.proxyprotocol.trustedips:
Trust only selected IPs.
--entrypoints.<name>.transport.keepalivemaxrequests:
Maximum number of requests before closing a keep-alive connection. (Default: 0)
--entrypoints.<name>.transport.keepalivemaxtime:
Maximum duration before closing a keep-alive connection. (Default: 0)
--entrypoints.<name>.transport.lifecycle.gracetimeout:
Duration to give active requests a chance to finish before Traefik stops. (Default: 10)
--entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout:
Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: 0)
--entrypoints.<name>.transport.respondingtimeouts.idletimeout:
IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: 180)
--entrypoints.<name>.transport.respondingtimeouts.readtimeout:
ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: 0)
--entrypoints.<name>.transport.respondingtimeouts.writetimeout:
WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: 0)
--entrypoints.<name>.udp.timeout:
Timeout defines how long to wait on an idle session before releasing the related resources. (Default: 3)
--experimental.http3:
Enable HTTP3. (Default: false)
--experimental.kubernetesgateway:
Allow the Kubernetes gateway api provider usage. (Default: false)
--experimental.localplugins.<name>:
Local plugins configuration. (Default: false)
--experimental.localplugins.<name>.modulename:
plugin's module name.
--experimental.plugins.<name>.modulename:
plugin's module name.
--experimental.plugins.<name>.version:
plugin's version.
--global.checknewversion:
Periodically check if a new version has been released. (Default: true)
--global.sendanonymoususage:
Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. (Default: false)
--hostresolver:
Enable CNAME Flattening. (Default: false)
--hostresolver.cnameflattening:
A flag to enable/disable CNAME flattening (Default: false)
--hostresolver.resolvconfig:
resolv.conf used for DNS resolving (Default: /etc/resolv.conf)
--hostresolver.resolvdepth:
The maximal depth of DNS recursive resolving (Default: 5)
--log:
Traefik log settings. (Default: false)
--log.filepath:
Traefik log file path. Stdout is used when omitted or empty.
--log.format:
Traefik log format: json | common (Default: common)
--log.level:
Log level set to traefik logs. (Default: ERROR)
--metrics.datadog:
Datadog metrics exporter type. (Default: false)
--metrics.datadog.addentrypointslabels:
Enable metrics on entry points. (Default: true)
--metrics.datadog.address:
Datadog's address. (Default: localhost:8125)
--metrics.datadog.addrouterslabels:
Enable metrics on routers. (Default: false)
--metrics.datadog.addserviceslabels:
Enable metrics on services. (Default: true)
--metrics.datadog.prefix:
Prefix to use for metrics collection. (Default: traefik)
--metrics.datadog.pushinterval:
Datadog push interval. (Default: 10)
--metrics.influxdb:
InfluxDB metrics exporter type. (Default: false)
--metrics.influxdb.addentrypointslabels:
Enable metrics on entry points. (Default: true)
--metrics.influxdb.additionallabels.<name>:
Additional labels (influxdb tags) on all metrics
--metrics.influxdb.address:
InfluxDB address. (Default: localhost:8089)
--metrics.influxdb.addrouterslabels:
Enable metrics on routers. (Default: false)
--metrics.influxdb.addserviceslabels:
Enable metrics on services. (Default: true)
--metrics.influxdb.database:
InfluxDB database used when protocol is http.
--metrics.influxdb.password:
InfluxDB password (only with http).
--metrics.influxdb.protocol:
InfluxDB address protocol (udp or http). (Default: udp)
--metrics.influxdb.pushinterval:
InfluxDB push interval. (Default: 10)
--metrics.influxdb.retentionpolicy:
InfluxDB retention policy used when protocol is http.
--metrics.influxdb.username:
InfluxDB username (only with http).
--metrics.influxdb2:
InfluxDB v2 metrics exporter type. (Default: false)
--metrics.influxdb2.addentrypointslabels:
Enable metrics on entry points. (Default: true)
--metrics.influxdb2.additionallabels.<name>:
Additional labels (influxdb tags) on all metrics
--metrics.influxdb2.address:
InfluxDB v2 address. (Default: http://localhost:8086)
--metrics.influxdb2.addrouterslabels:
Enable metrics on routers. (Default: false)
--metrics.influxdb2.addserviceslabels:
Enable metrics on services. (Default: true)
--metrics.influxdb2.bucket:
InfluxDB v2 bucket ID.
--metrics.influxdb2.org:
InfluxDB v2 org ID.
--metrics.influxdb2.pushinterval:
InfluxDB v2 push interval. (Default: 10)
--metrics.influxdb2.token:
InfluxDB v2 access token.
--metrics.prometheus:
Prometheus metrics exporter type. (Default: false)
--metrics.prometheus.addentrypointslabels:
Enable metrics on entry points. (Default: true)
--metrics.prometheus.addrouterslabels:
Enable metrics on routers. (Default: false)
--metrics.prometheus.addserviceslabels:
Enable metrics on services. (Default: true)
--metrics.prometheus.buckets:
Buckets for latency metrics. (Default: 0.100000, 0.300000, 1.200000, 5.000000)
--metrics.prometheus.entrypoint:
EntryPoint (Default: traefik)
--metrics.prometheus.headerlabels.<name>:
Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label.
--metrics.prometheus.manualrouting:
Manual routing (Default: false)
--metrics.statsd:
StatsD metrics exporter type. (Default: false)
--metrics.statsd.addentrypointslabels:
Enable metrics on entry points. (Default: true)
--metrics.statsd.address:
StatsD address. (Default: localhost:8125)
--metrics.statsd.addrouterslabels:
Enable metrics on routers. (Default: false)
--metrics.statsd.addserviceslabels:
Enable metrics on services. (Default: true)
--metrics.statsd.prefix:
Prefix to use for metrics collection. (Default: traefik)
--metrics.statsd.pushinterval:
StatsD push interval. (Default: 10)
--ping:
Enable ping. (Default: false)
--ping.entrypoint:
EntryPoint (Default: traefik)
--ping.manualrouting:
Manual routing (Default: false)
--ping.terminatingstatuscode:
Terminating status code (Default: 503)
--providers.file.debugloggeneratedtemplate:
Enable debug logging of generated configuration template. (Default: false)
--providers.file.directory:
Load dynamic configuration from one or more .yml or .toml files in a directory.
--providers.file.filename:
Load dynamic configuration from a file.
--providers.file.watch:
Watch provider. (Default: true)
--providers.http:
Enable HTTP backend with default settings. (Default: false)
--providers.http.endpoint:
Load configuration from this endpoint.
--providers.http.pollinterval:
Polling interval for endpoint. (Default: 5)
--providers.http.polltimeout:
Polling timeout for endpoint. (Default: 5)
--providers.http.tls.ca:
TLS CA
--providers.http.tls.caoptional:
TLS CA.Optional (Default: false)
--providers.http.tls.cert:
TLS cert
--providers.http.tls.insecureskipverify:
TLS insecure skip verify (Default: false)
--providers.http.tls.key:
TLS key
--providers.kubernetescrd:
Enable Kubernetes backend with default settings. (Default: false)
--providers.kubernetescrd.allowcrossnamespace:
Allow cross namespace resource reference. (Default: false)
--providers.kubernetescrd.allowemptyservices:
Allow the creation of services without endpoints. (Default: false)
--providers.kubernetescrd.allowexternalnameservices:
Allow ExternalName services. (Default: false)
--providers.kubernetescrd.certauthfilepath:
Kubernetes certificate authority file path (not needed for in-cluster client).
--providers.kubernetescrd.endpoint:
Kubernetes server endpoint (required for external cluster client).
--providers.kubernetescrd.ingressclass:
Value of kubernetes.io/ingress.class annotation to watch for.
--providers.kubernetescrd.labelselector:
Kubernetes label selector to use.
--providers.kubernetescrd.namespaces:
Kubernetes namespaces.
--providers.kubernetescrd.throttleduration:
Ingress refresh throttle duration (Default: 0)
--providers.kubernetescrd.token:
Kubernetes bearer token (not needed for in-cluster client).
--providers.kubernetesgateway:
Enable Kubernetes gateway api provider with default settings. (Default: false)
--providers.kubernetesgateway.certauthfilepath:
Kubernetes certificate authority file path (not needed for in-cluster client).
--providers.kubernetesgateway.endpoint:
Kubernetes server endpoint (required for external cluster client).
--providers.kubernetesgateway.labelselector:
Kubernetes label selector to select specific GatewayClasses.
--providers.kubernetesgateway.namespaces:
Kubernetes namespaces.
--providers.kubernetesgateway.throttleduration:
Kubernetes refresh throttle duration (Default: 0)
--providers.kubernetesgateway.token:
Kubernetes bearer token (not needed for in-cluster client).
--providers.kubernetesingress:
Enable Kubernetes backend with default settings. (Default: false)
--providers.kubernetesingress.allowemptyservices:
Allow creation of services without endpoints. (Default: false)
--providers.kubernetesingress.allowexternalnameservices:
Allow ExternalName services. (Default: false)
--providers.kubernetesingress.certauthfilepath:
Kubernetes certificate authority file path (not needed for in-cluster client).
--providers.kubernetesingress.endpoint:
Kubernetes server endpoint (required for external cluster client).
--providers.kubernetesingress.ingressclass:
Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for.
--providers.kubernetesingress.ingressendpoint.hostname:
Hostname used for Kubernetes Ingress endpoints.
--providers.kubernetesingress.ingressendpoint.ip:
IP used for Kubernetes Ingress endpoints.
--providers.kubernetesingress.ingressendpoint.publishedservice:
Published Kubernetes Service to copy status from.
--providers.kubernetesingress.labelselector:
Kubernetes Ingress label selector to use.
--providers.kubernetesingress.namespaces:
Kubernetes namespaces.
--providers.kubernetesingress.throttleduration:
Ingress refresh throttle duration (Default: 0)
--providers.kubernetesingress.token:
Kubernetes bearer token (not needed for in-cluster client).
--serverstransport.forwardingtimeouts.dialtimeout:
The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: 30)
--serverstransport.forwardingtimeouts.idleconntimeout:
The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: 90)
--serverstransport.forwardingtimeouts.responseheadertimeout:
The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: 0)
--serverstransport.insecureskipverify:
Disable SSL certificate verification. (Default: false)
--serverstransport.maxidleconnsperhost:
If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: 200)
--serverstransport.rootcas:
Add cert file for self-signed certificate.
--tracing:
OpenTracing configuration. (Default: false)
--tracing.datadog:
Settings for Datadog. (Default: false)
--tracing.datadog.bagageprefixheadername:
Sets the header name prefix used to store baggage items in a map.
--tracing.datadog.debug:
Enables Datadog debug. (Default: false)
--tracing.datadog.globaltag:
Sets a key:value tag on all spans.
--tracing.datadog.globaltags.<name>:
Sets a list of key:value tags on all spans.
--tracing.datadog.localagenthostport:
Sets the Datadog Agent host:port. (Default: localhost:8126)
--tracing.datadog.localagentsocket:
Sets the socket for the Datadog Agent.
--tracing.datadog.parentidheadername:
Sets the header name used to store the parent ID.
--tracing.datadog.prioritysampling:
Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: false)
--tracing.datadog.samplingpriorityheadername:
Sets the header name used to store the sampling priority.
--tracing.datadog.traceidheadername:
Sets the header name used to store the trace ID.
--tracing.elastic:
Settings for Elastic. (Default: false)
--tracing.elastic.secrettoken:
Sets the token used to connect to Elastic APM Server.
--tracing.elastic.serverurl:
Sets the URL of the Elastic APM server.
--tracing.elastic.serviceenvironment:
Sets the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
--tracing.haystack:
Settings for Haystack. (Default: false)
--tracing.haystack.baggageprefixheadername:
Sets the header name prefix used to store baggage items in a map.
--tracing.haystack.globaltag:
Sets a key:value tag on all spans.
--tracing.haystack.localagenthost:
Sets the Haystack Agent host. (Default: 127.0.0.1)
--tracing.haystack.localagentport:
Sets the Haystack Agent port. (Default: 35000)
--tracing.haystack.parentidheadername:
Sets the header name used to store the parent ID.
--tracing.haystack.spanidheadername:
Sets the header name used to store the span ID.
--tracing.haystack.traceidheadername:
Sets the header name used to store the trace ID.
--tracing.instana:
Settings for Instana. (Default: false)
--tracing.instana.enableautoprofile:
Enables automatic profiling for the Traefik process. (Default: false)
--tracing.instana.localagenthost:
Sets the Instana Agent host.
--tracing.instana.localagentport:
Sets the Instana Agent port. (Default: 42699)
--tracing.instana.loglevel:
Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: info)
--tracing.jaeger:
Settings for Jaeger. (Default: false)
--tracing.jaeger.collector.endpoint:
Instructs reporter to send spans to jaeger-collector at this URL.
--tracing.jaeger.collector.password:
Password for basic http authentication when sending spans to jaeger-collector.
--tracing.jaeger.collector.user:
User for basic http authentication when sending spans to jaeger-collector.
--tracing.jaeger.disableattemptreconnecting:
Disables the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: true)
--tracing.jaeger.gen128bit:
Generates 128 bits span IDs. (Default: false)
--tracing.jaeger.localagenthostport:
Sets the Jaeger Agent host:port. (Default: 127.0.0.1:6831)
--tracing.jaeger.propagation:
Sets the propagation format (jaeger/b3). (Default: jaeger)
--tracing.jaeger.samplingparam:
Sets the sampling parameter. (Default: 1.000000)
--tracing.jaeger.samplingserverurl:
Sets the sampling server URL. (Default: http://localhost:5778/sampling)
--tracing.jaeger.samplingtype:
Sets the sampling type. (Default: const)
--tracing.jaeger.tracecontextheadername:
Sets the header name used to store the trace ID. (Default: uber-trace-id)
--tracing.servicename:
Set the name for this service. (Default: traefik)
--tracing.spannamelimit:
Set the maximum character limit for Span names (default 0 = no limit). (Default: 0)
--tracing.zipkin:
Settings for Zipkin. (Default: false)
--tracing.zipkin.httpendpoint:
Sets the HTTP Endpoint to report traces to. (Default: http://localhost:9411/api/v2/spans)
--tracing.zipkin.id128bit:
Uses 128 bits root span IDs. (Default: true)
--tracing.zipkin.samespan:
Uses SameSpan RPC style traces. (Default: false)
--tracing.zipkin.samplerate:
Sets the rate between 0.0 and 1.0 of requests to trace. (Default: 1.000000)