Replace all CRLFs with LFs (#9593)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

When looking at the catalog files on scale, I noticed that there is a
mix of CRLFs and LFs. I assume this was not intentional given the yaml
linter has a check to ensure chart yaml files use LFs. This change
converts all CRLFs to LFs.

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [x] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [x] ⚖️ My code follows the style guidelines of this project
- [x] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

**➕ App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

.all-contributorsrc

@@ -504,7 +504,8 @@
       "avatar_url": "https://avatars.githubusercontent.com/u/18377483?v=4",
       "profile": "https://github.com/j0hnby",
       "contributions": [
-        "bug"
+        "bug",
+        "doc"
       ]
     },
     {
@@ -1808,7 +1809,7 @@
       "profile": "https://github.com/kryojenik",
       "contributions": [
         "code"
-        ]
+      ]
     },
     {
       "login": "malcolmcdixon",
@@ -1818,6 +1819,24 @@
       "contributions": [
         "doc"
       ]
+    },
+    {
+      "login": "depasseg",
+      "name": "depasseg",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3201827?v=4",
+      "profile": "https://github.com/depasseg",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "j1mbl3s",
+      "name": "j1mbl3s",
+      "avatar_url": "https://avatars.githubusercontent.com/u/44634577?v=4",
+      "profile": "https://github.com/j1mbl3s",
+      "contributions": [
+        "doc"
+      ]
     }
   ],
   "contributorsPerLine": 7,

.github/README.md

@@ -124,7 +124,7 @@ A lot of our work is based on the great effort of others. We would love to exten
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-193-orange.svg?style=for-the-badge)](#contributors)
+[![All Contributors](https://img.shields.io/badge/all_contributors-196-orange.svg?style=for-the-badge)](#contributors)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -201,7 +201,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/eingemaischt"><img src="https://avatars.githubusercontent.com/u/151498?v=4?s=100" width="100px;" alt="Philipp"/><br /><sub><b>Philipp</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3Aeingemaischt" title="Bug reports">🐛</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/j0hnby"><img src="https://avatars.githubusercontent.com/u/18377483?v=4?s=100" width="100px;" alt="John"/><br /><sub><b>John</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3Aj0hnby" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/j0hnby"><img src="https://avatars.githubusercontent.com/u/18377483?v=4?s=100" width="100px;" alt="John"/><br /><sub><b>John</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3Aj0hnby" title="Bug reports">🐛</a> <a href="https://github.com/truecharts/charts/commits?author=j0hnby" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/john-parton"><img src="https://avatars.githubusercontent.com/u/2071543?v=4?s=100" width="100px;" alt="John Parton"/><br /><sub><b>John Parton</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3Ajohn-parton" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/Amasis"><img src="https://avatars.githubusercontent.com/u/7325217?v=4?s=100" width="100px;" alt="Marc"/><br /><sub><b>Marc</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3AAmasis" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/fdzaebel"><img src="https://avatars.githubusercontent.com/u/46503230?v=4?s=100" width="100px;" alt="fdzaebel"/><br /><sub><b>fdzaebel</b></sub></a><br /><a href="https://github.com/truecharts/charts/issues?q=author%3Afdzaebel" title="Bug reports">🐛</a></td>
@@ -385,6 +385,8 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/Emalton"><img src="https://avatars.githubusercontent.com/u/9328458?v=4?s=100" width="100px;" alt="John P"/><br /><sub><b>John P</b></sub></a><br /><a href="https://github.com/truecharts/charts/commits?author=Emalton" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/kryojenik"><img src="https://avatars.githubusercontent.com/u/845427?v=4?s=100" width="100px;" alt="kryojenik"/><br /><sub><b>kryojenik</b></sub></a><br /><a href="https://github.com/truecharts/charts/commits?author=kryojenik" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/malcolmcdixon"><img src="https://avatars.githubusercontent.com/u/56974882?v=4?s=100" width="100px;" alt="Malcolm"/><br /><sub><b>Malcolm</b></sub></a><br /><a href="https://github.com/truecharts/charts/commits?author=malcolmcdixon" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/depasseg"><img src="https://avatars.githubusercontent.com/u/3201827?v=4?s=100" width="100px;" alt="depasseg"/><br /><sub><b>depasseg</b></sub></a><br /><a href="https://github.com/truecharts/charts/commits?author=depasseg" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/j1mbl3s"><img src="https://avatars.githubusercontent.com/u/44634577?v=4?s=100" width="100px;" alt="j1mbl3s"/><br /><sub><b>j1mbl3s</b></sub></a><br /><a href="https://github.com/truecharts/charts/commits?author=j1mbl3s" title="Documentation">📖</a></td>
     </tr>
   </tbody>
 </table>

.github/workflows/catalog-test.yaml

@@ -17,7 +17,7 @@ jobs:
     container:
       image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         name: Checkout
         with:
           fetch-depth: 100

.github/workflows/charts-lint.yaml

@@ -22,13 +22,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout [master]
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: master
 
       - name: Checkout [commit]
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -107,7 +107,7 @@ jobs:
       - name: Create/Update comment
         if: steps.list-changed.outputs.detected == 'true'
         continue-on-error: true
-        uses: thollander/actions-comment-pull-request@632cf9ce90574d125be56b5f3405cda41a84e2fd # v2
+        uses: thollander/actions-comment-pull-request@dadb7667129e23f12ca3925c90dc5cd7121ab57e # v2
         with:
           filePath: /tmp/lint_result.txt
           comment_tag: lint_results

.github/workflows/charts-release.yaml

@@ -17,13 +17,13 @@ jobs:
       image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 1
 
       - name: Checkout Helm-Staging
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           repository: truecharts/helm-staging
@@ -92,7 +92,7 @@ jobs:
           GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 0
@@ -124,7 +124,7 @@ jobs:
           find . -name '*.sh' | xargs chmod +x
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         if: |
           steps.collect-changes.outputs.changesDetectedAfterTag == 'true'
         with:
@@ -238,7 +238,7 @@ jobs:
           git push
 
       - name: Checkout Catalog
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         if: |
           steps.collect-changes.outputs.changesDetectedAfterTag == 'true'
         with:

.github/workflows/charts-test.yaml

@@ -50,7 +50,7 @@ jobs:
       detected6: ${{ steps.list-changed.outputs.detected6 }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -115,7 +115,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -141,12 +141,27 @@ jobs:
           # Flags found here https://github.com/k3d-io/k3d
           k3d-args: --k3s-arg --disable=metrics-server@server:*
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Remove node taints
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          ## TODO: Move to our Helm Charts
+          ## TODO: Only add when required
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.20/releases/cnpg-1.20.0.yaml  --server-side --force-conflicts || echo "error fetching cnpg manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f  https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml --server-side --force-conflicts || echo "error fetching prometheus operator manifest"
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   install-charts2:
     needs:
@@ -160,7 +175,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -191,8 +206,20 @@ jobs:
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.17/releases/cnpg-1.17.5.yaml  --server-side --force-conflicts || echo "error fetching cnpg manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f  https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml --server-side --force-conflicts || echo "error fetching prometheus operator manifest"
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   install-charts3:
     needs:
@@ -206,7 +233,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -232,12 +259,25 @@ jobs:
           # Flags found here https://github.com/k3d-io/k3d
           k3d-args: --k3s-arg --disable=metrics-server@server:*
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Remove node taints
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.17/releases/cnpg-1.17.5.yaml  --server-side --force-conflicts || echo "error fetching cnpg manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f  https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml --server-side --force-conflicts || echo "error fetching prometheus operator manifest"
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   install-charts4:
     needs:
@@ -251,7 +291,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -277,12 +317,25 @@ jobs:
           # Flags found here https://github.com/k3d-io/k3d
           k3d-args: --k3s-arg --disable=metrics-server@server:*
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Remove node taints
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.17/releases/cnpg-1.17.5.yaml  --server-side --force-conflicts || echo "error fetching cnpg manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f  https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml --server-side --force-conflicts || echo "error fetching prometheus operator manifest"
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   install-charts5:
     needs:
@@ -296,7 +349,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -322,12 +375,25 @@ jobs:
           # Flags found here https://github.com/k3d-io/k3d
           k3d-args: --k3s-arg --disable=metrics-server@server:*
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Remove node taints
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f --server-side --force-conflicts https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f --server-side --force-conflicts https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.17/releases/cnpg-1.17.5.yaml
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f --server-side --force-conflicts --server-side --force-conflicts https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   install-charts6:
     needs:
@@ -341,7 +407,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           ref: ${{ inputs.checkoutCommit }}
@@ -367,12 +433,25 @@ jobs:
           # Flags found here https://github.com/k3d-io/k3d
           k3d-args: --k3s-arg --disable=metrics-server@server:*
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Remove node taints
         run: |
           kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
 
+      - name: Add Dependencies
+        run: |
+          if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
+            kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.17/releases/cnpg-1.17.5.yaml  --server-side --force-conflicts || echo "error fetching cnpg manifest"
+          fi
+          if [[ "${{ matrix.chart }}" != "charts/operators/prometheus-operator" ]]; then
+            kubectl apply -f  https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.65.2/bundle.yaml --server-side --force-conflicts || echo "error fetching prometheus operator manifest"
+          fi
+
       - name: Run chart-testing (install)
-        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" #--upgrade
+        run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" # --upgrade
 
   # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
   install_success:

.github/workflows/daily.yaml

@@ -20,7 +20,7 @@ jobs:
       image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 1
@@ -55,7 +55,7 @@ jobs:
           done
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           repository: truecharts/website
           path: website
@@ -248,7 +248,7 @@ jobs:
           helm repo update
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 1
@@ -257,7 +257,7 @@ jobs:
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
       - name: Checkout website
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 1
           repository: truecharts/website
@@ -360,7 +360,7 @@ jobs:
   lock-threads:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 # v4
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4
         with:
           github-token: ${{ secrets.BOT_TOKEN }}
           issue-inactive-days: "7"
@@ -377,7 +377,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 1

.github/workflows/pr-validate.yaml

@@ -17,7 +17,7 @@ jobs:
       addedOrModifiedCharts: ${{ steps.collect-changes.outputs.addedOrModifiedCharts }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
       - name: Collect changes
         id: collect-changes
@@ -57,7 +57,7 @@ jobs:
       head-commit-message: ${{ steps.get_head_commit_message.outputs.headCommitMsg }}
     steps:
       - name: Get repo
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: verbose head git commit message

.github/workflows/prune.yaml

@@ -9,7 +9,7 @@ jobs:
     name: "prune old releases"
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 0
       - uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4

.github/workflows/renovate-bump.yaml

@@ -14,12 +14,12 @@ jobs:
     container:
       image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         name: Checkout
         with:
           fetch-depth: 0
           token: ${{ secrets.BOT_TOKEN }}
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         name: Checkout
         with:
           fetch-depth: 0

.github/workflows/renovate.yml

@@ -8,11 +8,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           token: ${{ secrets.BOT_TOKEN }}
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@f9dfd286235d81ce4a68f95019018c2fd7df13a9 # v38.1.2
+        uses: renovatebot/github-action@5aa4bc2e097e751b391105d89ff88c0c80519c1a # v38.1.3
         with:
           configurationFile: .github/renovate-config.js
           token: ${{ secrets.BOT_TOKEN }}

.github/workflows/schedule-sync-labels.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           token: ${{ secrets.BOT_TOKEN }}
 

charts/dependency/clickhouse/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "23.4.2.11"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP).
 home: https://truecharts.org/charts/dependency/clickhouse
@@ -22,7 +22,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/clickhouse
   - https://clickhouse.com/
 type: application
-version: 5.0.37
+version: 5.0.41
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/kube-state-metrics/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "2.8.2"
+appVersion: "2.9.2"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
 home: https://truecharts.org/charts/dependency/kube-state-metrics
@@ -21,7 +21,7 @@ name: kube-state-metrics
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/kube-state-metrics
 type: application
-version: 1.0.15
+version: 1.0.20
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/dependency/kube-state-metrics/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/kube-state-metrics
   pullPolicy: IfNotPresent
-  tag: v2.8.2@sha256:35a4457d904190e4870a88d7955b26b6b2604a60ad82c108f9f672a3a6b09ab1
+  tag: v2.9.2@sha256:3ec0f0765cae3d8635edad876f3bca1315ea2d69c2ae5cbee9f46c881c85acf5
 
 service:
   main:
@@ -48,7 +48,7 @@ workload:
             - --resources=services
             - --resources=statefulsets
             - --resources=storageclasses
-            - --resources=verticalpodautoscalers
+            # - --resources=verticalpodautoscalers
             - --resources=validatingwebhookconfigurations
             - --resources=volumeattachments
 

charts/dependency/mariadb/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "10.11.3"
+appVersion: "10.11.4"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Fast, reliable, scalable, and easy to use open-source relational database system.
 home: https://truecharts.org/charts/dependency/mariadb
@@ -25,7 +25,7 @@ sources:
   - https://github.com/prometheus/mysqld_exporter
   - https://mariadb.org
 type: application
-version: 7.0.45
+version: 7.0.50
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/mariadb/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/mariadb
   pullPolicy: IfNotPresent
-  tag: v10.11.3@sha256:891f1dc04542670a3f82bb11c652d3fccca831310fd100397517284ff551d195
+  tag: v10.11.4@sha256:c36949f30cb56ed38498d794a0a4fb34d58dcf6c45aa9107f292ab9f1df1c54c
 
 workload:
   main:

charts/dependency/memcached/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "1.6.20"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Memcached is a memory-backed database caching solution
 home: https://truecharts.org/charts/dependency/memcached
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-memcached
   - http://memcached.org/
 type: application
-version: 6.0.55
+version: 6.0.59
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/memcached/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/memcached
   pullPolicy: IfNotPresent
-  tag: v1.6.20@sha256:ec4689bb5ae7fcf705858fa93f99d21917941bc8dbcdc4af26414a33826784df
+  tag: v1.6.20@sha256:ed57e787e5b280440220cd8246d87901dbfd436fa61cb63b640cfd4387e8a07c
 
 service:
   main:

charts/dependency/mongodb/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "6.0.6"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Fast, reliable, scalable, and easy to use open-source no-sql database system.
 home: https://truecharts.org/charts/dependency/mongodb
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-mongodb
   - https://www.mongodb.com
 type: application
-version: 6.0.44
+version: 6.0.48
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/mongodb/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/mongodb
   pullPolicy: IfNotPresent
-  tag: v6.0.6@sha256:d2ad82e7e701af53c1e4d8343d26f2cd7f9055d02c41c570d80c0d4beb572297
+  tag: v6.0.6@sha256:757f91b38a37e3a33710d3c77015eae68762fd890cb675d84c9b86668790f462
 
 workload:
   main:

charts/dependency/node-exporter/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "1.6.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Prometheus exporter for hardware and OS metrics exposed by UNIX kernels, with pluggable metric collectors.
 home: https://truecharts.org/charts/dependency/node-exporter
@@ -21,7 +21,7 @@ name: node-exporter
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/node-exporter
 type: application
-version: 1.0.18
+version: 1.0.22
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/dependency/node-exporter/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/node-exporter
   pullPolicy: IfNotPresent
-  tag: v1.6.0@sha256:b5a9abd4a2aa65873f45b204cc452decc6a22d630adef022855cb520a5bb97bb
+  tag: v1.6.0@sha256:c286e5dab7f852d1464a01122c3bbd7c48149ecdec188499aea579aef379238b
 
 service:
   main:

charts/dependency/redis/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "7.0.11"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Open source, advanced key-value store.
 home: https://truecharts.org/charts/dependency/redis
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-redis
   - http://redis.io/
 type: application
-version: 6.0.54
+version: 6.0.58
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/solr/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "9.2.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.1
 deprecated: false
 description: Apache Solr
 home: https://truecharts.org/charts/dependency/solr
@@ -22,7 +22,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/solr
   - https://github.com/apache/solr
 type: application
-version: 4.0.44
+version: 4.0.48
 annotations:
   truecharts.org/catagories: |
     - search

charts/dependency/solr/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/solr
   pullPolicy: IfNotPresent
-  tag: v9.2.1@sha256:21b6e79cb4f4d36606ca75b5735780519855a85f42031a23d49da0640372c0db
+  tag: v9.2.1@sha256:04c6f6e9d7c3fcecf1a5c17ca6899223e5880370bd660c1321e11bf72d892bdd
 
 workload:
   main:

charts/enterprise/authelia/Chart.yaml

@@ -3,11 +3,11 @@ appVersion: "4.37.5"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
   - condition: redis.enabled
     name: redis
     repository: https://deps.truecharts.org
-    version: 6.0.53
+    version: 6.0.58
 deprecated: false
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 home: https://truecharts.org/charts/enterprise/authelia
@@ -35,7 +35,7 @@ sources:
   - https://github.com/authelia/chartrepo
   - https://github.com/authelia/authelia
 type: application
-version: 15.1.25
+version: 15.1.28
 annotations:
   truecharts.org/catagories: |
     - security

charts/enterprise/authelia/docs/Setup-Guide.md

@@ -0,0 +1,106 @@
+# Authelia + LLDAP + Traefik ForwardAuth Setup guide
+
+This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel
+
+## Prerequisites
+
+- Traefik installed (enable the `enterprise train`)
+- Clusterissuer for certificates
+- CloudnativePG operator (enable the `operators train`)
+
+## Setup LLDAP
+
+:::warning
+
+LLDAP is a `Stable` train chart and therefore isn't supported at the same level as the charts in the `Enterprise` train (Authelia and Traefik).
+
+:::
+
+- Follow the steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Pretty straightforward. Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also make sure you have the `Operators` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`
+
+![LLDAP Config](img/LLDAPCatalogConfig.png)
+
+- I've set the services to `ClusterIP` since I'll be using ingress
+
+- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. I've created a user called `Steven`
+
+## Setup Authelia
+
+- The setup for Authelia is very specific, and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo.
+
+### App Configuration
+
+Domain: `mydomain.com` <- Your domain without https://
+Default Redirection URL: `auth.mydomain.com`
+  - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`
+
+### LDAP Backend Configuration
+
+`Click Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend
+
+- Implementation: `Custom` (that's the default)
+- URL: `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890`
+- Connection Timeout: 5s
+- Start TLS: (Not necessary)
+- TLS Settings: (Not necessary)
+- Server Name: Leave blank
+- Skip Certificate Verification: Leave unchecked
+- Minimum TLS version: `TLS1.2`
+- Base DN: `DC=mydomain,DC=com`
+- Username Attribute: `uid`
+- Additional Users DN: `ou=people`
+- Users Filter: `(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))`
+- Additional Groups DN: `ou=groups`
+- Groups Filter: `(member={dn})`
+- Group name Attribute:`cn`
+- Mail Attribute:`mail`
+- Display Name Attribute:`displayName`
+- Admin User: `uid=Steven,ou=people,dc=mydomain,dc=com` <- Notice the uid=Steven, most of the time people use admin and a generated password
+- Password: `RANDOMPASSWORD`
+
+#### SMTP Configuration
+
+Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`
+
+### Access Control Configuration
+
+- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule below where the main user (Steven) can access all the site using a wildcard
+
+Leave the default `one_factor` unless you've setup TOTP above. Then click `Add` next to `Rules` to get the screen below
+
+![AutheliaAccessControl](img/AutheliaAccessControl.png)
+
+- Add your `Domain` and a `Wildcard` for your subdomains.
+- Leave policy `one_factor`
+- Click `Add Subject` and add a subject of `group:lldap_password_manager` since `Steven` is part of that group
+
+#### Setup Authelia Ingress
+
+- Make sure you're using the same domain as the `Default Redirection URL` above, so for me that's `auth.mydomain.com`
+
+![AutheliaIngress](img/AutheliaIngress.png)
+
+## Traefik ForwardAuth Setup
+
+- This part is straight forward as long as you have a working `Traefik` install, please see our [How-To](https://truecharts.org/charts/enterprise/traefik/how-to) if you need more info on getting that running.
+
+- Scroll down to `forwardAuth` and click `Add`
+
+![TraefikForwardAuth](img/TraefikForwardAuth.png)
+
+- Name your `forwardauth` something you'll remember, since that's the middleware you'll add to your ingress going forward. Most people use `auth`
+- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from `Heavyscript`
+- Check `trustForwardHeader`
+- Add the following `authResponseHeaders` (press `Add` 4 times)
+  - `Remote-User`
+  - `Remote-Group`
+  - `Remote-Name`
+  - `Remote-Email`
+
+### References
+
+The origin material for this guide is available on the [LLDAP Github](https://github.com/lldap/lldap). While further information on Authelia can be found on their [Github](https://github.com/authelia/authelia) and [website](https://www.authelia.com/).
+
+### Support
+
+If you have any issues with following this guide, we can be reached using [Discord](https://discord.gg/tVsPTHWTtr) for real-time feedback and support.

charts/enterprise/blocky/Chart.yaml

@@ -3,11 +3,11 @@ appVersion: "0.21.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
   - condition: redis.enabled
     name: redis
     repository: https://deps.truecharts.org
-    version: 6.0.53
+    version: 6.0.58
 description: Blocky is a DNS proxy, DNS enhancer and ad-blocker for the local network written in Go
 home: https://truecharts.org/charts/enterprise/blocky
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/blocky.png
@@ -25,7 +25,7 @@ sources:
   - https://0xerr0r.github.io/blocky/
   - https://github.com/0xERR0R/blocky
   - https://github.com/Mozart409/blocky-frontend
-version: 5.0.39
+version: 5.0.42
 annotations:
   truecharts.org/catagories: |
     - network

charts/enterprise/blocky/docs/installation-notes.md

@@ -55,10 +55,11 @@ However: this negatively affects rollback and high availability, so we _highly_
 
 ## k8s-gateway
 
-Our blocky Chart/App, includes build-in compatibility for [k8s_gateway](https://github.com/ori-edge/k8s_gateway), this tool can be used to ensure devices on your local network, connect directly to the LAN IP of any Charts/Apps using Ingress, instead of via the outside world or, in a lot of cases, having a bunch of connectivity issues.
+Our blocky Chart/App includes build-in compatibility for [k8s_gateway](https://github.com/ori-edge/k8s_gateway).
+This tool can be used to achieve [Split DNS](https://en.wikipedia.org/wiki/Split-horizon_DNS) to ensure devices on your local network connect directly to the LAN IP of any Charts/Apps using Ingress, instead of via the outside world or, in a lot of cases, having a bunch of connectivity issues.
 
-The setup of k8s_gateway is simple:
-Just add the domain(s), which will include and subdomains(!), to the k8s_gateway domains list.
+To setup k8s_gateway add **your** root domain(s) to the `k8s_gateway` section domains list, e.g. `mydomain.com`.
 From that point onwards we will take care to automatically apply the required `conditional` settings in `blocky` as well.
+This will automatically include all your app subdomains exposed via Ingress, e.g. `jellyfin.mydomain.com`.
 
-Please be mindfull that using `Blocky Style` configuration using the `blockyConfig` object in `values.yaml`, might override this automatic setup.
+Please be mindfull that using `Blocky Style` configuration, using the `blockyConfig` object in `values.yaml`, might override this automatic setup.

charts/enterprise/blocky/docs/setup-guide.md

@@ -0,0 +1,75 @@
+# Blocky Setup Guide
+
+This will guide you through the basic setup of Blocky which is the preferred DNS solution for TrueCharts. This guide will cover basic setup options which will get you up and running and is not all inclusive.
+
+## Upstream DNS
+
+Blocky has multiple DNS entries configured by default these can be overridden to your personal preferences or left as default.
+
+Blocky supports 3 methods for upstream DNS.
+
+UDP - Basic DNS  
+DoT - DNS over TLS  
+DoH - DNS over HTTPS  
+
+While UDP provides no security for DNS both DoT and DoH will encrypt DNS request. DoH has the added benefit of privacy since DNS traffic will appear as HTTPS traffic.
+
+### UDP DNS Setup
+
+Google DNS: `8.8.8.8` `8.8.4.4`  
+Cloudflare DNS: `1.1.1.1` `1.0.0.1`  
+
+![blocky-udp-upstream-google](./img/blocky-udp-upstream-google.png)
+
+### DoT DNS Setup
+
+Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `tcp-tls:dns.google:853`  
+Cloudflare DNS: `tcp-tls:1.1.1.1:853` `tcp-tls:1.0.0.1:853`  
+
+![blocky-dot-upstream-google](./img/blocky-dot-upstream-google.png)
+
+### DoH Upstream
+
+Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `https://dns.google/dns-query`  
+Cloudflare DNS: `https://1.1.1.1/dns-query` `https://1.0.0.1/dns-query`  
+
+![blocky-doh-upstream-google](./img/blocky-doh-upstream-google.png)
+
+## Bootstrap DNS
+
+For DNS providers that do not use an IP address for DoT or DoH a bootstrap DNS provider is needed to resolve the DoT or DoH address. This provider can be any UDP upstream DNS. In the below example I am using Google DNS.
+
+![blocky-bootstrap-google](./img/blocky-bootstrap-google.png)
+
+## DNS Blacklists
+
+DNS Blacklists are used to prevent DNS resolution of advertisement, malware, trackers and adult sites domains. This is completed with public maintained blocklists. A good source for these is [firebog.net](https://firebog.net).
+
+:::warning Warning
+
+While publicly maintained blocklists usually do a good job of allowing legitimate traffic they can sometimes be too broad and catch traffic that you wish to allow. You may need to disable certain blocklists if you find legitimate traffic being blocked.
+
+:::
+
+1. Pick a Group Name for your blocklists.
+
+2. Add List entries for each blocklist by URL.
+
+![blocky-blacklist](./img/blocky-blacklist.png)
+
+3. Add a Clients Group Block and set Client Group Name to `default`
+
+4. Under Groups Entry enter the Group name you used above.
+
+![blocky-blacklist-group](./img/blocky-blacklist-group.png)
+
+## k8s-Gateway Configuration
+
+k8s-Gateway will automatically provide split DNS for your local domain. This will allow you to resolve all ingress configured subdomains locally. All that is required for setup is to add your root domain in the Domain name block.
+
+![blocky-k8s-gateway](./img/blocky-k8s-gateway.png)
+
+## Prometheus/Grafana
+
+TBD
+

charts/enterprise/clusterissuer/Chart.yaml

@@ -10,7 +10,7 @@ keywords:
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 kubeVersion: ">=1.16.0-0"
 maintainers:
   - email: info@truecharts.org
@@ -21,7 +21,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/enterprise/clusterissuer
   - https://cert-manager.io/
 type: application
-version: 1.0.4
+version: 1.0.6
 annotations:
   truecharts.org/catagories: |
     - core

charts/enterprise/grafana/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "9.5.2"
+appVersion: "9.5.3"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 deprecated: false
 description: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Elasticsearch, OpenTSDB, Prometheus and InfluxDB.
 home: https://truecharts.org/charts/enterprise/grafana
@@ -24,7 +24,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-grafana
   - https://grafana.com/
 type: application
-version: 7.0.46
+version: 7.0.50
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/enterprise/grafana/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/grafana
   pullPolicy: IfNotPresent
-  tag: v9.5.2@sha256:304f525b95932866808f519ccf76e93f96a38fb018b8dc944531f2088a8a596c
+  tag: v9.5.3@sha256:3f22fc64031f0a9e432ef397f8dd94173fd09c96777c5ba54fbe15ddce19e318
 manifestManager:
   enabled: true
 securityContext:

charts/enterprise/metallb-config/Chart.yaml

@@ -10,7 +10,7 @@ keywords:
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 kubeVersion: ">=1.16.0-0"
 maintainers:
   - email: info@truecharts.org
@@ -22,7 +22,7 @@ sources:
   - https://github.com/metallb/metallb
   - https://metallb.universe.tf
 type: application
-version: 1.1.6
+version: 1.1.8
 annotations:
   truecharts.org/catagories: |
     - core

charts/enterprise/metallb-config/docs/setup-guide.md

@@ -8,12 +8,26 @@ With MetalLB installed, apps will not be reachable using the integrated loadbala
 
 :::
 
-## 1. Configure Address Pool & L2 Advertisement
+## Prerequisites
+
+- Add the Operators & Enterprise trains to your TrueCharts Catalog.
+
+![metallb-addtrains](img/metallb_guide_trains.png)
+
+## 1. Install MetalLB Operator from Operators Train
+
+![metallb-apps](img/metallb_guide_apps.png)
+
+Install `metallb` from `operators` train first. There is no config, so just hit save.
+
+If you previously had `metallb` installed and are attempting to upgrade, follow the steps specified below in [Migrating an existing MetalLB config to operator-based version](#migrating-an-existing-metallb-config-to-operator-version)
+
+## 2. Set Address Pool & L2 Advertisement in MetalLB-Config
+
+Install `metallb-config` from enterprise train and create a new entry under `Configure IP Address Pools Object`
 
 ![metallb-addpoolbasic](img/metallb_guide_addresspool_basic.png)
 
-Create a new entry under `Configure IP Address Pools Object`
-
 - **Name**: Enter a general name for this IP range. Something like _apps_ or _charts_ for this field is fine.
 - **Auto Assign**: if you want MetalLB Services to auto-assign IPs from the configured address pool without needing to specify per app. Recommendation is to keep this checked. You can still specify an IP for apps as needed (see step 3).
 
@@ -30,15 +44,23 @@ Create a new entry under `Configure L2 Advertisements`.
 - **Name**: Enter a basic name for your layer 2 advertisement.
 - **Address Pool Entry:** This should match the **name** of the address pool created above (not the IP range itself).
 
-_For users with VLANs or multiple subnets, you may reference multiple address pool objects under a single L2 Advertisement entry as needed._
-
 :::info
 
-Once installed, MetalLB will always show as Stopped.
+Once installed, `metallb-config` will always show as Stopped.
 
 :::
 
-## 2. Disable SCALE's Default Loadbalancer
+## 3. Optional: Specify IP Address per App or Service
+
+![metallb-specifyIP](img/metallb_guide_specifyIP.png)
+
+With MetalLB installed, its is recommended (but optional) to specify IP addresses for your apps.
+
+For each app, under **Networking and Services**, select `LoadBalancer` Service Type for the Main Service.
+
+In the **LoadBalancer IP** field, specify an IP address that is within the MetalLB address pool that you configured. Apply the same IP address to the **LoadBalancer IP** field on other services within the app.
+
+## 4. Disable SCALE's Default Loadbalancer
 
 With MetalLB installed and configured, you must now disable SCALE's default loadbalancer.
 
@@ -48,19 +70,9 @@ In the SCALE UI, under **Apps** > **Settings** > **Advanced Settings**
 
 Uncheck `Enable Integrated Loadbalancer`.
 
-**This will trigger a restart of Kubernetes and all apps**. After roughly 5-10 minutes, your apps will redeploy using the MetalLB-assigned addresses.
+**This will trigger a restart of Kubernetes and all apps**. After roughly 5-10 minutes, your apps will redeploy using the MetalLB-assigned IP addresses.
 
-## 3. Optional: Specify IP Address per App or Service
-
-![metallb-specifyIP](img/metallb_guide_specifyIP.png)
-
-With MetalLB installed, you may optionally specify IP addresses for your apps.
-
-For each app, under **Networking and Services**, select `LoadBalancer` Service Type for the Main Service.
-
-In the **LoadBalancer IP** field, specify an IP address that is within the MetalLB address pool that you configured. Apply the same IP address to the **LoadBalancer IP** field on other services within the app.
-
-You may need to stop & restart the app for the IP address to take affect.
+## 5. Verify IP Addresses Are Assigned
 
 From your SCALE shell, run the command `k3s kubectl get svc -A` to verify the IP addresses assigned for each of your apps. The IPs will be listed under the `EXTERNAL-IP` column.
 
@@ -75,3 +87,9 @@ Known Issue: On the SCALE Installed Applications page, the **Open** buttons on e
 :::
 
 For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/)
+
+## Migrating an existing MetalLB config to operator version
+
+- remove the old `metallb` chart coming from the `enterprise` train
+- run this in a **root** shell: `k3s kubectl delete  --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete`
+- Proceed with Steps 1 & 2 in the setup guide above

charts/enterprise/prometheus/Chart.yaml

@@ -3,15 +3,15 @@ appVersion: "2.44.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
   - condition: exporters.enabled,exporters.node-exporter.enabled
     name: node-exporter
     repository: https://deps.truecharts.org
-    version: 1.0.17
+    version: 1.0.22
   - condition: exporters.enabled,exporters.kube-state-metrics.enabled
     name: kube-state-metrics
     repository: https://deps.truecharts.org
-    version: 1.0.14
+    version: 1.0.20
 deprecated: false
 description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/prometheus.png
@@ -29,7 +29,7 @@ sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
 type: application
-version: 9.0.17
+version: 9.0.21
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/enterprise/prometheus/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/prometheus
-  tag: v2.44.0@sha256:06293c2f006b06d0a896d322d502032f651a50960d6af8c8625af50c750ac2f9
+  tag: v2.44.0@sha256:e35ebfcbc50d3655030eb4162ab1a33438a5d2dbadac2dcb4bcc0d794a8dadf7
 
 thanosImage:
   repository: tccr.io/truecharts/thanos

charts/enterprise/traefik/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "2.10.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 deprecated: false
 description: Traefik is a flexible reverse proxy and Ingress Provider.
 home: https://truecharts.org/charts/enterprise/traefik
@@ -23,7 +23,7 @@ sources:
   - https://github.com/traefik/traefik-helm-chart
   - https://traefik.io/
 type: application
-version: 18.0.10
+version: 18.0.15
 annotations:
   truecharts.org/catagories: |
     - network

charts/enterprise/traefik/crds/traefik.containo.us_ingressroutes.yaml

@@ -0,0 +1,267 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressroutes.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: IngressRoute
+    listKind: IngressRouteList
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteSpec defines the desired state of IngressRoute.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: Route holds the HTTP route configuration.
+                  properties:
+                    kind:
+                      description: Kind defines the kind of the route. Rule is the
+                        only supported kind.
+                      enum:
+                      - Rule
+                      type: string
+                    match:
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule'
+                      type: string
+                    middlewares:
+                      description: 'Middlewares defines the list of references to
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-middleware'
+                      items:
+                        description: MiddlewareRef is a reference to a Middleware
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Middleware
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Middleware resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: 'Priority defines the router''s priority. More
+                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority'
+                      type: integer
+                    services:
+                      description: Services defines the list of Service. It can contain
+                        any combination of TraefikService and/or reference to a Kubernetes
+                        Service.
+                      items:
+                        description: Service defines an upstream HTTP service to proxy
+                          traffic to.
+                        properties:
+                          kind:
+                            description: Kind defines the kind of the Service.
+                            enum:
+                            - Service
+                            - TraefikService
+                            type: string
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service or TraefikService. The differentiation between
+                              the two is specified in the Kind field.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service or TraefikService.
+                            type: string
+                          passHostHeader:
+                            description: PassHostHeader defines whether the client
+                              Host header is forwarded to the upstream Kubernetes
+                              Service. By default, passHostHeader is true.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          responseForwarding:
+                            description: ResponseForwarding defines how Traefik forwards
+                              the response from the upstream Kubernetes Service to
+                              the client.
+                            properties:
+                              flushInterval:
+                                description: 'FlushInterval defines the interval,
+                                  in milliseconds, in between flushes to the client
+                                  while copying the response body. A negative value
+                                  means to flush immediately after each write to the
+                                  client. This configuration is ignored when ReverseProxy
+                                  recognizes a response as a streaming response; for
+                                  such responses, writes are flushed to the client
+                                  immediately. Default: 100ms'
+                                type: string
+                            type: object
+                          scheme:
+                            description: Scheme defines the scheme to use for the
+                              request to the upstream Kubernetes Service. It defaults
+                              to https when Kubernetes Service port is 443, http otherwise.
+                            type: string
+                          serversTransport:
+                            description: ServersTransport defines the name of ServersTransport
+                              resource to use. It allows to configure the transport
+                              between Traefik and your servers. Can only be used on
+                              a Kubernetes Service.
+                            type: string
+                          sticky:
+                            description: 'Sticky defines the sticky sessions configuration.
+                              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                            properties:
+                              cookie:
+                                description: Cookie defines the sticky cookie configuration.
+                                properties:
+                                  httpOnly:
+                                    description: HTTPOnly defines whether the cookie
+                                      can be accessed by client-side APIs, such as
+                                      JavaScript.
+                                    type: boolean
+                                  name:
+                                    description: Name defines the Cookie name.
+                                    type: string
+                                  sameSite:
+                                    description: 'SameSite defines the same site policy.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                    type: string
+                                  secure:
+                                    description: Secure defines whether the cookie
+                                      can only be transmitted over an encrypted connection
+                                      (i.e. HTTPS).
+                                    type: boolean
+                                type: object
+                            type: object
+                          strategy:
+                            description: Strategy defines the load balancing strategy
+                              between the servers. RoundRobin is the only supported
+                              value at the moment.
+                            type: string
+                          weight:
+                            description: Weight defines the weight and should only
+                              be specified when Name references a TraefikService object
+                              (and to be precise, one that embeds a Weighted Round
+                              Robin).
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  required:
+                  - kind
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls'
+                properties:
+                  certResolver:
+                    description: 'CertResolver defines the name of the certificate
+                      resolver to use. Cert resolvers have to be configured in the
+                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                    type: string
+                  domains:
+                    description: 'Domains defines the list of domains that will be
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: 'Options defines the reference to a TLSOption, that
+                      specifies the parameters of the TLS connection. If not defined,
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                    properties:
+                      name:
+                        description: 'Name defines the name of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                        type: string
+                      namespace:
+                        description: 'Namespace defines the namespace of the referenced
+                          TLSOption. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: Store defines the reference to the TLSStore, that
+                      will be used to store certificates. Please note that only `default`
+                      TLSStore can be used.
+                    properties:
+                      name:
+                        description: 'Name defines the name of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                        type: string
+                      namespace:
+                        description: 'Namespace defines the namespace of the referenced
+                          TLSStore. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_ingressroutetcps.yaml

@@ -0,0 +1,211 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressroutetcps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: IngressRouteTCP
+    listKind: IngressRouteTCPList
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteTCP holds the TCP route configuration.
+                  properties:
+                    match:
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule_1'
+                      type: string
+                    middlewares:
+                      description: Middlewares defines the list of references to MiddlewareTCP
+                        resources.
+                      items:
+                        description: ObjectReference is a generic reference to a Traefik
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Traefik
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Traefik resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: 'Priority defines the router''s priority. More
+                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority_1'
+                      type: integer
+                    services:
+                      description: Services defines the list of TCP services.
+                      items:
+                        description: ServiceTCP defines an upstream TCP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          proxyProtocol:
+                            description: 'ProxyProtocol defines the PROXY protocol
+                              configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#proxy-protocol'
+                            properties:
+                              version:
+                                description: Version defines the PROXY Protocol version
+                                  to use.
+                                type: integer
+                            type: object
+                          terminationDelay:
+                            description: TerminationDelay defines the deadline that
+                              the proxy sets, after one of its connected peers indicates
+                              it has closed the writing capability of its connection,
+                              to close the reading capability as well, hence fully
+                              terminating the connection. It is a duration in milliseconds,
+                              defaulting to 100. A negative value means an infinite
+                              deadline (i.e. the reading capability is never closed).
+                            type: integer
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: 'TLS defines the TLS configuration on a layer 4 / TCP
+                  Route. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls_1'
+                properties:
+                  certResolver:
+                    description: 'CertResolver defines the name of the certificate
+                      resolver to use. Cert resolvers have to be configured in the
+                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                    type: string
+                  domains:
+                    description: 'Domains defines the list of domains that will be
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: 'Options defines the reference to a TLSOption, that
+                      specifies the parameters of the TLS connection. If not defined,
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  passthrough:
+                    description: Passthrough defines whether a TLS router will terminate
+                      the TLS connection.
+                    type: boolean
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: Store defines the reference to the TLSStore, that
+                      will be used to store certificates. Please note that only `default`
+                      TLSStore can be used.
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_ingressrouteudps.yaml

@@ -0,0 +1,98 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressrouteudps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: IngressRouteUDP
+    listKind: IngressRouteUDPList
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteUDP holds the UDP route configuration.
+                  properties:
+                    services:
+                      description: Services defines the list of UDP services.
+                      items:
+                        description: ServiceUDP defines an upstream UDP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                  type: object
+                type: array
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_middlewares.yaml

@@ -0,0 +1,917 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: middlewares.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: Middleware
+    listKind: MiddlewareList
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'Middleware is the CRD implementation of a Traefik Middleware.
+          More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/overview/'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareSpec defines the desired state of a Middleware.
+            properties:
+              addPrefix:
+                description: 'AddPrefix holds the add prefix middleware configuration.
+                  This middleware updates the path of a request before forwarding
+                  it. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/addprefix/'
+                properties:
+                  prefix:
+                    description: Prefix is the string to add before the current path
+                      in the requested URL. It should include a leading slash (/).
+                    type: string
+                type: object
+              basicAuth:
+                description: 'BasicAuth holds the basic auth middleware configuration.
+                  This middleware restricts access to your services to known users.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/'
+                properties:
+                  headerField:
+                    description: 'HeaderField defines a header field to store the
+                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                    type: string
+                  realm:
+                    description: 'Realm allows the protected resources on a server
+                      to be partitioned into a set of protection spaces, each with
+                      its own authentication scheme. Default: traefik.'
+                    type: string
+                  removeHeader:
+                    description: 'RemoveHeader sets the removeHeader option to true
+                      to remove the authorization header before forwarding the request
+                      to your service. Default: false.'
+                    type: boolean
+                  secret:
+                    description: Secret is the name of the referenced Kubernetes Secret
+                      containing user credentials.
+                    type: string
+                type: object
+              buffering:
+                description: 'Buffering holds the buffering middleware configuration.
+                  This middleware retries or limits the size of requests that can
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#maxrequestbodybytes'
+                properties:
+                  maxRequestBodyBytes:
+                    description: 'MaxRequestBodyBytes defines the maximum allowed
+                      body size for the request (in bytes). If the request exceeds
+                      the allowed size, it is not forwarded to the service, and the
+                      client gets a 413 (Request Entity Too Large) response. Default:
+                      0 (no maximum).'
+                    format: int64
+                    type: integer
+                  maxResponseBodyBytes:
+                    description: 'MaxResponseBodyBytes defines the maximum allowed
+                      response size from the service (in bytes). If the response exceeds
+                      the allowed size, it is not forwarded to the client. The client
+                      gets a 500 (Internal Server Error) response instead. Default:
+                      0 (no maximum).'
+                    format: int64
+                    type: integer
+                  memRequestBodyBytes:
+                    description: 'MemRequestBodyBytes defines the threshold (in bytes)
+                      from which the request will be buffered on disk instead of in
+                      memory. Default: 1048576 (1Mi).'
+                    format: int64
+                    type: integer
+                  memResponseBodyBytes:
+                    description: 'MemResponseBodyBytes defines the threshold (in bytes)
+                      from which the response will be buffered on disk instead of
+                      in memory. Default: 1048576 (1Mi).'
+                    format: int64
+                    type: integer
+                  retryExpression:
+                    description: 'RetryExpression defines the retry conditions. It
+                      is a logical combination of functions with operators AND (&&)
+                      and OR (||). More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#retryexpression'
+                    type: string
+                type: object
+              chain:
+                description: 'Chain holds the configuration of the chain middleware.
+                  This middleware enables to define reusable combinations of other
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/chain/'
+                properties:
+                  middlewares:
+                    description: Middlewares is the list of MiddlewareRef which composes
+                      the chain.
+                    items:
+                      description: MiddlewareRef is a reference to a Middleware resource.
+                      properties:
+                        name:
+                          description: Name defines the name of the referenced Middleware
+                            resource.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Middleware resource.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              circuitBreaker:
+                description: CircuitBreaker holds the circuit breaker configuration.
+                properties:
+                  checkPeriod:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: CheckPeriod is the interval between successive checks
+                      of the circuit breaker condition (when in standby state).
+                    x-kubernetes-int-or-string: true
+                  expression:
+                    description: Expression is the condition that triggers the tripped
+                      state.
+                    type: string
+                  fallbackDuration:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: FallbackDuration is the duration for which the circuit
+                      breaker will wait before trying to recover (from a tripped state).
+                    x-kubernetes-int-or-string: true
+                  recoveryDuration:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: RecoveryDuration is the duration for which the circuit
+                      breaker will try to recover (as soon as it is in recovering
+                      state).
+                    x-kubernetes-int-or-string: true
+                type: object
+              compress:
+                description: 'Compress holds the compress middleware configuration.
+                  This middleware compresses responses before sending them to the
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/compress/'
+                properties:
+                  excludedContentTypes:
+                    description: ExcludedContentTypes defines the list of content
+                      types to compare the Content-Type header of the incoming requests
+                      and responses before compressing.
+                    items:
+                      type: string
+                    type: array
+                  minResponseBodyBytes:
+                    description: 'MinResponseBodyBytes defines the minimum amount
+                      of bytes a response body must have to be compressed. Default:
+                      1024.'
+                    type: integer
+                type: object
+              contentType:
+                description: ContentType holds the content-type middleware configuration.
+                  This middleware exists to enable the correct behavior until at least
+                  the default one can be changed in a future version.
+                properties:
+                  autoDetect:
+                    description: AutoDetect specifies whether to let the `Content-Type`
+                      header, if it has not been set by the backend, be automatically
+                      set to a value derived from the contents of the response. As
+                      a proxy, the default behavior should be to leave the header
+                      alone, regardless of what the backend did with it. However,
+                      the historic default was to always auto-detect and set the header
+                      if it was nil, and it is going to be kept that way in order
+                      to support users currently relying on it.
+                    type: boolean
+                type: object
+              digestAuth:
+                description: 'DigestAuth holds the digest auth middleware configuration.
+                  This middleware restricts access to your services to known users.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/digestauth/'
+                properties:
+                  headerField:
+                    description: 'HeaderField defines a header field to store the
+                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                    type: string
+                  realm:
+                    description: 'Realm allows the protected resources on a server
+                      to be partitioned into a set of protection spaces, each with
+                      its own authentication scheme. Default: traefik.'
+                    type: string
+                  removeHeader:
+                    description: RemoveHeader defines whether to remove the authorization
+                      header before forwarding the request to the backend.
+                    type: boolean
+                  secret:
+                    description: Secret is the name of the referenced Kubernetes Secret
+                      containing user credentials.
+                    type: string
+                type: object
+              errors:
+                description: 'ErrorPage holds the custom error middleware configuration.
+                  This middleware returns a custom page in lieu of the default, according
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/'
+                properties:
+                  query:
+                    description: Query defines the URL for the error page (hosted
+                      by service). The {status} variable can be used in order to insert
+                      the status code in the URL.
+                    type: string
+                  service:
+                    description: 'Service defines the reference to a Kubernetes Service
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/#service'
+                    properties:
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      name:
+                        description: Name defines the name of the referenced Kubernetes
+                          Service or TraefikService. The differentiation between the
+                          two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      passHostHeader:
+                        description: PassHostHeader defines whether the client Host
+                          header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: 'FlushInterval defines the interval, in milliseconds,
+                              in between flushes to the client while copying the response
+                              body. A negative value means to flush immediately after
+                              each write to the client. This configuration is ignored
+                              when ReverseProxy recognizes a response as a streaming
+                              response; for such responses, writes are flushed to
+                              the client immediately. Default: 100ms'
+                            type: string
+                        type: object
+                      scheme:
+                        description: Scheme defines the scheme to use for the request
+                          to the upstream Kubernetes Service. It defaults to https
+                          when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: ServersTransport defines the name of ServersTransport
+                          resource to use. It allows to configure the transport between
+                          Traefik and your servers. Can only be used on a Kubernetes
+                          Service.
+                        type: string
+                      sticky:
+                        description: 'Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              sameSite:
+                                description: 'SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: Strategy defines the load balancing strategy
+                          between the servers. RoundRobin is the only supported value
+                          at the moment.
+                        type: string
+                      weight:
+                        description: Weight defines the weight and should only be
+                          specified when Name references a TraefikService object (and
+                          to be precise, one that embeds a Weighted Round Robin).
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                  status:
+                    description: Status defines which status or range of statuses
+                      should result in an error page. It can be either a status code
+                      as a number (500), as multiple comma-separated numbers (500,502),
+                      as ranges by separating two codes with a dash (500-599), or
+                      a combination of the two (404,418,500-599).
+                    items:
+                      type: string
+                    type: array
+                type: object
+              forwardAuth:
+                description: 'ForwardAuth holds the forward auth middleware configuration.
+                  This middleware delegates the request authentication to a Service.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/'
+                properties:
+                  address:
+                    description: Address defines the authentication server address.
+                    type: string
+                  authRequestHeaders:
+                    description: AuthRequestHeaders defines the list of the headers
+                      to copy from the request to the authentication server. If not
+                      set or empty then all request headers are passed.
+                    items:
+                      type: string
+                    type: array
+                  authResponseHeaders:
+                    description: AuthResponseHeaders defines the list of headers to
+                      copy from the authentication server response and set on forwarded
+                      request, replacing any existing conflicting headers.
+                    items:
+                      type: string
+                    type: array
+                  authResponseHeadersRegex:
+                    description: 'AuthResponseHeadersRegex defines the regex to match
+                      headers to copy from the authentication server response and
+                      set on forwarded request, after stripping all headers that match
+                      the regex. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/#authresponseheadersregex'
+                    type: string
+                  tls:
+                    description: TLS defines the configuration used to secure the
+                      connection to the authentication server.
+                    properties:
+                      caOptional:
+                        type: boolean
+                      caSecret:
+                        description: CASecret is the name of the referenced Kubernetes
+                          Secret containing the CA to validate the server certificate.
+                          The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+                        type: string
+                      certSecret:
+                        description: CertSecret is the name of the referenced Kubernetes
+                          Secret containing the client certificate. The client certificate
+                          is extracted from the keys `tls.crt` and `tls.key`.
+                        type: string
+                      insecureSkipVerify:
+                        description: InsecureSkipVerify defines whether the server
+                          certificates should be validated.
+                        type: boolean
+                    type: object
+                  trustForwardHeader:
+                    description: 'TrustForwardHeader defines whether to trust (ie:
+                      forward) all X-Forwarded-* headers.'
+                    type: boolean
+                type: object
+              headers:
+                description: 'Headers holds the headers middleware configuration.
+                  This middleware manages the requests and responses headers. More
+                  info: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/#customrequestheaders'
+                properties:
+                  accessControlAllowCredentials:
+                    description: AccessControlAllowCredentials defines whether the
+                      request can include user credentials.
+                    type: boolean
+                  accessControlAllowHeaders:
+                    description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowMethods:
+                    description: AccessControlAllowMethods defines the Access-Control-Request-Method
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowOriginList:
+                    description: AccessControlAllowOriginList is a list of allowable
+                      origins. Can also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowOriginListRegex:
+                    description: AccessControlAllowOriginListRegex is a list of allowable
+                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
+                    items:
+                      type: string
+                    type: array
+                  accessControlExposeHeaders:
+                    description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlMaxAge:
+                    description: AccessControlMaxAge defines the time that a preflight
+                      request may be cached.
+                    format: int64
+                    type: integer
+                  addVaryHeader:
+                    description: AddVaryHeader defines whether the Vary header is
+                      automatically added/updated when the AccessControlAllowOriginList
+                      is set.
+                    type: boolean
+                  allowedHosts:
+                    description: AllowedHosts defines the fully qualified list of
+                      allowed domain names.
+                    items:
+                      type: string
+                    type: array
+                  browserXssFilter:
+                    description: BrowserXSSFilter defines whether to add the X-XSS-Protection
+                      header with the value 1; mode=block.
+                    type: boolean
+                  contentSecurityPolicy:
+                    description: ContentSecurityPolicy defines the Content-Security-Policy
+                      header value.
+                    type: string
+                  contentTypeNosniff:
+                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
+                      header with the nosniff value.
+                    type: boolean
+                  customBrowserXSSValue:
+                    description: CustomBrowserXSSValue defines the X-XSS-Protection
+                      header value. This overrides the BrowserXssFilter option.
+                    type: string
+                  customFrameOptionsValue:
+                    description: CustomFrameOptionsValue defines the X-Frame-Options
+                      header value. This overrides the FrameDeny option.
+                    type: string
+                  customRequestHeaders:
+                    additionalProperties:
+                      type: string
+                    description: CustomRequestHeaders defines the header names and
+                      values to apply to the request.
+                    type: object
+                  customResponseHeaders:
+                    additionalProperties:
+                      type: string
+                    description: CustomResponseHeaders defines the header names and
+                      values to apply to the response.
+                    type: object
+                  featurePolicy:
+                    description: 'Deprecated: use PermissionsPolicy instead.'
+                    type: string
+                  forceSTSHeader:
+                    description: ForceSTSHeader defines whether to add the STS header
+                      even when the connection is HTTP.
+                    type: boolean
+                  frameDeny:
+                    description: FrameDeny defines whether to add the X-Frame-Options
+                      header with the DENY value.
+                    type: boolean
+                  hostsProxyHeaders:
+                    description: HostsProxyHeaders defines the header keys that may
+                      hold a proxied hostname value for the request.
+                    items:
+                      type: string
+                    type: array
+                  isDevelopment:
+                    description: IsDevelopment defines whether to mitigate the unwanted
+                      effects of the AllowedHosts, SSL, and STS options when developing.
+                      Usually testing takes place using HTTP, not HTTPS, and on localhost,
+                      not your production domain. If you would like your development
+                      environment to mimic production with complete Host blocking,
+                      SSL redirects, and STS headers, leave this as false.
+                    type: boolean
+                  permissionsPolicy:
+                    description: PermissionsPolicy defines the Permissions-Policy
+                      header value. This allows sites to control browser features.
+                    type: string
+                  publicKey:
+                    description: PublicKey is the public key that implements HPKP
+                      to prevent MITM attacks with forged certificates.
+                    type: string
+                  referrerPolicy:
+                    description: ReferrerPolicy defines the Referrer-Policy header
+                      value. This allows sites to control whether browsers forward
+                      the Referer header to other sites.
+                    type: string
+                  sslForceHost:
+                    description: 'Deprecated: use RedirectRegex instead.'
+                    type: boolean
+                  sslHost:
+                    description: 'Deprecated: use RedirectRegex instead.'
+                    type: string
+                  sslProxyHeaders:
+                    additionalProperties:
+                      type: string
+                    description: 'SSLProxyHeaders defines the header keys with associated
+                      values that would indicate a valid HTTPS request. It can be
+                      useful when using other proxies (example: "X-Forwarded-Proto":
+                      "https").'
+                    type: object
+                  sslRedirect:
+                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
+                      instead.'
+                    type: boolean
+                  sslTemporaryRedirect:
+                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
+                      instead.'
+                    type: boolean
+                  stsIncludeSubdomains:
+                    description: STSIncludeSubdomains defines whether the includeSubDomains
+                      directive is appended to the Strict-Transport-Security header.
+                    type: boolean
+                  stsPreload:
+                    description: STSPreload defines whether the preload flag is appended
+                      to the Strict-Transport-Security header.
+                    type: boolean
+                  stsSeconds:
+                    description: STSSeconds defines the max-age of the Strict-Transport-Security
+                      header. If set to 0, the header is not set.
+                    format: int64
+                    type: integer
+                type: object
+              inFlightReq:
+                description: 'InFlightReq holds the in-flight request middleware configuration.
+                  This middleware limits the number of requests being processed and
+                  served concurrently. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/'
+                properties:
+                  amount:
+                    description: Amount defines the maximum amount of allowed simultaneous
+                      in-flight request. The middleware responds with HTTP 429 Too
+                      Many Requests if there are already amount requests in progress
+                      (based on the same sourceCriterion strategy).
+                    format: int64
+                    type: integer
+                  sourceCriterion:
+                    description: 'SourceCriterion defines what criterion is used to
+                      group requests as originating from a common source. If several
+                      strategies are defined at the same time, an error will be raised.
+                      If none are set, the default is to use the requestHost. More
+                      info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/#sourcecriterion'
+                    properties:
+                      ipStrategy:
+                        description: 'IPStrategy holds the IP strategy configuration
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                        properties:
+                          depth:
+                            description: Depth tells Traefik to use the X-Forwarded-For
+                              header and take the IP located at the depth position
+                              (starting from the right).
+                            type: integer
+                          excludedIPs:
+                            description: ExcludedIPs configures Traefik to scan the
+                              X-Forwarded-For header and select the first IP not in
+                              the list.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      requestHeaderName:
+                        description: RequestHeaderName defines the name of the header
+                          used to group incoming requests.
+                        type: string
+                      requestHost:
+                        description: RequestHost defines whether to consider the request
+                          Host as the source.
+                        type: boolean
+                    type: object
+                type: object
+              ipWhiteList:
+                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+                  This middleware accepts / refuses requests based on the client IP.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
+                properties:
+                  ipStrategy:
+                    description: 'IPStrategy holds the IP strategy configuration used
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                    properties:
+                      depth:
+                        description: Depth tells Traefik to use the X-Forwarded-For
+                          header and take the IP located at the depth position (starting
+                          from the right).
+                        type: integer
+                      excludedIPs:
+                        description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
+                          header and select the first IP not in the list.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  sourceRange:
+                    description: SourceRange defines the set of allowed IPs (or ranges
+                      of allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+              passTLSClientCert:
+                description: 'PassTLSClientCert holds the pass TLS client cert middleware
+                  configuration. This middleware adds the selected data from the passed
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/passtlsclientcert/'
+                properties:
+                  info:
+                    description: Info selects the specific client certificate details
+                      you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                    properties:
+                      issuer:
+                        description: Issuer defines the client certificate issuer
+                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                        properties:
+                          commonName:
+                            description: CommonName defines whether to add the organizationalUnit
+                              information into the issuer.
+                            type: boolean
+                          country:
+                            description: Country defines whether to add the country
+                              information into the issuer.
+                            type: boolean
+                          domainComponent:
+                            description: DomainComponent defines whether to add the
+                              domainComponent information into the issuer.
+                            type: boolean
+                          locality:
+                            description: Locality defines whether to add the locality
+                              information into the issuer.
+                            type: boolean
+                          organization:
+                            description: Organization defines whether to add the organization
+                              information into the issuer.
+                            type: boolean
+                          province:
+                            description: Province defines whether to add the province
+                              information into the issuer.
+                            type: boolean
+                          serialNumber:
+                            description: SerialNumber defines whether to add the serialNumber
+                              information into the issuer.
+                            type: boolean
+                        type: object
+                      notAfter:
+                        description: NotAfter defines whether to add the Not After
+                          information from the Validity part.
+                        type: boolean
+                      notBefore:
+                        description: NotBefore defines whether to add the Not Before
+                          information from the Validity part.
+                        type: boolean
+                      sans:
+                        description: Sans defines whether to add the Subject Alternative
+                          Name information from the Subject Alternative Name part.
+                        type: boolean
+                      serialNumber:
+                        description: SerialNumber defines whether to add the client
+                          serialNumber information.
+                        type: boolean
+                      subject:
+                        description: Subject defines the client certificate subject
+                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                        properties:
+                          commonName:
+                            description: CommonName defines whether to add the organizationalUnit
+                              information into the subject.
+                            type: boolean
+                          country:
+                            description: Country defines whether to add the country
+                              information into the subject.
+                            type: boolean
+                          domainComponent:
+                            description: DomainComponent defines whether to add the
+                              domainComponent information into the subject.
+                            type: boolean
+                          locality:
+                            description: Locality defines whether to add the locality
+                              information into the subject.
+                            type: boolean
+                          organization:
+                            description: Organization defines whether to add the organization
+                              information into the subject.
+                            type: boolean
+                          organizationalUnit:
+                            description: OrganizationalUnit defines whether to add
+                              the organizationalUnit information into the subject.
+                            type: boolean
+                          province:
+                            description: Province defines whether to add the province
+                              information into the subject.
+                            type: boolean
+                          serialNumber:
+                            description: SerialNumber defines whether to add the serialNumber
+                              information into the subject.
+                            type: boolean
+                        type: object
+                    type: object
+                  pem:
+                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
+                      the escaped certificate.
+                    type: boolean
+                type: object
+              plugin:
+                additionalProperties:
+                  x-kubernetes-preserve-unknown-fields: true
+                description: 'Plugin defines the middleware plugin configuration.
+                  More info: https://doc.traefik.io/traefik/plugins/'
+                type: object
+              rateLimit:
+                description: 'RateLimit holds the rate limit configuration. This middleware
+                  ensures that services will receive a fair amount of requests, and
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ratelimit/'
+                properties:
+                  average:
+                    description: Average is the maximum rate, by default in requests/s,
+                      allowed for the given source. It defaults to 0, which means
+                      no rate limiting. The rate is actually defined by dividing Average
+                      by Period. So for a rate below 1req/s, one needs to define a
+                      Period larger than a second.
+                    format: int64
+                    type: integer
+                  burst:
+                    description: Burst is the maximum number of requests allowed to
+                      arrive in the same arbitrarily small period of time. It defaults
+                      to 1.
+                    format: int64
+                    type: integer
+                  period:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: 'Period, in combination with Average, defines the
+                      actual maximum rate, such as: r = Average / Period. It defaults
+                      to a second.'
+                    x-kubernetes-int-or-string: true
+                  sourceCriterion:
+                    description: SourceCriterion defines what criterion is used to
+                      group requests as originating from a common source. If several
+                      strategies are defined at the same time, an error will be raised.
+                      If none are set, the default is to use the request's remote
+                      address field (as an ipStrategy).
+                    properties:
+                      ipStrategy:
+                        description: 'IPStrategy holds the IP strategy configuration
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                        properties:
+                          depth:
+                            description: Depth tells Traefik to use the X-Forwarded-For
+                              header and take the IP located at the depth position
+                              (starting from the right).
+                            type: integer
+                          excludedIPs:
+                            description: ExcludedIPs configures Traefik to scan the
+                              X-Forwarded-For header and select the first IP not in
+                              the list.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      requestHeaderName:
+                        description: RequestHeaderName defines the name of the header
+                          used to group incoming requests.
+                        type: string
+                      requestHost:
+                        description: RequestHost defines whether to consider the request
+                          Host as the source.
+                        type: boolean
+                    type: object
+                type: object
+              redirectRegex:
+                description: 'RedirectRegex holds the redirect regex middleware configuration.
+                  This middleware redirects a request using regex matching and replacement.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectregex/#regex'
+                properties:
+                  permanent:
+                    description: Permanent defines whether the redirection is permanent
+                      (301).
+                    type: boolean
+                  regex:
+                    description: Regex defines the regex used to match and capture
+                      elements from the request URL.
+                    type: string
+                  replacement:
+                    description: Replacement defines how to modify the URL to have
+                      the new target URL.
+                    type: string
+                type: object
+              redirectScheme:
+                description: 'RedirectScheme holds the redirect scheme middleware
+                  configuration. This middleware redirects requests from a scheme/port
+                  to another. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectscheme/'
+                properties:
+                  permanent:
+                    description: Permanent defines whether the redirection is permanent
+                      (301).
+                    type: boolean
+                  port:
+                    description: Port defines the port of the new URL.
+                    type: string
+                  scheme:
+                    description: Scheme defines the scheme of the new URL.
+                    type: string
+                type: object
+              replacePath:
+                description: 'ReplacePath holds the replace path middleware configuration.
+                  This middleware replaces the path of the request URL and store the
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepath/'
+                properties:
+                  path:
+                    description: Path defines the path to use as replacement in the
+                      request URL.
+                    type: string
+                type: object
+              replacePathRegex:
+                description: 'ReplacePathRegex holds the replace path regex middleware
+                  configuration. This middleware replaces the path of a URL using
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepathregex/'
+                properties:
+                  regex:
+                    description: Regex defines the regular expression used to match
+                      and capture the path from the request URL.
+                    type: string
+                  replacement:
+                    description: Replacement defines the replacement path format,
+                      which can include captured variables.
+                    type: string
+                type: object
+              retry:
+                description: 'Retry holds the retry middleware configuration. This
+                  middleware reissues requests a given number of times to a backend
+                  server if that server does not reply. As soon as the server answers,
+                  the middleware stops retrying, regardless of the response status.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/retry/'
+                properties:
+                  attempts:
+                    description: Attempts defines how many times the request should
+                      be retried.
+                    type: integer
+                  initialInterval:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: InitialInterval defines the first wait time in the
+                      exponential backoff series. The maximum interval is calculated
+                      as twice the initialInterval. If unspecified, requests will
+                      be retried immediately. The value of initialInterval should
+                      be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
+                    x-kubernetes-int-or-string: true
+                type: object
+              stripPrefix:
+                description: 'StripPrefix holds the strip prefix middleware configuration.
+                  This middleware removes the specified prefixes from the URL path.
+                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
+                properties:
+                  forceSlash:
+                    description: 'ForceSlash ensures that the resulting stripped path
+                      is not the empty string, by replacing it with / when necessary.
+                      Default: true.'
+                    type: boolean
+                  prefixes:
+                    description: Prefixes defines the prefixes to strip from the request
+                      URL.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              stripPrefixRegex:
+                description: 'StripPrefixRegex holds the strip prefix regex middleware
+                  configuration. This middleware removes the matching prefixes from
+                  the URL path. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefixregex/'
+                properties:
+                  regex:
+                    description: Regex defines the regular expression to match the
+                      path prefix from the request URL.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_middlewaretcps.yaml

@@ -0,0 +1,72 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: middlewaretcps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: MiddlewareTCP
+    listKind: MiddlewareTCPList
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+          More info: https://doc.traefik.io/traefik/v2.9/middlewares/overview/'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
+            properties:
+              inFlightConn:
+                description: InFlightConn defines the InFlightConn middleware configuration.
+                properties:
+                  amount:
+                    description: Amount defines the maximum amount of allowed simultaneous
+                      connections. The middleware closes the connection if there are
+                      already amount connections opened.
+                    format: int64
+                    type: integer
+                type: object
+              ipWhiteList:
+                description: IPWhiteList defines the IPWhiteList middleware configuration.
+                properties:
+                  sourceRange:
+                    description: SourceRange defines the allowed IPs (or ranges of
+                      allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_serverstransports.yaml

@@ -0,0 +1,128 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: serverstransports.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: ServersTransport
+    listKind: ServersTransportList
+    plural: serverstransports
+    singular: serverstransport
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'ServersTransport is the CRD implementation of a ServersTransport.
+          If no serversTransport is specified, the default@internal will be used.
+          The default@internal serversTransport is created from the static configuration.
+          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_1'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServersTransportSpec defines the desired state of a ServersTransport.
+            properties:
+              certificatesSecrets:
+                description: CertificatesSecrets defines a list of secret storing
+                  client certificates for mTLS.
+                items:
+                  type: string
+                type: array
+              disableHTTP2:
+                description: DisableHTTP2 disables HTTP/2 for connections with backend
+                  servers.
+                type: boolean
+              forwardingTimeouts:
+                description: ForwardingTimeouts defines the timeouts for requests
+                  forwarded to the backend servers.
+                properties:
+                  dialTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: DialTimeout is the amount of time to wait until a
+                      connection to a backend server can be established.
+                    x-kubernetes-int-or-string: true
+                  idleConnTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: IdleConnTimeout is the maximum period for which an
+                      idle HTTP keep-alive connection will remain open before closing
+                      itself.
+                    x-kubernetes-int-or-string: true
+                  pingTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: PingTimeout is the timeout after which the HTTP/2
+                      connection will be closed if a response to ping is not received.
+                    x-kubernetes-int-or-string: true
+                  readIdleTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ReadIdleTimeout is the timeout after which a health
+                      check using ping frame will be carried out if no frame is received
+                      on the HTTP/2 connection.
+                    x-kubernetes-int-or-string: true
+                  responseHeaderTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ResponseHeaderTimeout is the amount of time to wait
+                      for a server's response headers after fully writing the request
+                      (including its body, if any).
+                    x-kubernetes-int-or-string: true
+                type: object
+              insecureSkipVerify:
+                description: InsecureSkipVerify disables SSL certificate verification.
+                type: boolean
+              maxIdleConnsPerHost:
+                description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+                  to keep per-host.
+                type: integer
+              peerCertURI:
+                description: PeerCertURI defines the peer cert URI used to match against
+                  SAN URI during the peer certificate verification.
+                type: string
+              rootCAsSecrets:
+                description: RootCAsSecrets defines a list of CA secret used to validate
+                  self-signed certificate.
+                items:
+                  type: string
+                type: array
+              serverName:
+                description: ServerName defines the server name used to contact the
+                  server.
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_tlsoptions.yaml

@@ -0,0 +1,113 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: tlsoptions.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: TLSOption
+    listKind: TLSOptionList
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
+          allowing to configure some parameters of the TLS connection. More info:
+          https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSOptionSpec defines the desired state of a TLSOption.
+            properties:
+              alpnProtocols:
+                description: 'ALPNProtocols defines the list of supported application
+                  level protocols for the TLS handshake, in order of preference. More
+                  info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols'
+                items:
+                  type: string
+                type: array
+              cipherSuites:
+                description: 'CipherSuites defines the list of supported cipher suites
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#cipher-suites'
+                items:
+                  type: string
+                type: array
+              clientAuth:
+                description: ClientAuth defines the server's policy for TLS Client
+                  Authentication.
+                properties:
+                  clientAuthType:
+                    description: ClientAuthType defines the client authentication
+                      type to apply.
+                    enum:
+                    - NoClientCert
+                    - RequestClientCert
+                    - RequireAnyClientCert
+                    - VerifyClientCertIfGiven
+                    - RequireAndVerifyClientCert
+                    type: string
+                  secretNames:
+                    description: SecretNames defines the names of the referenced Kubernetes
+                      Secret storing certificate details.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              curvePreferences:
+                description: 'CurvePreferences defines the preferred elliptic curves
+                  in a specific order. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#curve-preferences'
+                items:
+                  type: string
+                type: array
+              maxVersion:
+                description: 'MaxVersion defines the maximum TLS version that Traefik
+                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  VersionTLS13. Default: None.'
+                type: string
+              minVersion:
+                description: 'MinVersion defines the minimum TLS version that Traefik
+                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  VersionTLS13. Default: VersionTLS10.'
+                type: string
+              preferServerCipherSuites:
+                description: 'PreferServerCipherSuites defines whether the server
+                  chooses a cipher suite among his own instead of among the client''s.
+                  It is enabled automatically when minVersion or maxVersion is set.
+                  Deprecated: https://github.com/golang/go/issues/45430'
+                type: boolean
+              sniStrict:
+                description: SniStrict defines whether Traefik allows connections
+                  from clients connections that do not specify a server_name extension.
+                type: boolean
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_tlsstores.yaml

@@ -0,0 +1,99 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: tlsstores.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: TLSStore
+    listKind: TLSStoreList
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
+          the time being, only the TLSStore named default is supported. This means
+          that you cannot have two stores that are named default in different Kubernetes
+          namespaces. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#certificates-stores'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSStoreSpec defines the desired state of a TLSStore.
+            properties:
+              certificates:
+                description: Certificates is a list of secret names, each secret holding
+                  a key/certificate pair to add to the store.
+                items:
+                  description: Certificate holds a secret name for the TLSStore resource.
+                  properties:
+                    secretName:
+                      description: SecretName is the name of the referenced Kubernetes
+                        Secret to specify the certificate details.
+                      type: string
+                  required:
+                  - secretName
+                  type: object
+                type: array
+              defaultCertificate:
+                description: DefaultCertificate defines the default certificate configuration.
+                properties:
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                required:
+                - secretName
+                type: object
+              defaultGeneratedCert:
+                description: DefaultGeneratedCert defines the default generated certificate
+                  configuration.
+                properties:
+                  domain:
+                    description: Domain is the domain definition for the DefaultCertificate.
+                    properties:
+                      main:
+                        description: Main defines the main domain name.
+                        type: string
+                      sans:
+                        description: SANs defines the subject alternative domain names.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  resolver:
+                    description: Resolver is the name of the resolver that will be
+                      used to issue the DefaultCertificate.
+                    type: string
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.containo.us_traefikservices.yaml

@@ -0,0 +1,381 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: traefikservices.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: TraefikService
+    listKind: TraefikServiceList
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TraefikService is the CRD implementation of a Traefik Service.
+          TraefikService object allows to: - Apply weight to Services on load-balancing
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-traefikservice'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TraefikServiceSpec defines the desired state of a TraefikService.
+            properties:
+              mirroring:
+                description: Mirroring defines the Mirroring service configuration.
+                properties:
+                  kind:
+                    description: Kind defines the kind of the Service.
+                    enum:
+                    - Service
+                    - TraefikService
+                    type: string
+                  maxBodySize:
+                    description: MaxBodySize defines the maximum size allowed for
+                      the body of the request. If the body is larger, the request
+                      is not mirrored. Default value is -1, which means unlimited
+                      size.
+                    format: int64
+                    type: integer
+                  mirrors:
+                    description: Mirrors defines the list of mirrors where Traefik
+                      will duplicate the traffic.
+                    items:
+                      description: MirrorService holds the mirror configuration.
+                      properties:
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: Name defines the name of the referenced Kubernetes
+                            Service or TraefikService. The differentiation between
+                            the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        passHostHeader:
+                          description: PassHostHeader defines whether the client Host
+                            header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        percent:
+                          description: 'Percent defines the part of the traffic to
+                            mirror. Supported values: 0 to 100.'
+                          type: integer
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: 'FlushInterval defines the interval, in
+                                milliseconds, in between flushes to the client while
+                                copying the response body. A negative value means
+                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes
+                                a response as a streaming response; for such responses,
+                                writes are flushed to the client immediately. Default:
+                                100ms'
+                              type: string
+                          type: object
+                        scheme:
+                          description: Scheme defines the scheme to use for the request
+                            to the upstream Kubernetes Service. It defaults to https
+                            when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: ServersTransport defines the name of ServersTransport
+                            resource to use. It allows to configure the transport
+                            between Traefik and your servers. Can only be used on
+                            a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: 'Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: 'SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: Strategy defines the load balancing strategy
+                            between the servers. RoundRobin is the only supported
+                            value at the moment.
+                          type: string
+                        weight:
+                          description: Weight defines the weight and should only be
+                            specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  name:
+                    description: Name defines the name of the referenced Kubernetes
+                      Service or TraefikService. The differentiation between the two
+                      is specified in the Kind field.
+                    type: string
+                  namespace:
+                    description: Namespace defines the namespace of the referenced
+                      Kubernetes Service or TraefikService.
+                    type: string
+                  passHostHeader:
+                    description: PassHostHeader defines whether the client Host header
+                      is forwarded to the upstream Kubernetes Service. By default,
+                      passHostHeader is true.
+                    type: boolean
+                  port:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: Port defines the port of a Kubernetes Service. This
+                      can be a reference to a named port.
+                    x-kubernetes-int-or-string: true
+                  responseForwarding:
+                    description: ResponseForwarding defines how Traefik forwards the
+                      response from the upstream Kubernetes Service to the client.
+                    properties:
+                      flushInterval:
+                        description: 'FlushInterval defines the interval, in milliseconds,
+                          in between flushes to the client while copying the response
+                          body. A negative value means to flush immediately after
+                          each write to the client. This configuration is ignored
+                          when ReverseProxy recognizes a response as a streaming response;
+                          for such responses, writes are flushed to the client immediately.
+                          Default: 100ms'
+                        type: string
+                    type: object
+                  scheme:
+                    description: Scheme defines the scheme to use for the request
+                      to the upstream Kubernetes Service. It defaults to https when
+                      Kubernetes Service port is 443, http otherwise.
+                    type: string
+                  serversTransport:
+                    description: ServersTransport defines the name of ServersTransport
+                      resource to use. It allows to configure the transport between
+                      Traefik and your servers. Can only be used on a Kubernetes Service.
+                    type: string
+                  sticky:
+                    description: 'Sticky defines the sticky sessions configuration.
+                      More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: 'SameSite defines the same site policy. More
+                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                  strategy:
+                    description: Strategy defines the load balancing strategy between
+                      the servers. RoundRobin is the only supported value at the moment.
+                    type: string
+                  weight:
+                    description: Weight defines the weight and should only be specified
+                      when Name references a TraefikService object (and to be precise,
+                      one that embeds a Weighted Round Robin).
+                    type: integer
+                required:
+                - name
+                type: object
+              weighted:
+                description: Weighted defines the Weighted Round Robin configuration.
+                properties:
+                  services:
+                    description: Services defines the list of Kubernetes Service and/or
+                      TraefikService to load-balance, with weight.
+                    items:
+                      description: Service defines an upstream HTTP service to proxy
+                        traffic to.
+                      properties:
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: Name defines the name of the referenced Kubernetes
+                            Service or TraefikService. The differentiation between
+                            the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        passHostHeader:
+                          description: PassHostHeader defines whether the client Host
+                            header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: 'FlushInterval defines the interval, in
+                                milliseconds, in between flushes to the client while
+                                copying the response body. A negative value means
+                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes
+                                a response as a streaming response; for such responses,
+                                writes are flushed to the client immediately. Default:
+                                100ms'
+                              type: string
+                          type: object
+                        scheme:
+                          description: Scheme defines the scheme to use for the request
+                            to the upstream Kubernetes Service. It defaults to https
+                            when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: ServersTransport defines the name of ServersTransport
+                            resource to use. It allows to configure the transport
+                            between Traefik and your servers. Can only be used on
+                            a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: 'Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: 'SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: Strategy defines the load balancing strategy
+                            between the servers. RoundRobin is the only supported
+                            value at the moment.
+                          type: string
+                        weight:
+                          description: Weight defines the weight and should only be
+                            specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  sticky:
+                    description: 'Sticky defines whether sticky sessions are enabled.
+                      More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: 'SameSite defines the same site policy. More
+                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_ingressroutes.yaml

@@ -0,0 +1,275 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressroutes.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRoute
+    listKind: IngressRouteList
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteSpec defines the desired state of IngressRoute.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: Route holds the HTTP route configuration.
+                  properties:
+                    kind:
+                      description: Kind defines the kind of the route. Rule is the
+                        only supported kind.
+                      enum:
+                      - Rule
+                      type: string
+                    match:
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule'
+                      type: string
+                    middlewares:
+                      description: 'Middlewares defines the list of references to
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-middleware'
+                      items:
+                        description: MiddlewareRef is a reference to a Middleware
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Middleware
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Middleware resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: 'Priority defines the router''s priority. More
+                        info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority'
+                      type: integer
+                    services:
+                      description: Services defines the list of Service. It can contain
+                        any combination of TraefikService and/or reference to a Kubernetes
+                        Service.
+                      items:
+                        description: Service defines an upstream HTTP service to proxy
+                          traffic to.
+                        properties:
+                          kind:
+                            description: Kind defines the kind of the Service.
+                            enum:
+                            - Service
+                            - TraefikService
+                            type: string
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service or TraefikService. The differentiation between
+                              the two is specified in the Kind field.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service or TraefikService.
+                            type: string
+                          nativeLB:
+                            description: NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs
+                              or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the
+                              pods. By default, NativeLB is false.
+                            type: boolean
+                          passHostHeader:
+                            description: PassHostHeader defines whether the client
+                              Host header is forwarded to the upstream Kubernetes
+                              Service. By default, passHostHeader is true.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          responseForwarding:
+                            description: ResponseForwarding defines how Traefik forwards
+                              the response from the upstream Kubernetes Service to
+                              the client.
+                            properties:
+                              flushInterval:
+                                description: 'FlushInterval defines the interval,
+                                  in milliseconds, in between flushes to the client
+                                  while copying the response body. A negative value
+                                  means to flush immediately after each write to the
+                                  client. This configuration is ignored when ReverseProxy
+                                  recognizes a response as a streaming response; for
+                                  such responses, writes are flushed to the client
+                                  immediately. Default: 100ms'
+                                type: string
+                            type: object
+                          scheme:
+                            description: Scheme defines the scheme to use for the
+                              request to the upstream Kubernetes Service. It defaults
+                              to https when Kubernetes Service port is 443, http otherwise.
+                            type: string
+                          serversTransport:
+                            description: ServersTransport defines the name of ServersTransport
+                              resource to use. It allows to configure the transport
+                              between Traefik and your servers. Can only be used on
+                              a Kubernetes Service.
+                            type: string
+                          sticky:
+                            description: 'Sticky defines the sticky sessions configuration.
+                              More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
+                            properties:
+                              cookie:
+                                description: Cookie defines the sticky cookie configuration.
+                                properties:
+                                  httpOnly:
+                                    description: HTTPOnly defines whether the cookie
+                                      can be accessed by client-side APIs, such as
+                                      JavaScript.
+                                    type: boolean
+                                  name:
+                                    description: Name defines the Cookie name.
+                                    type: string
+                                  sameSite:
+                                    description: 'SameSite defines the same site policy.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                    type: string
+                                  secure:
+                                    description: Secure defines whether the cookie
+                                      can only be transmitted over an encrypted connection
+                                      (i.e. HTTPS).
+                                    type: boolean
+                                type: object
+                            type: object
+                          strategy:
+                            description: Strategy defines the load balancing strategy
+                              between the servers. RoundRobin is the only supported
+                              value at the moment.
+                            type: string
+                          weight:
+                            description: Weight defines the weight and should only
+                              be specified when Name references a TraefikService object
+                              (and to be precise, one that embeds a Weighted Round
+                              Robin).
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  required:
+                  - kind
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls'
+                properties:
+                  certResolver:
+                    description: 'CertResolver defines the name of the certificate
+                      resolver to use. Cert resolvers have to be configured in the
+                      static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers'
+                    type: string
+                  domains:
+                    description: 'Domains defines the list of domains that will be
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains'
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: 'Options defines the reference to a TLSOption, that
+                      specifies the parameters of the TLS connection. If not defined,
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options'
+                    properties:
+                      name:
+                        description: 'Name defines the name of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption'
+                        type: string
+                      namespace:
+                        description: 'Namespace defines the namespace of the referenced
+                          TLSOption. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: Store defines the reference to the TLSStore, that
+                      will be used to store certificates. Please note that only `default`
+                      TLSStore can be used.
+                    properties:
+                      name:
+                        description: 'Name defines the name of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore'
+                        type: string
+                      namespace:
+                        description: 'Namespace defines the namespace of the referenced
+                          TLSStore. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_ingressroutetcps.yaml

@@ -0,0 +1,218 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressroutetcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRouteTCP
+    listKind: IngressRouteTCPList
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteTCP holds the TCP route configuration.
+                  properties:
+                    match:
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule_1'
+                      type: string
+                    middlewares:
+                      description: Middlewares defines the list of references to MiddlewareTCP
+                        resources.
+                      items:
+                        description: ObjectReference is a generic reference to a Traefik
+                          resource.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Traefik
+                              resource.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Traefik resource.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    priority:
+                      description: 'Priority defines the router''s priority. More
+                        info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority_1'
+                      type: integer
+                    services:
+                      description: Services defines the list of TCP services.
+                      items:
+                        description: ServiceTCP defines an upstream TCP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          nativeLB:
+                            description: NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs
+                              or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the
+                              pods. By default, NativeLB is false.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          proxyProtocol:
+                            description: 'ProxyProtocol defines the PROXY protocol
+                              configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/services/#proxy-protocol'
+                            properties:
+                              version:
+                                description: Version defines the PROXY Protocol version
+                                  to use.
+                                type: integer
+                            type: object
+                          terminationDelay:
+                            description: TerminationDelay defines the deadline that
+                              the proxy sets, after one of its connected peers indicates
+                              it has closed the writing capability of its connection,
+                              to close the reading capability as well, hence fully
+                              terminating the connection. It is a duration in milliseconds,
+                              defaulting to 100. A negative value means an infinite
+                              deadline (i.e. the reading capability is never closed).
+                            type: integer
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+              tls:
+                description: 'TLS defines the TLS configuration on a layer 4 / TCP
+                  Route. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls_1'
+                properties:
+                  certResolver:
+                    description: 'CertResolver defines the name of the certificate
+                      resolver to use. Cert resolvers have to be configured in the
+                      static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers'
+                    type: string
+                  domains:
+                    description: 'Domains defines the list of domains that will be
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains'
+                    items:
+                      description: Domain holds a domain name with SANs.
+                      properties:
+                        main:
+                          description: Main defines the main domain name.
+                          type: string
+                        sans:
+                          description: SANs defines the subject alternative domain
+                            names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  options:
+                    description: 'Options defines the reference to a TLSOption, that
+                      specifies the parameters of the TLS connection. If not defined,
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options'
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  passthrough:
+                    description: Passthrough defines whether a TLS router will terminate
+                      the TLS connection.
+                    type: boolean
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                  store:
+                    description: Store defines the reference to the TLSStore, that
+                      will be used to store certificates. Please note that only `default`
+                      TLSStore can be used.
+                    properties:
+                      name:
+                        description: Name defines the name of the referenced Traefik
+                          resource.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Traefik resource.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_ingressrouteudps.yaml

@@ -0,0 +1,105 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: ingressrouteudps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: IngressRouteUDP
+    listKind: IngressRouteUDPList
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
+            properties:
+              entryPoints:
+                description: 'EntryPoints defines the list of entry point names to
+                  bind to. Entry points have to be configured in the static configuration.
+                  More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/
+                  Default: all.'
+                items:
+                  type: string
+                type: array
+              routes:
+                description: Routes defines the list of routes.
+                items:
+                  description: RouteUDP holds the UDP route configuration.
+                  properties:
+                    services:
+                      description: Services defines the list of UDP services.
+                      items:
+                        description: ServiceUDP defines an upstream UDP service to
+                          proxy traffic to.
+                        properties:
+                          name:
+                            description: Name defines the name of the referenced Kubernetes
+                              Service.
+                            type: string
+                          namespace:
+                            description: Namespace defines the namespace of the referenced
+                              Kubernetes Service.
+                            type: string
+                          nativeLB:
+                            description: NativeLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the pods IPs
+                              or if the only child is the Kubernetes Service clusterIP.
+                              The Kubernetes Service itself does load-balance to the
+                              pods. By default, NativeLB is false.
+                            type: boolean
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: Port defines the port of a Kubernetes Service.
+                              This can be a reference to a named port.
+                            x-kubernetes-int-or-string: true
+                          weight:
+                            description: Weight defines the weight used when balancing
+                              requests between multiple Kubernetes Service.
+                            type: integer
+                        required:
+                        - name
+                        - port
+                        type: object
+                      type: array
+                  type: object
+                type: array
+            required:
+            - routes
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_middlewares.yaml

@@ -0,0 +1,924 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: middlewares.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: Middleware
+    listKind: MiddlewareList
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'Middleware is the CRD implementation of a Traefik Middleware.
+          More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/overview/'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareSpec defines the desired state of a Middleware.
+            properties:
+              addPrefix:
+                description: 'AddPrefix holds the add prefix middleware configuration.
+                  This middleware updates the path of a request before forwarding
+                  it. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/addprefix/'
+                properties:
+                  prefix:
+                    description: Prefix is the string to add before the current path
+                      in the requested URL. It should include a leading slash (/).
+                    type: string
+                type: object
+              basicAuth:
+                description: 'BasicAuth holds the basic auth middleware configuration.
+                  This middleware restricts access to your services to known users.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/'
+                properties:
+                  headerField:
+                    description: 'HeaderField defines a header field to store the
+                      authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield'
+                    type: string
+                  realm:
+                    description: 'Realm allows the protected resources on a server
+                      to be partitioned into a set of protection spaces, each with
+                      its own authentication scheme. Default: traefik.'
+                    type: string
+                  removeHeader:
+                    description: 'RemoveHeader sets the removeHeader option to true
+                      to remove the authorization header before forwarding the request
+                      to your service. Default: false.'
+                    type: boolean
+                  secret:
+                    description: Secret is the name of the referenced Kubernetes Secret
+                      containing user credentials.
+                    type: string
+                type: object
+              buffering:
+                description: 'Buffering holds the buffering middleware configuration.
+                  This middleware retries or limits the size of requests that can
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#maxrequestbodybytes'
+                properties:
+                  maxRequestBodyBytes:
+                    description: 'MaxRequestBodyBytes defines the maximum allowed
+                      body size for the request (in bytes). If the request exceeds
+                      the allowed size, it is not forwarded to the service, and the
+                      client gets a 413 (Request Entity Too Large) response. Default:
+                      0 (no maximum).'
+                    format: int64
+                    type: integer
+                  maxResponseBodyBytes:
+                    description: 'MaxResponseBodyBytes defines the maximum allowed
+                      response size from the service (in bytes). If the response exceeds
+                      the allowed size, it is not forwarded to the client. The client
+                      gets a 500 (Internal Server Error) response instead. Default:
+                      0 (no maximum).'
+                    format: int64
+                    type: integer
+                  memRequestBodyBytes:
+                    description: 'MemRequestBodyBytes defines the threshold (in bytes)
+                      from which the request will be buffered on disk instead of in
+                      memory. Default: 1048576 (1Mi).'
+                    format: int64
+                    type: integer
+                  memResponseBodyBytes:
+                    description: 'MemResponseBodyBytes defines the threshold (in bytes)
+                      from which the response will be buffered on disk instead of
+                      in memory. Default: 1048576 (1Mi).'
+                    format: int64
+                    type: integer
+                  retryExpression:
+                    description: 'RetryExpression defines the retry conditions. It
+                      is a logical combination of functions with operators AND (&&)
+                      and OR (||). More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#retryexpression'
+                    type: string
+                type: object
+              chain:
+                description: 'Chain holds the configuration of the chain middleware.
+                  This middleware enables to define reusable combinations of other
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/chain/'
+                properties:
+                  middlewares:
+                    description: Middlewares is the list of MiddlewareRef which composes
+                      the chain.
+                    items:
+                      description: MiddlewareRef is a reference to a Middleware resource.
+                      properties:
+                        name:
+                          description: Name defines the name of the referenced Middleware
+                            resource.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Middleware resource.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              circuitBreaker:
+                description: CircuitBreaker holds the circuit breaker configuration.
+                properties:
+                  checkPeriod:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: CheckPeriod is the interval between successive checks
+                      of the circuit breaker condition (when in standby state).
+                    x-kubernetes-int-or-string: true
+                  expression:
+                    description: Expression is the condition that triggers the tripped
+                      state.
+                    type: string
+                  fallbackDuration:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: FallbackDuration is the duration for which the circuit
+                      breaker will wait before trying to recover (from a tripped state).
+                    x-kubernetes-int-or-string: true
+                  recoveryDuration:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: RecoveryDuration is the duration for which the circuit
+                      breaker will try to recover (as soon as it is in recovering
+                      state).
+                    x-kubernetes-int-or-string: true
+                type: object
+              compress:
+                description: 'Compress holds the compress middleware configuration.
+                  This middleware compresses responses before sending them to the
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/compress/'
+                properties:
+                  excludedContentTypes:
+                    description: ExcludedContentTypes defines the list of content
+                      types to compare the Content-Type header of the incoming requests
+                      and responses before compressing.
+                    items:
+                      type: string
+                    type: array
+                  minResponseBodyBytes:
+                    description: 'MinResponseBodyBytes defines the minimum amount
+                      of bytes a response body must have to be compressed. Default:
+                      1024.'
+                    type: integer
+                type: object
+              contentType:
+                description: ContentType holds the content-type middleware configuration.
+                  This middleware exists to enable the correct behavior until at least
+                  the default one can be changed in a future version.
+                properties:
+                  autoDetect:
+                    description: AutoDetect specifies whether to let the `Content-Type`
+                      header, if it has not been set by the backend, be automatically
+                      set to a value derived from the contents of the response. As
+                      a proxy, the default behavior should be to leave the header
+                      alone, regardless of what the backend did with it. However,
+                      the historic default was to always auto-detect and set the header
+                      if it was nil, and it is going to be kept that way in order
+                      to support users currently relying on it.
+                    type: boolean
+                type: object
+              digestAuth:
+                description: 'DigestAuth holds the digest auth middleware configuration.
+                  This middleware restricts access to your services to known users.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/digestauth/'
+                properties:
+                  headerField:
+                    description: 'HeaderField defines a header field to store the
+                      authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield'
+                    type: string
+                  realm:
+                    description: 'Realm allows the protected resources on a server
+                      to be partitioned into a set of protection spaces, each with
+                      its own authentication scheme. Default: traefik.'
+                    type: string
+                  removeHeader:
+                    description: RemoveHeader defines whether to remove the authorization
+                      header before forwarding the request to the backend.
+                    type: boolean
+                  secret:
+                    description: Secret is the name of the referenced Kubernetes Secret
+                      containing user credentials.
+                    type: string
+                type: object
+              errors:
+                description: 'ErrorPage holds the custom error middleware configuration.
+                  This middleware returns a custom page in lieu of the default, according
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/'
+                properties:
+                  query:
+                    description: Query defines the URL for the error page (hosted
+                      by service). The {status} variable can be used in order to insert
+                      the status code in the URL.
+                    type: string
+                  service:
+                    description: 'Service defines the reference to a Kubernetes Service
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/#service'
+                    properties:
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      name:
+                        description: Name defines the name of the referenced Kubernetes
+                          Service or TraefikService. The differentiation between the
+                          two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      nativeLB:
+                        description: NativeLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the pods IPs or if
+                          the only child is the Kubernetes Service clusterIP. The
+                          Kubernetes Service itself does load-balance to the pods.
+                          By default, NativeLB is false.
+                        type: boolean
+                      passHostHeader:
+                        description: PassHostHeader defines whether the client Host
+                          header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: 'FlushInterval defines the interval, in milliseconds,
+                              in between flushes to the client while copying the response
+                              body. A negative value means to flush immediately after
+                              each write to the client. This configuration is ignored
+                              when ReverseProxy recognizes a response as a streaming
+                              response; for such responses, writes are flushed to
+                              the client immediately. Default: 100ms'
+                            type: string
+                        type: object
+                      scheme:
+                        description: Scheme defines the scheme to use for the request
+                          to the upstream Kubernetes Service. It defaults to https
+                          when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: ServersTransport defines the name of ServersTransport
+                          resource to use. It allows to configure the transport between
+                          Traefik and your servers. Can only be used on a Kubernetes
+                          Service.
+                        type: string
+                      sticky:
+                        description: 'Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              sameSite:
+                                description: 'SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: Strategy defines the load balancing strategy
+                          between the servers. RoundRobin is the only supported value
+                          at the moment.
+                        type: string
+                      weight:
+                        description: Weight defines the weight and should only be
+                          specified when Name references a TraefikService object (and
+                          to be precise, one that embeds a Weighted Round Robin).
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                  status:
+                    description: Status defines which status or range of statuses
+                      should result in an error page. It can be either a status code
+                      as a number (500), as multiple comma-separated numbers (500,502),
+                      as ranges by separating two codes with a dash (500-599), or
+                      a combination of the two (404,418,500-599).
+                    items:
+                      type: string
+                    type: array
+                type: object
+              forwardAuth:
+                description: 'ForwardAuth holds the forward auth middleware configuration.
+                  This middleware delegates the request authentication to a Service.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/'
+                properties:
+                  address:
+                    description: Address defines the authentication server address.
+                    type: string
+                  authRequestHeaders:
+                    description: AuthRequestHeaders defines the list of the headers
+                      to copy from the request to the authentication server. If not
+                      set or empty then all request headers are passed.
+                    items:
+                      type: string
+                    type: array
+                  authResponseHeaders:
+                    description: AuthResponseHeaders defines the list of headers to
+                      copy from the authentication server response and set on forwarded
+                      request, replacing any existing conflicting headers.
+                    items:
+                      type: string
+                    type: array
+                  authResponseHeadersRegex:
+                    description: 'AuthResponseHeadersRegex defines the regex to match
+                      headers to copy from the authentication server response and
+                      set on forwarded request, after stripping all headers that match
+                      the regex. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/#authresponseheadersregex'
+                    type: string
+                  tls:
+                    description: TLS defines the configuration used to secure the
+                      connection to the authentication server.
+                    properties:
+                      caOptional:
+                        type: boolean
+                      caSecret:
+                        description: CASecret is the name of the referenced Kubernetes
+                          Secret containing the CA to validate the server certificate.
+                          The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+                        type: string
+                      certSecret:
+                        description: CertSecret is the name of the referenced Kubernetes
+                          Secret containing the client certificate. The client certificate
+                          is extracted from the keys `tls.crt` and `tls.key`.
+                        type: string
+                      insecureSkipVerify:
+                        description: InsecureSkipVerify defines whether the server
+                          certificates should be validated.
+                        type: boolean
+                    type: object
+                  trustForwardHeader:
+                    description: 'TrustForwardHeader defines whether to trust (ie:
+                      forward) all X-Forwarded-* headers.'
+                    type: boolean
+                type: object
+              headers:
+                description: 'Headers holds the headers middleware configuration.
+                  This middleware manages the requests and responses headers. More
+                  info: https://doc.traefik.io/traefik/v2.10/middlewares/http/headers/#customrequestheaders'
+                properties:
+                  accessControlAllowCredentials:
+                    description: AccessControlAllowCredentials defines whether the
+                      request can include user credentials.
+                    type: boolean
+                  accessControlAllowHeaders:
+                    description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowMethods:
+                    description: AccessControlAllowMethods defines the Access-Control-Request-Method
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowOriginList:
+                    description: AccessControlAllowOriginList is a list of allowable
+                      origins. Can also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                  accessControlAllowOriginListRegex:
+                    description: AccessControlAllowOriginListRegex is a list of allowable
+                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
+                    items:
+                      type: string
+                    type: array
+                  accessControlExposeHeaders:
+                    description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
+                      values sent in preflight response.
+                    items:
+                      type: string
+                    type: array
+                  accessControlMaxAge:
+                    description: AccessControlMaxAge defines the time that a preflight
+                      request may be cached.
+                    format: int64
+                    type: integer
+                  addVaryHeader:
+                    description: AddVaryHeader defines whether the Vary header is
+                      automatically added/updated when the AccessControlAllowOriginList
+                      is set.
+                    type: boolean
+                  allowedHosts:
+                    description: AllowedHosts defines the fully qualified list of
+                      allowed domain names.
+                    items:
+                      type: string
+                    type: array
+                  browserXssFilter:
+                    description: BrowserXSSFilter defines whether to add the X-XSS-Protection
+                      header with the value 1; mode=block.
+                    type: boolean
+                  contentSecurityPolicy:
+                    description: ContentSecurityPolicy defines the Content-Security-Policy
+                      header value.
+                    type: string
+                  contentTypeNosniff:
+                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
+                      header with the nosniff value.
+                    type: boolean
+                  customBrowserXSSValue:
+                    description: CustomBrowserXSSValue defines the X-XSS-Protection
+                      header value. This overrides the BrowserXssFilter option.
+                    type: string
+                  customFrameOptionsValue:
+                    description: CustomFrameOptionsValue defines the X-Frame-Options
+                      header value. This overrides the FrameDeny option.
+                    type: string
+                  customRequestHeaders:
+                    additionalProperties:
+                      type: string
+                    description: CustomRequestHeaders defines the header names and
+                      values to apply to the request.
+                    type: object
+                  customResponseHeaders:
+                    additionalProperties:
+                      type: string
+                    description: CustomResponseHeaders defines the header names and
+                      values to apply to the response.
+                    type: object
+                  featurePolicy:
+                    description: 'Deprecated: use PermissionsPolicy instead.'
+                    type: string
+                  forceSTSHeader:
+                    description: ForceSTSHeader defines whether to add the STS header
+                      even when the connection is HTTP.
+                    type: boolean
+                  frameDeny:
+                    description: FrameDeny defines whether to add the X-Frame-Options
+                      header with the DENY value.
+                    type: boolean
+                  hostsProxyHeaders:
+                    description: HostsProxyHeaders defines the header keys that may
+                      hold a proxied hostname value for the request.
+                    items:
+                      type: string
+                    type: array
+                  isDevelopment:
+                    description: IsDevelopment defines whether to mitigate the unwanted
+                      effects of the AllowedHosts, SSL, and STS options when developing.
+                      Usually testing takes place using HTTP, not HTTPS, and on localhost,
+                      not your production domain. If you would like your development
+                      environment to mimic production with complete Host blocking,
+                      SSL redirects, and STS headers, leave this as false.
+                    type: boolean
+                  permissionsPolicy:
+                    description: PermissionsPolicy defines the Permissions-Policy
+                      header value. This allows sites to control browser features.
+                    type: string
+                  publicKey:
+                    description: PublicKey is the public key that implements HPKP
+                      to prevent MITM attacks with forged certificates.
+                    type: string
+                  referrerPolicy:
+                    description: ReferrerPolicy defines the Referrer-Policy header
+                      value. This allows sites to control whether browsers forward
+                      the Referer header to other sites.
+                    type: string
+                  sslForceHost:
+                    description: 'Deprecated: use RedirectRegex instead.'
+                    type: boolean
+                  sslHost:
+                    description: 'Deprecated: use RedirectRegex instead.'
+                    type: string
+                  sslProxyHeaders:
+                    additionalProperties:
+                      type: string
+                    description: 'SSLProxyHeaders defines the header keys with associated
+                      values that would indicate a valid HTTPS request. It can be
+                      useful when using other proxies (example: "X-Forwarded-Proto":
+                      "https").'
+                    type: object
+                  sslRedirect:
+                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
+                      instead.'
+                    type: boolean
+                  sslTemporaryRedirect:
+                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
+                      instead.'
+                    type: boolean
+                  stsIncludeSubdomains:
+                    description: STSIncludeSubdomains defines whether the includeSubDomains
+                      directive is appended to the Strict-Transport-Security header.
+                    type: boolean
+                  stsPreload:
+                    description: STSPreload defines whether the preload flag is appended
+                      to the Strict-Transport-Security header.
+                    type: boolean
+                  stsSeconds:
+                    description: STSSeconds defines the max-age of the Strict-Transport-Security
+                      header. If set to 0, the header is not set.
+                    format: int64
+                    type: integer
+                type: object
+              inFlightReq:
+                description: 'InFlightReq holds the in-flight request middleware configuration.
+                  This middleware limits the number of requests being processed and
+                  served concurrently. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/'
+                properties:
+                  amount:
+                    description: Amount defines the maximum amount of allowed simultaneous
+                      in-flight request. The middleware responds with HTTP 429 Too
+                      Many Requests if there are already amount requests in progress
+                      (based on the same sourceCriterion strategy).
+                    format: int64
+                    type: integer
+                  sourceCriterion:
+                    description: 'SourceCriterion defines what criterion is used to
+                      group requests as originating from a common source. If several
+                      strategies are defined at the same time, an error will be raised.
+                      If none are set, the default is to use the requestHost. More
+                      info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/#sourcecriterion'
+                    properties:
+                      ipStrategy:
+                        description: 'IPStrategy holds the IP strategy configuration
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
+                        properties:
+                          depth:
+                            description: Depth tells Traefik to use the X-Forwarded-For
+                              header and take the IP located at the depth position
+                              (starting from the right).
+                            type: integer
+                          excludedIPs:
+                            description: ExcludedIPs configures Traefik to scan the
+                              X-Forwarded-For header and select the first IP not in
+                              the list.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      requestHeaderName:
+                        description: RequestHeaderName defines the name of the header
+                          used to group incoming requests.
+                        type: string
+                      requestHost:
+                        description: RequestHost defines whether to consider the request
+                          Host as the source.
+                        type: boolean
+                    type: object
+                type: object
+              ipWhiteList:
+                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+                  This middleware accepts / refuses requests based on the client IP.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/'
+                properties:
+                  ipStrategy:
+                    description: 'IPStrategy holds the IP strategy configuration used
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
+                    properties:
+                      depth:
+                        description: Depth tells Traefik to use the X-Forwarded-For
+                          header and take the IP located at the depth position (starting
+                          from the right).
+                        type: integer
+                      excludedIPs:
+                        description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
+                          header and select the first IP not in the list.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  sourceRange:
+                    description: SourceRange defines the set of allowed IPs (or ranges
+                      of allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+              passTLSClientCert:
+                description: 'PassTLSClientCert holds the pass TLS client cert middleware
+                  configuration. This middleware adds the selected data from the passed
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/passtlsclientcert/'
+                properties:
+                  info:
+                    description: Info selects the specific client certificate details
+                      you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                    properties:
+                      issuer:
+                        description: Issuer defines the client certificate issuer
+                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                        properties:
+                          commonName:
+                            description: CommonName defines whether to add the organizationalUnit
+                              information into the issuer.
+                            type: boolean
+                          country:
+                            description: Country defines whether to add the country
+                              information into the issuer.
+                            type: boolean
+                          domainComponent:
+                            description: DomainComponent defines whether to add the
+                              domainComponent information into the issuer.
+                            type: boolean
+                          locality:
+                            description: Locality defines whether to add the locality
+                              information into the issuer.
+                            type: boolean
+                          organization:
+                            description: Organization defines whether to add the organization
+                              information into the issuer.
+                            type: boolean
+                          province:
+                            description: Province defines whether to add the province
+                              information into the issuer.
+                            type: boolean
+                          serialNumber:
+                            description: SerialNumber defines whether to add the serialNumber
+                              information into the issuer.
+                            type: boolean
+                        type: object
+                      notAfter:
+                        description: NotAfter defines whether to add the Not After
+                          information from the Validity part.
+                        type: boolean
+                      notBefore:
+                        description: NotBefore defines whether to add the Not Before
+                          information from the Validity part.
+                        type: boolean
+                      sans:
+                        description: Sans defines whether to add the Subject Alternative
+                          Name information from the Subject Alternative Name part.
+                        type: boolean
+                      serialNumber:
+                        description: SerialNumber defines whether to add the client
+                          serialNumber information.
+                        type: boolean
+                      subject:
+                        description: Subject defines the client certificate subject
+                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+                        properties:
+                          commonName:
+                            description: CommonName defines whether to add the organizationalUnit
+                              information into the subject.
+                            type: boolean
+                          country:
+                            description: Country defines whether to add the country
+                              information into the subject.
+                            type: boolean
+                          domainComponent:
+                            description: DomainComponent defines whether to add the
+                              domainComponent information into the subject.
+                            type: boolean
+                          locality:
+                            description: Locality defines whether to add the locality
+                              information into the subject.
+                            type: boolean
+                          organization:
+                            description: Organization defines whether to add the organization
+                              information into the subject.
+                            type: boolean
+                          organizationalUnit:
+                            description: OrganizationalUnit defines whether to add
+                              the organizationalUnit information into the subject.
+                            type: boolean
+                          province:
+                            description: Province defines whether to add the province
+                              information into the subject.
+                            type: boolean
+                          serialNumber:
+                            description: SerialNumber defines whether to add the serialNumber
+                              information into the subject.
+                            type: boolean
+                        type: object
+                    type: object
+                  pem:
+                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
+                      the certificate.
+                    type: boolean
+                type: object
+              plugin:
+                additionalProperties:
+                  x-kubernetes-preserve-unknown-fields: true
+                description: 'Plugin defines the middleware plugin configuration.
+                  More info: https://doc.traefik.io/traefik/plugins/'
+                type: object
+              rateLimit:
+                description: 'RateLimit holds the rate limit configuration. This middleware
+                  ensures that services will receive a fair amount of requests, and
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/'
+                properties:
+                  average:
+                    description: Average is the maximum rate, by default in requests/s,
+                      allowed for the given source. It defaults to 0, which means
+                      no rate limiting. The rate is actually defined by dividing Average
+                      by Period. So for a rate below 1req/s, one needs to define a
+                      Period larger than a second.
+                    format: int64
+                    type: integer
+                  burst:
+                    description: Burst is the maximum number of requests allowed to
+                      arrive in the same arbitrarily small period of time. It defaults
+                      to 1.
+                    format: int64
+                    type: integer
+                  period:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: 'Period, in combination with Average, defines the
+                      actual maximum rate, such as: r = Average / Period. It defaults
+                      to a second.'
+                    x-kubernetes-int-or-string: true
+                  sourceCriterion:
+                    description: SourceCriterion defines what criterion is used to
+                      group requests as originating from a common source. If several
+                      strategies are defined at the same time, an error will be raised.
+                      If none are set, the default is to use the request's remote
+                      address field (as an ipStrategy).
+                    properties:
+                      ipStrategy:
+                        description: 'IPStrategy holds the IP strategy configuration
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
+                        properties:
+                          depth:
+                            description: Depth tells Traefik to use the X-Forwarded-For
+                              header and take the IP located at the depth position
+                              (starting from the right).
+                            type: integer
+                          excludedIPs:
+                            description: ExcludedIPs configures Traefik to scan the
+                              X-Forwarded-For header and select the first IP not in
+                              the list.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      requestHeaderName:
+                        description: RequestHeaderName defines the name of the header
+                          used to group incoming requests.
+                        type: string
+                      requestHost:
+                        description: RequestHost defines whether to consider the request
+                          Host as the source.
+                        type: boolean
+                    type: object
+                type: object
+              redirectRegex:
+                description: 'RedirectRegex holds the redirect regex middleware configuration.
+                  This middleware redirects a request using regex matching and replacement.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectregex/#regex'
+                properties:
+                  permanent:
+                    description: Permanent defines whether the redirection is permanent
+                      (301).
+                    type: boolean
+                  regex:
+                    description: Regex defines the regex used to match and capture
+                      elements from the request URL.
+                    type: string
+                  replacement:
+                    description: Replacement defines how to modify the URL to have
+                      the new target URL.
+                    type: string
+                type: object
+              redirectScheme:
+                description: 'RedirectScheme holds the redirect scheme middleware
+                  configuration. This middleware redirects requests from a scheme/port
+                  to another. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectscheme/'
+                properties:
+                  permanent:
+                    description: Permanent defines whether the redirection is permanent
+                      (301).
+                    type: boolean
+                  port:
+                    description: Port defines the port of the new URL.
+                    type: string
+                  scheme:
+                    description: Scheme defines the scheme of the new URL.
+                    type: string
+                type: object
+              replacePath:
+                description: 'ReplacePath holds the replace path middleware configuration.
+                  This middleware replaces the path of the request URL and store the
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepath/'
+                properties:
+                  path:
+                    description: Path defines the path to use as replacement in the
+                      request URL.
+                    type: string
+                type: object
+              replacePathRegex:
+                description: 'ReplacePathRegex holds the replace path regex middleware
+                  configuration. This middleware replaces the path of a URL using
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepathregex/'
+                properties:
+                  regex:
+                    description: Regex defines the regular expression used to match
+                      and capture the path from the request URL.
+                    type: string
+                  replacement:
+                    description: Replacement defines the replacement path format,
+                      which can include captured variables.
+                    type: string
+                type: object
+              retry:
+                description: 'Retry holds the retry middleware configuration. This
+                  middleware reissues requests a given number of times to a backend
+                  server if that server does not reply. As soon as the server answers,
+                  the middleware stops retrying, regardless of the response status.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/retry/'
+                properties:
+                  attempts:
+                    description: Attempts defines how many times the request should
+                      be retried.
+                    type: integer
+                  initialInterval:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: InitialInterval defines the first wait time in the
+                      exponential backoff series. The maximum interval is calculated
+                      as twice the initialInterval. If unspecified, requests will
+                      be retried immediately. The value of initialInterval should
+                      be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
+                    x-kubernetes-int-or-string: true
+                type: object
+              stripPrefix:
+                description: 'StripPrefix holds the strip prefix middleware configuration.
+                  This middleware removes the specified prefixes from the URL path.
+                  More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefix/'
+                properties:
+                  forceSlash:
+                    description: 'ForceSlash ensures that the resulting stripped path
+                      is not the empty string, by replacing it with / when necessary.
+                      Default: true.'
+                    type: boolean
+                  prefixes:
+                    description: Prefixes defines the prefixes to strip from the request
+                      URL.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              stripPrefixRegex:
+                description: 'StripPrefixRegex holds the strip prefix regex middleware
+                  configuration. This middleware removes the matching prefixes from
+                  the URL path. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefixregex/'
+                properties:
+                  regex:
+                    description: Regex defines the regular expression to match the
+                      path prefix from the request URL.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_middlewaretcps.yaml

@@ -0,0 +1,72 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: middlewaretcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: MiddlewareTCP
+    listKind: MiddlewareTCPList
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+          More info: https://doc.traefik.io/traefik/v2.10/middlewares/overview/'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
+            properties:
+              inFlightConn:
+                description: InFlightConn defines the InFlightConn middleware configuration.
+                properties:
+                  amount:
+                    description: Amount defines the maximum amount of allowed simultaneous
+                      connections. The middleware closes the connection if there are
+                      already amount connections opened.
+                    format: int64
+                    type: integer
+                type: object
+              ipWhiteList:
+                description: IPWhiteList defines the IPWhiteList middleware configuration.
+                properties:
+                  sourceRange:
+                    description: SourceRange defines the allowed IPs (or ranges of
+                      allowed IPs by using CIDR notation).
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_serverstransports.yaml

@@ -0,0 +1,128 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: serverstransports.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: ServersTransport
+    listKind: ServersTransportList
+    plural: serverstransports
+    singular: serverstransport
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'ServersTransport is the CRD implementation of a ServersTransport.
+          If no serversTransport is specified, the default@internal will be used.
+          The default@internal serversTransport is created from the static configuration.
+          More info: https://doc.traefik.io/traefik/v2.10/routing/services/#serverstransport_1'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServersTransportSpec defines the desired state of a ServersTransport.
+            properties:
+              certificatesSecrets:
+                description: CertificatesSecrets defines a list of secret storing
+                  client certificates for mTLS.
+                items:
+                  type: string
+                type: array
+              disableHTTP2:
+                description: DisableHTTP2 disables HTTP/2 for connections with backend
+                  servers.
+                type: boolean
+              forwardingTimeouts:
+                description: ForwardingTimeouts defines the timeouts for requests
+                  forwarded to the backend servers.
+                properties:
+                  dialTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: DialTimeout is the amount of time to wait until a
+                      connection to a backend server can be established.
+                    x-kubernetes-int-or-string: true
+                  idleConnTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: IdleConnTimeout is the maximum period for which an
+                      idle HTTP keep-alive connection will remain open before closing
+                      itself.
+                    x-kubernetes-int-or-string: true
+                  pingTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: PingTimeout is the timeout after which the HTTP/2
+                      connection will be closed if a response to ping is not received.
+                    x-kubernetes-int-or-string: true
+                  readIdleTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ReadIdleTimeout is the timeout after which a health
+                      check using ping frame will be carried out if no frame is received
+                      on the HTTP/2 connection.
+                    x-kubernetes-int-or-string: true
+                  responseHeaderTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ResponseHeaderTimeout is the amount of time to wait
+                      for a server's response headers after fully writing the request
+                      (including its body, if any).
+                    x-kubernetes-int-or-string: true
+                type: object
+              insecureSkipVerify:
+                description: InsecureSkipVerify disables SSL certificate verification.
+                type: boolean
+              maxIdleConnsPerHost:
+                description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+                  to keep per-host.
+                type: integer
+              peerCertURI:
+                description: PeerCertURI defines the peer cert URI used to match against
+                  SAN URI during the peer certificate verification.
+                type: string
+              rootCAsSecrets:
+                description: RootCAsSecrets defines a list of CA secret used to validate
+                  self-signed certificate.
+                items:
+                  type: string
+                type: array
+              serverName:
+                description: ServerName defines the server name used to contact the
+                  server.
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_tlsoptions.yaml

@@ -0,0 +1,113 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: tlsoptions.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TLSOption
+    listKind: TLSOptionList
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
+          allowing to configure some parameters of the TLS connection. More info:
+          https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSOptionSpec defines the desired state of a TLSOption.
+            properties:
+              alpnProtocols:
+                description: 'ALPNProtocols defines the list of supported application
+                  level protocols for the TLS handshake, in order of preference. More
+                  info: https://doc.traefik.io/traefik/v2.10/https/tls/#alpn-protocols'
+                items:
+                  type: string
+                type: array
+              cipherSuites:
+                description: 'CipherSuites defines the list of supported cipher suites
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#cipher-suites'
+                items:
+                  type: string
+                type: array
+              clientAuth:
+                description: ClientAuth defines the server's policy for TLS Client
+                  Authentication.
+                properties:
+                  clientAuthType:
+                    description: ClientAuthType defines the client authentication
+                      type to apply.
+                    enum:
+                    - NoClientCert
+                    - RequestClientCert
+                    - RequireAnyClientCert
+                    - VerifyClientCertIfGiven
+                    - RequireAndVerifyClientCert
+                    type: string
+                  secretNames:
+                    description: SecretNames defines the names of the referenced Kubernetes
+                      Secret storing certificate details.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              curvePreferences:
+                description: 'CurvePreferences defines the preferred elliptic curves
+                  in a specific order. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#curve-preferences'
+                items:
+                  type: string
+                type: array
+              maxVersion:
+                description: 'MaxVersion defines the maximum TLS version that Traefik
+                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  VersionTLS13. Default: None.'
+                type: string
+              minVersion:
+                description: 'MinVersion defines the minimum TLS version that Traefik
+                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  VersionTLS13. Default: VersionTLS10.'
+                type: string
+              preferServerCipherSuites:
+                description: 'PreferServerCipherSuites defines whether the server
+                  chooses a cipher suite among his own instead of among the client''s.
+                  It is enabled automatically when minVersion or maxVersion is set.
+                  Deprecated: https://github.com/golang/go/issues/45430'
+                type: boolean
+              sniStrict:
+                description: SniStrict defines whether Traefik allows connections
+                  from clients connections that do not specify a server_name extension.
+                type: boolean
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_tlsstores.yaml

@@ -0,0 +1,99 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: tlsstores.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TLSStore
+    listKind: TLSStoreList
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
+          the time being, only the TLSStore named default is supported. This means
+          that you cannot have two stores that are named default in different Kubernetes
+          namespaces. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#certificates-stores'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSStoreSpec defines the desired state of a TLSStore.
+            properties:
+              certificates:
+                description: Certificates is a list of secret names, each secret holding
+                  a key/certificate pair to add to the store.
+                items:
+                  description: Certificate holds a secret name for the TLSStore resource.
+                  properties:
+                    secretName:
+                      description: SecretName is the name of the referenced Kubernetes
+                        Secret to specify the certificate details.
+                      type: string
+                  required:
+                  - secretName
+                  type: object
+                type: array
+              defaultCertificate:
+                description: DefaultCertificate defines the default certificate configuration.
+                properties:
+                  secretName:
+                    description: SecretName is the name of the referenced Kubernetes
+                      Secret to specify the certificate details.
+                    type: string
+                required:
+                - secretName
+                type: object
+              defaultGeneratedCert:
+                description: DefaultGeneratedCert defines the default generated certificate
+                  configuration.
+                properties:
+                  domain:
+                    description: Domain is the domain definition for the DefaultCertificate.
+                    properties:
+                      main:
+                        description: Main defines the main domain name.
+                        type: string
+                      sans:
+                        description: SANs defines the subject alternative domain names.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  resolver:
+                    description: Resolver is the name of the resolver that will be
+                      used to issue the DefaultCertificate.
+                    type: string
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/crds/traefik.io_traefikservices.yaml

@@ -0,0 +1,402 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: traefikservices.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: TraefikService
+    listKind: TraefikServiceList
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'TraefikService is the CRD implementation of a Traefik Service.
+          TraefikService object allows to: - Apply weight to Services on load-balancing
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-traefikservice'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TraefikServiceSpec defines the desired state of a TraefikService.
+            properties:
+              mirroring:
+                description: Mirroring defines the Mirroring service configuration.
+                properties:
+                  kind:
+                    description: Kind defines the kind of the Service.
+                    enum:
+                    - Service
+                    - TraefikService
+                    type: string
+                  maxBodySize:
+                    description: MaxBodySize defines the maximum size allowed for
+                      the body of the request. If the body is larger, the request
+                      is not mirrored. Default value is -1, which means unlimited
+                      size.
+                    format: int64
+                    type: integer
+                  mirrors:
+                    description: Mirrors defines the list of mirrors where Traefik
+                      will duplicate the traffic.
+                    items:
+                      description: MirrorService holds the mirror configuration.
+                      properties:
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: Name defines the name of the referenced Kubernetes
+                            Service or TraefikService. The differentiation between
+                            the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        nativeLB:
+                          description: NativeLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the pods IPs or
+                            if the only child is the Kubernetes Service clusterIP.
+                            The Kubernetes Service itself does load-balance to the
+                            pods. By default, NativeLB is false.
+                          type: boolean
+                        passHostHeader:
+                          description: PassHostHeader defines whether the client Host
+                            header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        percent:
+                          description: 'Percent defines the part of the traffic to
+                            mirror. Supported values: 0 to 100.'
+                          type: integer
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: 'FlushInterval defines the interval, in
+                                milliseconds, in between flushes to the client while
+                                copying the response body. A negative value means
+                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes
+                                a response as a streaming response; for such responses,
+                                writes are flushed to the client immediately. Default:
+                                100ms'
+                              type: string
+                          type: object
+                        scheme:
+                          description: Scheme defines the scheme to use for the request
+                            to the upstream Kubernetes Service. It defaults to https
+                            when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: ServersTransport defines the name of ServersTransport
+                            resource to use. It allows to configure the transport
+                            between Traefik and your servers. Can only be used on
+                            a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: 'Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: 'SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: Strategy defines the load balancing strategy
+                            between the servers. RoundRobin is the only supported
+                            value at the moment.
+                          type: string
+                        weight:
+                          description: Weight defines the weight and should only be
+                            specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  name:
+                    description: Name defines the name of the referenced Kubernetes
+                      Service or TraefikService. The differentiation between the two
+                      is specified in the Kind field.
+                    type: string
+                  namespace:
+                    description: Namespace defines the namespace of the referenced
+                      Kubernetes Service or TraefikService.
+                    type: string
+                  nativeLB:
+                    description: NativeLB controls, when creating the load-balancer,
+                      whether the LB's children are directly the pods IPs or if the
+                      only child is the Kubernetes Service clusterIP. The Kubernetes
+                      Service itself does load-balance to the pods. By default, NativeLB
+                      is false.
+                    type: boolean
+                  passHostHeader:
+                    description: PassHostHeader defines whether the client Host header
+                      is forwarded to the upstream Kubernetes Service. By default,
+                      passHostHeader is true.
+                    type: boolean
+                  port:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: Port defines the port of a Kubernetes Service. This
+                      can be a reference to a named port.
+                    x-kubernetes-int-or-string: true
+                  responseForwarding:
+                    description: ResponseForwarding defines how Traefik forwards the
+                      response from the upstream Kubernetes Service to the client.
+                    properties:
+                      flushInterval:
+                        description: 'FlushInterval defines the interval, in milliseconds,
+                          in between flushes to the client while copying the response
+                          body. A negative value means to flush immediately after
+                          each write to the client. This configuration is ignored
+                          when ReverseProxy recognizes a response as a streaming response;
+                          for such responses, writes are flushed to the client immediately.
+                          Default: 100ms'
+                        type: string
+                    type: object
+                  scheme:
+                    description: Scheme defines the scheme to use for the request
+                      to the upstream Kubernetes Service. It defaults to https when
+                      Kubernetes Service port is 443, http otherwise.
+                    type: string
+                  serversTransport:
+                    description: ServersTransport defines the name of ServersTransport
+                      resource to use. It allows to configure the transport between
+                      Traefik and your servers. Can only be used on a Kubernetes Service.
+                    type: string
+                  sticky:
+                    description: 'Sticky defines the sticky sessions configuration.
+                      More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: 'SameSite defines the same site policy. More
+                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                  strategy:
+                    description: Strategy defines the load balancing strategy between
+                      the servers. RoundRobin is the only supported value at the moment.
+                    type: string
+                  weight:
+                    description: Weight defines the weight and should only be specified
+                      when Name references a TraefikService object (and to be precise,
+                      one that embeds a Weighted Round Robin).
+                    type: integer
+                required:
+                - name
+                type: object
+              weighted:
+                description: Weighted defines the Weighted Round Robin configuration.
+                properties:
+                  services:
+                    description: Services defines the list of Kubernetes Service and/or
+                      TraefikService to load-balance, with weight.
+                    items:
+                      description: Service defines an upstream HTTP service to proxy
+                        traffic to.
+                      properties:
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: Name defines the name of the referenced Kubernetes
+                            Service or TraefikService. The differentiation between
+                            the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        nativeLB:
+                          description: NativeLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the pods IPs or
+                            if the only child is the Kubernetes Service clusterIP.
+                            The Kubernetes Service itself does load-balance to the
+                            pods. By default, NativeLB is false.
+                          type: boolean
+                        passHostHeader:
+                          description: PassHostHeader defines whether the client Host
+                            header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: 'FlushInterval defines the interval, in
+                                milliseconds, in between flushes to the client while
+                                copying the response body. A negative value means
+                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes
+                                a response as a streaming response; for such responses,
+                                writes are flushed to the client immediately. Default:
+                                100ms'
+                              type: string
+                          type: object
+                        scheme:
+                          description: Scheme defines the scheme to use for the request
+                            to the upstream Kubernetes Service. It defaults to https
+                            when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: ServersTransport defines the name of ServersTransport
+                            resource to use. It allows to configure the transport
+                            between Traefik and your servers. Can only be used on
+                            a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: 'Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                sameSite:
+                                  description: 'SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: Strategy defines the load balancing strategy
+                            between the servers. RoundRobin is the only supported
+                            value at the moment.
+                          type: string
+                        weight:
+                          description: Weight defines the weight and should only be
+                            specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  sticky:
+                    description: 'Sticky defines whether sticky sessions are enabled.
+                      More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                    properties:
+                      cookie:
+                        description: Cookie defines the sticky cookie configuration.
+                        properties:
+                          httpOnly:
+                            description: HTTPOnly defines whether the cookie can be
+                              accessed by client-side APIs, such as JavaScript.
+                            type: boolean
+                          name:
+                            description: Name defines the Cookie name.
+                            type: string
+                          sameSite:
+                            description: 'SameSite defines the same site policy. More
+                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                            type: string
+                          secure:
+                            description: Secure defines whether the cookie can only
+                              be transmitted over an encrypted connection (i.e. HTTPS).
+                            type: boolean
+                        type: object
+                    type: object
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/enterprise/traefik/docs/Authelia-LLDAP-forwardauth.md

@@ -0,0 +1,3 @@
+# Authelia + LLDAP + Traefik ForwardAuth Setup guide
+
+Please refer to the full [Authelia + LLDAP + Traefik ForwardAuth Setup guide](https://truecharts.org/charts/enterprise/authelia/Setup-Guide) for a quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. 

charts/enterprise/traefik/templates/_ingressroute.tpl

@@ -6,7 +6,7 @@
 {{- $ingressRouteAnnotations := .Values.ingressRoute.dashboard.annotations -}}
 
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}-dashboard

charts/enterprise/vaultwarden/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "1.28.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 deprecated: false
 description: Unofficial Bitwarden compatible server written in Rust
 home: https://truecharts.org/charts/enterprise/vaultwarden
@@ -25,7 +25,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/enterprise/vaultwarden
   - https://github.com/dani-garcia/vaultwarden
 type: application
-version: 20.0.31
+version: 20.0.33
 annotations:
   truecharts.org/catagories: |
     - security

charts/incubator/authentik/Chart.yaml

@@ -3,15 +3,11 @@ appVersion: "2023.4.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 11.1.2
-  - condition: postgresql.enabled
-    name: postgresql
-    repository: https://deps.truecharts.org/
-    version: 11.0.31
+    version: 12.14.2
   - condition: redis.enabled
     name: redis
     repository: https://deps.truecharts.org
-    version: 5.0.33
+    version: 6.0.58
 description: authentik is an open-source Identity Provider focused on flexibility and versatility.
 home: https://truecharts.org/charts/incubator/authentik
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
@@ -27,7 +23,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
   - https://github.com/goauthentik/authentik
   - https://goauthentik.io/docs/
-version: 11.0.0
+version: 12.0.2
 annotations:
   truecharts.org/catagories: |
     - authentication

charts/incubator/authentik/templates/_config.tpl

@@ -1,11 +1,12 @@
-{{/* Define the configmap */}}
-{{- define "authentik.config" -}}
+{{/* Define the configmaps */}}
+{{- define "authentik.configmaps" -}}
+
+{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
 
-{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
-{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
-{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
-{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
-{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
 {{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
 {{- if .Values.ingress.main.enabled }}
   {{ $first := (first .Values.ingress.main.hosts) }}
@@ -14,130 +15,104 @@
   {{- end }}
 {{- end }}
 
----
+{{/* This configmap is loaded in both the main authentik container and worker */}}
+{{ $authServerWorkerConfigName }}:
+  enabled: true
+  data:
+    {{/* Dependencies */}}
+    AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
+    {{- with $redis := .Values.redisProvider }}
+    AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
+    {{- end }}
+    AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
+    AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
+    AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
+    {{- with $cnpg := .Values.cnpgProvider }}
+    AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
+    {{- end }}
+    {{/* Mail */}}
+    {{- with .Values.authentik.mail.port }}
+    AUTHENTIK_EMAIL__PORT: {{ . | quote }}
+    {{- end }}
+    AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
+    AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
+    {{- with .Values.authentik.mail.timeout }}
+    AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
+    {{- end }}
+    {{/* Logging */}}
+    {{- with .Values.authentik.logging.log_level }}
+    AUTHENTIK_LOG_LEVEL: {{ . }}
+    {{- end }}
+    {{/* General */}}
+    AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
+    AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
+    {{- with .Values.authentik.general.avatars }}
+    AUTHENTIK_AVATARS: {{ . }}
+    {{- end }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
+    AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
+    AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
+    AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
+    {{- with .Values.authentik.general.footer_links }}
+    AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
+    {{- end }}
+    {{/* Error Reporting */}}
+    AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
+    AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
+    {{- with .Values.authentik.error_reporting.environment }}
+    AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
+    {{- end }}
+    {{/* LDAP */}}
+    {{- with .Values.authentik.ldap.tls_ciphers }}
+    AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
+    {{- end }}
+    {{/* Outposts */}}
+    AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
 
-{{/* This configmap are loaded on both main authentik container and worker */}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $authServerWorkerConfigName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{/* Dependencies */}}
-  AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
-  AUTHENTIK_REDIS__PORT: "6379"
-  AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
-  AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
-  AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
-  AUTHENTIK_POSTGRESQL__PORT: "5432"
-  {{/* Mail */}}
-  {{- with .Values.authentik.mail.port }}
-  AUTHENTIK_EMAIL__PORT: {{ . | quote }}
-  {{- end }}
-  AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
-  AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
-  {{- with .Values.authentik.mail.timeout }}
-  AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
-  {{- end }}
-  {{/* Logging */}}
-  {{- with .Values.authentik.logging.log_level }}
-  AUTHENTIK_LOG_LEVEL: {{ . }}
-  {{- end }}
-  {{/* General */}}
-  AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
-  AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
-  {{- with .Values.authentik.general.avatars }}
-  AUTHENTIK_AVATARS: {{ . }}
-  {{- end }}
-  AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
-  AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
-  AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
-  AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
-  AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
-  AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
-  {{- with .Values.authentik.general.footer_links }}
-  AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
-  {{- end }}
-  {{/* Error Reporting */}}
-  AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
-  AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
-  {{- with .Values.authentik.error_reporting.environment }}
-  AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
-  {{- end }}
-  {{/* LDAP */}}
-  {{- with .Values.authentik.ldap.tls_ciphers }}
-  AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
-  {{- end }}
-  {{/* Outposts */}}
-  AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
+{{/* This configmap is loaded in both the main authentik container and worker */}}
+{{ $authServerConfigName }}:
+  enabled: true
+  data:
+    {{/* Listen */}}
+    AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
+    AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
+    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
 
----
+{{/* This configmap is loaded in the geoip container */}}
+{{ $geoipConfigName }}:
+  enabled: {{ .Values.geoip.enabled }}
+  data:
+    {{- with .Values.geoip.edition_ids }}
+    GEOIPUPDATE_EDITION_IDS: {{ . }}
+    {{- end }}
+    GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
+    {{- with .Values.geoip.host_server }}
+    GEOIPUPDATE_HOST: {{ . }}
+    {{- end }}
+    GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
+    GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
 
-{{/* This configmap are loaded on both main authentik container and worker */}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $authServerConfigName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{/* Listen */}}
-  AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
-  AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
-  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
+{{/* This configmap is loaded in the ldap container */}}
+{{ $ldapConfigName }}:
+  enabled: {{ .Values.outposts.ldap.enabled }}
+  data:
+    AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
+    AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+    AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
+    AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
+    AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
+    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
 
----
-
-{{/* This configmap is loaded on ldap container */}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $ldapConfigName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
-  AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
-  AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
-  AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
-  AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
-  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
-
----
-
-{{/* This configmap is loaded on ldap container */}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $proxyConfigName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
-  AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
-  AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
-  AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
-  AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
-  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
-
----
-
-{{/* This configmap is loaded on geoip container */}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $geoipConfigName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{- with .Values.geoip.edition_ids }}
-  GEOIPUPDATE_EDITION_IDS: {{ . }}
-  {{- end }}
-  GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
-  {{- with .Values.geoip.host_server }}
-  GEOIPUPDATE_HOST: {{ . }}
-  {{- end }}
-  GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
-  GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
+{{/* This configmap is loaded in the proxy container */}}
+{{ $proxyConfigName }}:
+  enabled: {{ .Values.outposts.proxy.enabled }}
+  data:
+    AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
+    AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+    AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
+    AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
+    AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
+    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
 {{- end -}}

charts/incubator/authentik/templates/_geoip.tpl

@@ -1,20 +1,23 @@
 {{/* Define the geoip container */}}
-{{- define "authentik.geoip" -}}
-image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
-imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
+{{- define "authentik.geoip.container" -}}
+enabled: true
+primary: false
+imageSelector: geoipImage
 securityContext:
   runAsUser: 0
   runAsGroup: 0
-  readOnlyRootFilesystem: false
-  runAsNonRoot: false
-volumeMounts:
-  - name: geoip
-    mountPath: "/usr/share/GeoIP"
 envFrom:
   - secretRef:
-      name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
   - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
 {{/* TODO: Add healthchecks */}}
 {{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
+probes:
+  readiness:
+    enabled: false
+  liveness:
+    enabled: false
+  startup:
+    enabled: false
 {{- end -}}

charts/incubator/authentik/templates/_ldap.tpl

@@ -1,17 +1,16 @@
 {{/* Define the ldap container */}}
-{{- define "authentik.ldap" -}}
-image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
-imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
+{{- define "authentik.ldap.container" -}}
+enabled: true
+primary: false
+imageSelector: ldapImage
 securityContext:
-  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
-  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
   readOnlyRootFilesystem: true
   runAsNonRoot: true
 envFrom:
   - secretRef:
-      name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
   - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
 ports:
   - containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
     name: ldapldaps
@@ -21,28 +20,20 @@ ports:
   - containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
     name: ldapmetrics
 {{- end }}
-readinessProbe:
-  httpGet:
+probes:
+  readiness:
+    enabled: true
+    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
-livenessProbe:
-  httpGet:
+  liveness:
+    enabled: true
+    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
-startupProbe:
-  httpGet:
+  startup:
+    enabled: true
+    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
 {{- end -}}

charts/incubator/authentik/templates/_proxy.tpl

@@ -1,17 +1,16 @@
 {{/* Define the proxy container */}}
-{{- define "authentik.proxy" -}}
-image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
-imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
+{{- define "authentik.proxy.container" -}}
+enabled: true
+primary: false
+imageSelector: proxyImage
 securityContext:
-  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
-  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
   readOnlyRootFilesystem: true
   runAsNonRoot: true
 envFrom:
   - secretRef:
-      name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
   - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
 ports:
   - containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
     name: proxyhttps
@@ -21,28 +20,20 @@ ports:
   - containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
     name: proxymetrics
 {{- end }}
-readinessProbe:
-  httpGet:
+probes:
+  readiness:
+    enabled: true
+    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
-livenessProbe:
-  httpGet:
+  liveness:
+    enabled: true
+    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
-startupProbe:
-  httpGet:
+  startup:
+    enabled: true
+    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
     path: /outpost.goauthentik.io/ping
     port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
 {{- end -}}

charts/incubator/authentik/templates/_secret.tpl

@@ -1,106 +1,81 @@
-{{/* Define the secret */}}
-{{- define "authentik.secret" -}}
+{{/* Define the secrets */}}
+{{- define "authentik.secrets" -}}
 
-{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
-{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
-{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
-{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
-{{- $token := randAlphaNum 128 | b64enc }}
+{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+{{- $token := randAlphaNum 128 }}
 
----
-{{/* This secrets are loaded on both main authentik container and worker */}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ $authentikSecretName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{/* Secret Key */}}
-  {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
-  AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
-  {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
-  {{- else }}
-  AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
-  {{- end }}
-  AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
-  {{/* Dependencies */}}
-  AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
-  AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
-  {{/* Credentials */}}
-  {{- with .Values.authentik.credentials.password }}
-  AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
-  {{- end }}
-  {{/* Mail */}}
-  {{- with .Values.authentik.mail.host }}
-  AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
-  {{- end }}
-  {{- with .Values.authentik.mail.user }}
-  AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
-  {{- end }}
-  {{- with .Values.authentik.mail.pass }}
-  AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
-  {{- end }}
-  {{- with .Values.authentik.mail.from }}
-  AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
-  {{- end }}
+{{/* This secret is loaded in both the main authentik container and worker */}}
+{{ $authentikSecretName }}:
+  enabled: true
+  data:
+    {{/* Secret Key */}}
+    {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
+    AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
+    {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
+    {{- else }}
+    AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
+    {{- end }}
+    AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
+    {{/* Dependencies */}}
+    AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
+    AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
+    {{/* Credentials */}}
+    {{- with .Values.authentik.credentials.password }}
+    AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
+    {{- end }}
+    {{/* Mail */}}
+    {{- with .Values.authentik.mail.host }}
+    AUTHENTIK_EMAIL__HOST: {{ . }}
+    {{- end }}
+    {{- with .Values.authentik.mail.user }}
+    AUTHENTIK_EMAIL__USERNAME: {{ . }}
+    {{- end }}
+    {{- with .Values.authentik.mail.pass }}
+    AUTHENTIK_EMAIL__PASSWORD: {{ . }}
+    {{- end }}
+    {{- with .Values.authentik.mail.from }}
+    AUTHENTIK_EMAIL__FROM: {{ . }}
+    {{- end }}
 
-{{- if .Values.geoip.enabled }}
----
-{{/* This secrets are loaded on geoip container */}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ $geoipSecretName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{/* Credentials */}}
-  {{- with .Values.geoip.account_id }}
-  GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
-  {{- end }}
-  {{- with .Values.geoip.license_key }}
-  GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
-  {{- end }}
-  {{/* Proxy */}}
-  {{- with .Values.geoip.proxy }}
-  GEOIPUPDATE_PROXY: {{ . | b64enc }}
-  {{- end }}
-  {{- with .Values.geoip.proxy_user_pass }}
-  GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
-  {{- end }}
-{{- end }}
----
-{{/* This secrets are loaded on ldap container */}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ $ldapSecretName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{- with .Values.outposts.ldap.token }}
-  AUTHENTIK_TOKEN: {{ . | b64enc }}
-  {{- else }}
-  AUTHENTIK_TOKEN: {{ $token }}
-  {{- end }}
-
----
-{{/* This secrets are loaded on ldap container */}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ $proxySecretName }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-data:
-  {{- with .Values.outposts.proxy.token }}
-  AUTHENTIK_TOKEN: {{ . | b64enc }}
-  {{- else }}
-  AUTHENTIK_TOKEN: {{ $token }}
-  {{- end }}
+{{/* This secret is loaded in the geoip container */}}
+{{ $geoipSecretName }}:
+  enabled: {{ .Values.geoip.enabled }}
+  data:
+    {{/* Credentials */}}
+    {{- with .Values.geoip.account_id }}
+    GEOIPUPDATE_ACCOUNT_ID: {{ . }}
+    {{- end }}
+    {{- with .Values.geoip.license_key }}
+    GEOIPUPDATE_LICENSE_KEY: {{ . }}
+    {{- end }}
+    {{/* Proxy */}}
+    {{- with .Values.geoip.proxy }}
+    GEOIPUPDATE_PROXY: {{ . }}
+    {{- end }}
+    {{- with .Values.geoip.proxy_user_pass }}
+    GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
+    {{- end }}
+
+{{/* This secret is loaded in the ldap container */}}
+{{ $ldapSecretName }}:
+  enabled: {{ .Values.outposts.ldap.enabled }}
+  data:
+    {{- with .Values.outposts.ldap.token }}
+    AUTHENTIK_TOKEN: {{ . }}
+    {{- else }}
+    AUTHENTIK_TOKEN: {{ $token }}
+    {{- end }}
+
+{{/* This secret is loaded in the proxy container */}}
+{{ $proxySecretName }}:
+  enabled: {{ .Values.outposts.proxy.enabled }}
+  data:
+    {{- with .Values.outposts.proxy.token }}
+    AUTHENTIK_TOKEN: {{ . }}
+    {{- else }}
+    AUTHENTIK_TOKEN: {{ $token }}
+    {{- end }}
 {{- end }}

charts/incubator/authentik/templates/_worker.tpl

@@ -1,52 +1,31 @@
 {{/* Define the worker container */}}
-{{- define "authentik.worker" -}}
-image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-imagePullPolicy: {{ .Values.image.pullPolicy }}
-securityContext:
-  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
-  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
-  readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
-  runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+{{- define "authentik.worker.container" -}}
+enabled: true
+primary: false
+imageSelector: image
 args: ["worker"]
 envFrom:
   - secretRef:
-      name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
   - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
-volumeMounts:
-  - name: media
-    mountPath: "/media"
-  - name: templates
-    mountPath: "/templates"
-  - name: certs
-    mountPath: "/certs"
-  - name: geoip
-    mountPath: "/geoip"
-readinessProbe:
-  exec:
+      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
+probes:
+  readiness:
+    enabled: true
+    type: exec
     command:
-      - /lifecycle/ak
-      - healthcheck
-  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
-livenessProbe:
-  exec:
+        - /lifecycle/ak
+        - healthcheck
+  liveness:
+    enabled: true
+    type: exec
     command:
-      - /lifecycle/ak
-      - healthcheck
-  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
-  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
-  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
-startupProbe:
-  exec:
+        - /lifecycle/ak
+        - healthcheck
+  startup:
+    enabled: true
+    type: exec
     command:
-      - /lifecycle/ak
-      - healthcheck
-  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
-  timeoutSeconds: 10
-  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
-  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+        - /lifecycle/ak
+        - healthcheck
 {{- end -}}

charts/incubator/authentik/templates/common.yaml

@@ -1,30 +1,31 @@
 {{/* Make sure all variables are set properly */}}
-{{- include "tc.common.loader.init" . }}
+{{- include "tc.v1.common.loader.init" . }}
 
-{{/* Render secret */}}
-{{- include "authentik.secret" . }}
-
-{{/* Render config */}}
-{{- include "authentik.config" . }}
-
-{{- if hasKey .Values "metrics" -}}
-{{- if .Values.metrics.enabled -}}
-{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
-{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
-{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
+{{/* Render secrets for authentik and friends */}}
+{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
+{{- if $authentikSecrets -}}
+  {{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
+  {{- $_ := set .Values "secret" $secrets -}}
 {{- end -}}
+
+{{/* Render configmaps for authentik and friends */}}
+{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
+{{- if $authentikConfigmaps -}}
+  {{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
+  {{- $_ := set .Values "configmap" $configmaps -}}
 {{- end -}}
 
+
 {{- if .Values.workerContainer.enabled -}}
-{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
+{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
 {{- end -}}
 
 {{- if .Values.geoip.enabled -}}
-{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
+{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
 {{- end -}}
 
 {{- if .Values.outposts.ldap.enabled -}}
-{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
+{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
 {{/* - if .Values.metrics.enabled - */}}
 {{/* https://github.com/prometheus/prometheus/issues/3756 */}}
 {{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
@@ -33,7 +34,7 @@
 {{- end -}}
 
 {{- if .Values.outposts.proxy.enabled -}}
-{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
+{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
 {{/* - if .Values.metrics.enabled - */}}
 {{/* https://github.com/prometheus/prometheus/issues/3756 */}}
 {{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
@@ -42,4 +43,4 @@
 {{- end -}}
 
 {{/* Render the templates */}}
-{{ include "tc.common.loader.apply" . }}
+{{ include "tc.v1.common.loader.apply" . }}

charts/incubator/authentik/templates/prometheusrules.yaml

@@ -3,7 +3,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: {{ include "tc.common.names.fullname" . }}
+  name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
   labels:
     {{- include "tc.common.labels" . | nindent 4 }}
     {{- with .Values.metrics.prometheusRule.labels }}
@@ -11,7 +11,7 @@ metadata:
     {{- end }}
 spec:
   groups:
-    - name: {{ include "tc.common.names.fullname" . }}
+    - name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
       rules:
         {{- with .Values.metrics.prometheusRule.rules }}
         {{- toYaml . | nindent 8 }}

charts/incubator/authentik/templates/servicemonitor.yaml

@@ -3,7 +3,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ include "tc.common.names.fullname" . }}
+  name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
   labels:
     {{- include "tc.common.labels" . | nindent 4 }}
     {{- with .Values.metrics.serviceMonitor.labels }}

charts/incubator/authentik/values.yaml

@@ -18,14 +18,200 @@ proxyImage:
   tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
   pullPolicy: IfNotPresent
 
-args: ["server"]
-
-podSecurityContext:
-  runAsUser: 1000
-  runAsGroup: 1000
-
 securityContext:
-  readOnlyRootFilesystem: false
+  container:
+    runAsUser: 1000
+    runAsGroup: 1000
+    readOnlyRootFilesystem: false
+
+workload:
+  main:
+    replicas: 1
+    strategy: RollingUpdate
+    podSpec:
+      containers:
+        main:
+          args: ["server"]
+          envFrom:
+            - secretRef:
+                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
+            - configMapRef:
+                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
+            - configMapRef:
+                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
+          probes:
+            liveness:
+              type: https
+              path: /-/health/live/
+              port: "{{ .Values.service.main.ports.main.targetPort }}"
+            readiness:
+              type: https
+              path: /-/health/ready/
+              port: "{{ .Values.service.main.ports.main.targetPort }}"
+            startup:
+              type: https
+              path: /-/health/ready/
+              port: "{{ .Values.service.main.ports.main.targetPort }}"
+
+service:
+  main:
+    ports:
+      main:
+        protocol: https
+        port: 10229
+        targetPort: 9443
+  http:
+    enabled: true
+    type: ClusterIP
+    ports:
+      http:
+        enabled: true
+        protocol: http
+        port: 10230
+        targetPort: 9000
+  # LDAP Outpost Services
+  ldapldaps:
+    enabled: true
+    ports:
+      ldapldaps:
+        enabled: true
+        port: 636
+        targetPort: 6636
+  ldapldap:
+    enabled: true
+    ports:
+      ldapldap:
+        enabled: true
+        port: 389
+        targetPort: 3389
+  # Proxy Outpost Services
+  proxyhttps:
+    enabled: true
+    ports:
+      proxyhttps:
+        enabled: true
+        port: 10233
+        protocol: https
+        targetPort: 9444
+  proxyhttp:
+    enabled: true
+    type: ClusterIP
+    ports:
+      proxyhttp:
+        enabled: true
+        port: 10234
+        protocol: http
+        targetPort: 9001
+  # Metrics Services
+  metrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      metrics:
+        enabled: true
+        protocol: http
+        port: 10231
+        targetPort: 9301
+  ldapmetrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      ldapmetrics:
+        enabled: true
+        port: 10232
+        protocol: http
+        targetPort: 9302
+  proxymetrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      proxymetrics:
+        enabled: true
+        port: 10235
+        protocol: http
+        targetPort: 9303
+
+metrics:
+  # TODO
+  main:
+    # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
+    # @default -- See values.yaml
+    enabled: false
+    type: "servicemonitor"
+    endpoints:
+      - port: main
+        path: /metrics
+        interval: 1m
+        scrapeTimeout: 30s
+    # -- Enable and configure Prometheus Rules for the chart under this key.
+    # @default -- See values.yaml
+    prometheusRule:
+      enabled: false
+      labels: {}
+      # -- Configure additionial rules for the chart under this key.
+      # @default -- See prometheusrules.yaml
+      rules:
+        []
+        # - alert: UnifiPollerAbsent
+        #   annotations:
+        #     description: Unifi Poller has disappeared from Prometheus service discovery.
+        #     summary: Unifi Poller is down.
+        #   expr: |
+        #     absent(up{job=~".*unifi-poller.*"} == 1)
+        #   for: 5m
+        #   labels:
+        #     severity: critical
+
+ingress:
+  proxyhttps:
+    autoLink: true
+
+# Target selectors taken from authentik's compose file:
+# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
+persistence:
+  media:
+    enabled: true
+    mountPath: "/media"
+    targetSelector:
+      main:
+        main: {}
+        worker: {}
+  templates:
+    enabled: true
+    mountPath: "/templates"
+    targetSelector:
+      main:
+        main: {}
+        worker: {}
+  certs:
+    enabled: true
+    mountPath: "/certs"
+    targetSelector:
+      main:
+        worker: {}
+  geoip:
+    enabled: true
+    mountPath: "/usr/share/GeoIP"
+    targetSelector:
+      main:
+        geoip: {}
+
+cnpg:
+  main:
+    enabled: true
+    user: authentik
+    database: authentik
+
+cnpgProvider:
+  port: 5432
+
+# Enabled redis
+# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
+redis:
+  enabled: true
+
+redisProvider:
+  port: 6379
 
 workerContainer:
   enabled: true
@@ -62,6 +248,7 @@ authentik:
     log_level: "info"
   ldap:
     tls_ciphers: "null"
+
 geoip:
   enabled: false
   account_id: ""
@@ -98,161 +285,6 @@ outposts:
     # -- Token is only needed if you accidentally deleted the token within the UI
     # token: ""
 
-metrics:
-  # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
-  # @default -- See values.yaml
-  enabled: false
-  serviceMonitor:
-    interval: 1m
-    scrapeTimeout: 30s
-    labels: {}
-  # -- Enable and configure Prometheus Rules for the chart under this key.
-  # @default -- See values.yaml
-  prometheusRule:
-    enabled: false
-    useDefault: true
-    labels: {}
-    # -- Configure additional rules for the chart under this key.
-    # @default -- See prometheusrules.yaml
-    rules:
-      []
-      # - alert: UnifiPollerAbsent
-      #   annotations:
-      #     description: Unifi Poller has disappeared from Prometheus service discovery.
-      #     summary: Unifi Poller is down.
-      #   expr: |
-      #     absent(up{job=~".*unifi-poller.*"} == 1)
-      #   for: 5m
-      #   labels:
-      #     severity: critical
-
-envFrom:
-  - secretRef:
-      name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
-  - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
-  - configMapRef:
-      name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
-
-probes:
-  liveness:
-    type: HTTPS
-    path: /-/health/live/
-    port: "{{ .Values.service.main.ports.main.targetPort }}"
-  readiness:
-    type: HTTPS
-    path: /-/health/ready/
-    port: "{{ .Values.service.main.ports.main.targetPort }}"
-  startup:
-    type: HTTPS
-    path: /-/health/ready/
-    port: "{{ .Values.service.main.ports.main.targetPort }}"
-
-service:
-  main:
-    ports:
-      main:
-        protocol: HTTPS
-        port: 10229
-        targetPort: 9443
-  http:
-    enabled: true
-    type: ClusterIP
-    ports:
-      http:
-        enabled: true
-        protocol: HTTP
-        port: 10230
-        targetPort: 9000
-  # LDAP Outpost Services
-  ldapldaps:
-    enabled: true
-    ports:
-      ldapldaps:
-        enabled: true
-        port: 636
-        targetPort: 6636
-  ldapldap:
-    enabled: true
-    ports:
-      ldapldap:
-        enabled: true
-        port: 389
-        targetPort: 3389
-  # Proxy Outpost Services
-  proxyhttps:
-    enabled: true
-    ports:
-      proxyhttps:
-        enabled: true
-        port: 10233
-        protocol: HTTPS
-        targetPort: 9444
-  proxyhttp:
-    enabled: true
-    type: ClusterIP
-    ports:
-      proxyhttp:
-        enabled: true
-        port: 10234
-        protocol: HTTP
-        targetPort: 9001
-  # Metrics Services
-  metrics:
-    enabled: true
-    type: ClusterIP
-    ports:
-      metrics:
-        enabled: true
-        protocol: HTTP
-        port: 10231
-        targetPort: 9301
-  ldapmetrics:
-    enabled: true
-    type: ClusterIP
-    ports:
-      ldapmetrics:
-        enabled: true
-        port: 10232
-        protocol: HTTP
-        targetPort: 9302
-  proxymetrics:
-    enabled: true
-    type: ClusterIP
-    ports:
-      proxymetrics:
-        enabled: true
-        port: 10235
-        protocol: HTTP
-        targetPort: 9303
-
-ingress:
-  proxyhttps:
-    autoLink: true
-
-persistence:
-  media:
-    enabled: true
-    mountPath: "/media"
-  templates:
-    enabled: true
-    mountPath: "/templates"
-  certs:
-    enabled: true
-    mountPath: "/certs"
-  geoip:
-    enabled: true
-    mountPath: "/geoip"
-
-postgresql:
-  enabled: true
-  existingSecret: "dbcreds"
-  postgresqlUsername: authentik
-  postgresqlDatabase: authentik
-
-redis:
-  enabled: true
-  existingSecret: "rediscreds"
-
 portal:
-  enabled: true
+  open:
+    enabled: true

charts/incubator/cryptpad/Chart.yaml

@@ -8,7 +8,7 @@ appVersion: "latest"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 deprecated: false
 description: CryptPad is the Zero Knowledge realtime collaborative editor.
 home: https://truecharts.org/charts/incubator/cryptpad
@@ -27,4 +27,4 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/cryptpad
   - https://cryptpad.fr/
 type: application
-version: 3.0.3
+version: 3.0.5

charts/incubator/dashy/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "2.1.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 description: Dashy helps you organize your self-hosted services by making them accessible from a single place
 home: https://truecharts.org/charts/incubator/dashy
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/dashy.png
@@ -18,7 +18,7 @@ name: dashy
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/dashy
   - https://github.com/airsonic/airsonic
-version: 3.0.8
+version: 3.0.10
 annotations:
   truecharts.org/catagories: |
     - dashboard

charts/incubator/etesync/Chart.yaml

@@ -3,11 +3,11 @@ appVersion: "0.11.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
   - condition: redis.enabled
     name: redis
     repository: https://deps.truecharts.org
-    version: 6.0.53
+    version: 6.0.58
 deprecated: false
 description: Secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
 home: https://truecharts.org/charts/incubator/etesync
@@ -31,7 +31,7 @@ sources:
   - https://github.com/etesync
   - https://github.com/victor-rds/docker-etebase
 type: application
-version: 4.0.5
+version: 4.0.8
 annotations:
   truecharts.org/catagories: |
     - productivity

charts/incubator/factorio/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: factorio
-version: 4.0.3
+version: 4.0.5
 appVersion: "stable"
 description: "This Chart Chart will download the latest stable release of the game, generate the map and you're ready to play."
 type: application
@@ -17,7 +17,7 @@ sources:
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 maintainers:
   - email: info@truecharts.org
     name: TrueCharts

charts/incubator/frigate/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "0.12.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.13.0
+    version: 12.14.2
 deprecated: false
 description: NVR With Realtime Object Detection for IP Cameras
 home: https://truecharts.org/charts/incubator/frigate
@@ -23,7 +23,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/frigate
   - https://github.com/blakeblackshear/frigate
 type: application
-version: 8.0.4
+version: 9.0.2
 annotations:
   truecharts.org/catagories: |
     - nvr

charts/incubator/frigate/ci/figrate-configfile-values.yaml

@@ -0,0 +1 @@
+frigateConfig: {}

charts/incubator/frigate/ci/figrateConfig-values.yaml

@@ -0,0 +1,11 @@
+frigateConfig:
+  mqtt:
+    enabled: false
+  cameras:
+    dummy:
+      enabled: false
+      ffmpeg:
+        inputs:
+          - path: rtsp://127.0.0.1:554/rtsp
+            roles:
+              - detect

charts/incubator/frigate/templates/NOTES.txt

@@ -1 +1 @@
-{{- include "tc.v1.common.lib.chart.notes" $ -}}
+{{- include "tc.v1.common.lib.chart.notes" $ -}}

charts/incubator/frigate/templates/_configmap.tpl

@@ -2,495 +2,41 @@
 {{- define "frigate.configmap" -}}
 enabled: true
 data:
+  {{- if .Values.frigateConfig }}
   config.yml: |
-    database:
-      path: /db/frigate.db
-
+    {{- .Values.frigateConfig | toYaml | nindent 4 }}
+  {{- else }}
+  config.yml.dummy: |
     mqtt:
-      {{- include "frigate.mqtt" .Values.frigate.mqtt | indent 6 }}
-
-    {{- if and .Values.frigate.detectors.render_config .Values.frigate.detectors.config }}
-    detectors:
-      {{- include "frigate.detectors" .Values.frigate.detectors | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.model.render_config }}
-    model:
-      {{- include "frigate.model" .Values.frigate.model | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.logger.render_config }}
-    logger:
-      {{- include "frigate.logger" .Values.frigate.logger | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.birdseye.render_config }}
-    birdseye:
-      {{- include "frigate.birdseye" .Values.frigate.birdseye | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.ffmpeg.render_config }}
-    ffmpeg:
-      {{- include "frigate.ffmpeg" .Values.frigate.ffmpeg | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.detect.render_config }}
-    detect:
-      {{- include "frigate.detect" .Values.frigate.detect | indent 6 }}
-    {{- end -}}
-
-    {{- if .Values.frigate.objects.render_config }}
-    objects:
-      {{- include "frigate.objects" .Values.frigate.objects | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.motion.render_config }}
-    motion:
-      {{- include "frigate.motion" .Values.frigate.motion | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.record.render_config }}
-    record:
-      {{- include "frigate.record" .Values.frigate.record | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.snapshots.render_config }}
-    snapshots:
-      {{- include "frigate.snapshots" .Values.frigate.snapshots | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.rtmp.render_config }}
-    rtmp:
-      {{- include "frigate.rtmp" .Values.frigate.rtmp | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.live.render_config }}
-    live:
-      {{- include "frigate.live" .Values.frigate.live | indent 6 }}
-    {{- end }}
-
-    {{- if .Values.frigate.timestamp_style.render_config }}
-    timestamp_style:
-      {{- include "frigate.timestamp_style" .Values.frigate.timestamp_style | indent 6 }}
-    {{- end }}
-
-    {{- $cameras := .Values.frigate.cameras }}
+      enabled: false
     cameras:
-    {{- range $cam := $cameras }}
-      {{ $cam.camera_name | required "You need to provide a camera name" }}:
+      dummy:
+        enabled: false
         ffmpeg:
           inputs:
-            {{- range $input := $cam.ffmpeg.inputs }}
-            - path: {{ $input.path | required "You need to provide a path" }}
+            - path: rtsp://127.0.0.1:554/rtsp
               roles:
-              {{- range $role := $input.roles }}
-                - {{ $role }}
-              {{- else -}}
-                {{- fail "You need to provide roles" -}}
-              {{- end -}}
-              {{- include "frigate.ffmpeg" $input | indent 14 }}
-            {{- end -}} {{/* End range $cam.ffmpeg.inputs */}}
-          {{- include "frigate.ffmpeg" $cam.ffmpeg | indent 10 }}
-        {{- with $cam.best_image_timeout }}
-        best_image_timeout: {{ . }}
-        {{- end -}}
-        {{- with $cam.zones }}
-        zones:
-          {{- range $zone := . }}
-          {{ $zone.name | required "You have to specify a zone name" }}:
-            coordinates: {{ required "You have to specify coordinates" .coordinates }}
-            {{- with $zone.objects }}
-            objects:
-              {{- range $obj := . }}
-              - {{ $obj }}
-              {{- end -}}
-            {{- end -}}
-            {{- with $zone.filters }}
-            filters:
-              {{- range $filter := . }}
-              {{ $filter.object | required "You have to specify an object" }}:
-                {{- with $filter.min_area }}
-                min_area: {{ . }}
-                {{- end -}}
-                {{- with $filter.max_area }}
-                max_area: {{ . }}
-                {{- end -}}
-                {{- with $filter.threshold }}
-                threshold: {{ . }}
-                {{- end -}}
-              {{- end -}} {{/* end range filters */}}
-            {{- end -}} {{/* end with filter */}}
-          {{- end -}} {{/* end range zones */}}
-        {{- end -}} {{/* end with zones */}}
-        {{- if $cam.mqtt.render_config -}}
-        {{- with $cam.mqtt }}
-        mqtt:
-          enabled: {{ ternary "True" "False" .enabled }}
-          timestamp: {{ ternary "True" "False" .timestamp }}
-          bounding_box: {{ ternary "True" "False" .bounding_box }}
-          crop: {{ ternary "True" "False" .crop }}
-          {{- with .height }}
-          height: {{ . }}
-          {{- end -}}
-          {{- with .quality }}
-          quality: {{ . }}
-          {{- end -}}
-          {{- with .required_zones }}
-          required_zones:
-            {{- range $zone := . }}
-            - {{ $zone }}
-            {{- end -}}
-          {{- end -}}
-        {{- end -}} {{/* end with mqtt */}}
-        {{- end -}} {{/* end if mqtt.render_config */}}
-        {{- if $cam.ui.render_config -}}
-        {{- with $cam.ui }}
-        ui:
-          {{- if not (kindIs "invalid" .order) }}
-          order: {{ .order }}
-          {{- end }}
-          dashboard: {{ ternary "True" "False" .dashboard }}
-        {{- end -}} {{/* end with ui */}}
-        {{- end -}} {{/* end if ui.render_config */}}
-    {{- end -}} {{/* end range cameras */}}
-{{- end }}
-
-{{- define "frigate.ffmpeg" -}}
-{{- $ffmpeg := . -}}
-
-{{- with $ffmpeg.global_args }}
-global_args: {{ . }}
-{{- end -}}
-{{- with $ffmpeg.input_args }}
-input_args: {{ . }}
-{{- end -}}
-{{- with $ffmpeg.hwaccel_args }}
-hwaccel_args: {{ . }}
-{{- end -}}
-{{- if $ffmpeg.output_args -}}
-{{- if or $ffmpeg.output_args.detect $ffmpeg.output_args.record $ffmpeg.output_args.rtmp }}
-output_args:
-  {{- with $ffmpeg.output_args.detect }}
-  detect: {{ . }}
-  {{- end -}}
-  {{- with $ffmpeg.output_args.record }}
-  record: {{ . }}
-  {{- end -}}
-  {{- with $ffmpeg.output_args.rtmp }}
-  rtmp: {{ . }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
+                - detect
+  {{- end }}
 {{- end -}}
 
-{{- define "frigate.detect" -}}
-{{- $detect := . }}
-enabled: {{ ternary "True" "False" $detect.enabled }}
-{{- with $detect.width }}
-width: {{ . }}
-{{- end -}}
-{{- with $detect.height }}
-height: {{ . }}
-{{- end -}}
-{{- with $detect.fps }}
-fps: {{ . }}
-{{- end -}}
-{{- with $detect.max_disappeared }}
-max_disappeared: {{ . }}
-{{- end -}}
-{{- if or (not (kindIs "invalid" $detect.stationary.interval)) $detect.stationary.threshold $detect.stationary.set_max_frames }}
-stationary:
-  {{- if not (kindIs "invalid" $detect.stationary.interval) }} {{/* invalid kind means its empty (0 is not empty) */}}
-  interval: {{ $detect.stationary.interval }}
-  {{- end -}}
-  {{- with $detect.stationary.threshold }}
-  threshold: {{ . }}
-  {{- end -}}
-  {{- if (hasKey $detect.stationary "max_frames") }}
-  {{- if or $detect.stationary.max_frames.default $detect.stationary.max_frames.objects }}
-  max_frames:
-    {{- with $detect.stationary.max_frames.default }}
-    default: {{ . }}
-    {{- end -}}
-    {{- with $detect.stationary.max_frames.objects }}
-    objects:
-      {{- range $obj := . }}
-      {{ $obj.object | required "You need to provide an object" }}: {{ $obj.frames | required "You need to provide frames" }}
-      {{- end -}}
-    {{- end -}}
-  {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.motion" -}}
-{{- $motion := . -}}
-
-{{- with $motion.threshold }}
-threshold: {{ . }}
-{{- end -}}
-{{- with $motion.contour_area }}
-contour_area: {{ . }}
-{{- end -}}
-{{- with $motion.delta_alpha }}
-delta_alpha: {{ . }}
-{{- end -}}
-{{- with $motion.frame_alpha }}
-frame_alpha: {{ . }}
-{{- end -}}
-{{- with $motion.frame_height }}
-frame_height: {{ . }}
-{{- end -}}
-{{- with $motion.mask }}
-mask: {{ . }}
-{{- end }}
-improve_contrast: {{ ternary "True" "False" $motion.improve_contrast }}
-{{- with $motion.mqtt_off_delay }}
-mqtt_off_delay: {{ . }}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.record" -}}
-{{- $record := . }}
-enabled: {{ ternary "True" "False" $record.enabled }}
-{{- with $record.expire_interval }}
-expire_interval: {{ . }}
-{{- end -}}
-{{- if $record.retain.render_config }}
-retain:
-  {{- if not (kindIs "invalid" $record.retain.days) }}
-  days: {{ $record.retain.days }}
-  {{- end -}}
-  {{- with $record.retain.mode }}
-  mode: {{ . }}
-  {{- end -}}
-{{- end -}}
-{{- if $record.events.render_config }}
-events:
-  {{- if not (kindIs "invalid" $record.events.pre_capture) }}
-  pre_capture: {{ $record.events.pre_capture }}
-  {{- end -}}
-  {{- if not (kindIs "invalid" $record.events.post_capture) }}
-  post_capture: {{ $record.events.post_capture }}
-  {{- end -}}
-  {{- with $record.events.objects }}
-  objects:
-    {{- range $obj := . }}
-    - {{ $obj }}
-    {{- end -}}
-  {{- end -}}
-  {{- with $record.events.required_zones }}
-  required_zones:
-    {{- range $zone := . }}
-    - {{ $zone }}
-    {{- end -}}
-  {{- end -}}
-  {{- if $record.events.retain.render_config }}
-  retain:
-    default: {{ $record.events.retain.default | required "You need to provide default retain days" }}
-    {{- with $record.events.retain.mode }}
-    mode: {{ . }}
-    {{- end -}}
-    {{- with $record.events.retain.objects }}
-    objects:
-    {{- range $obj := . }}
-      {{ $obj.object | required "You need to provide an object" }}: {{ $obj.days | required "You need to provide default retain days" }}
-    {{- end -}}
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.objects" -}}
-{{- $objects := . -}}
-
-{{- with $objects.track }}
-track:
-  {{- range $track := . }}
-  - {{ $track }}
-  {{- end -}}
-{{- end -}}
-{{- with $objects.mask }}
-mask: {{ . }}
-{{- end -}}
-{{- with $objects.filters }}
-filters:
-  {{- range $filter := . }}
-  {{ $filter.object | required "You need to provide an object" }}:
-    {{- with $filter.min_area }}
-    min_area: {{ . }}
-    {{- end -}}
-    {{- with $filter.max_area }}
-    max_area: {{ . }}
-    {{- end -}}
-    {{- with $filter.min_ratio }}
-    min_ratio: {{ . }}
-    {{- end -}}
-    {{- with $filter.max_ratio }}
-    max_ratio: {{ . }}
-    {{- end -}}
-    {{- with $filter.min_score }}
-    min_score: {{ . }}
-    {{- end -}}
-    {{- with $filter.threshold }}
-    threshold: {{ . }}
-    {{- end -}}
-    {{- with $filter.mask }}
-    mask: {{ . }}
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.birdseye" -}}
-{{- $birdseye := . }}
-enabled: {{ ternary "True" "False" $birdseye.enabled }}
-{{- with $birdseye.width }}
-width: {{ . }}
-{{- end -}}
-{{- with $birdseye.height }}
-height: {{ . }}
-{{- end -}}
-{{- with $birdseye.quality }}
-quality: {{ . }}
-{{- end -}}
-{{- with $birdseye.mode }}
-mode: {{ . }}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.timestamp_style" -}}
-{{- $timestamp_style := . -}}
-
-{{- with $timestamp_style.position }}
-position: {{ . }}
-{{- end -}}
-{{- with $timestamp_style.format }}
-format: {{ . }}
-{{- end -}}
-{{- if $timestamp_style.color.render_config }}
-color:
-  red: {{ $timestamp_style.color.red }}
-  green: {{ $timestamp_style.color.green }}
-  blue: {{ $timestamp_style.color.blue }}
-{{- end -}}
-{{- with $timestamp_style.thickness }}
-thickness: {{ . }}
-{{- end -}}
-{{- with $timestamp_style.effect }}
-effect: {{ $timestamp_style.effect }}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.live" -}}
-{{- $live := . -}}
-{{- with $live.height }}
-height: {{ . }}
-{{- end -}}
-{{- with $live.quality }}
-quality: {{ . }}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.rtmp" -}}
-{{- $rtmp := . }}
-enabled: {{ ternary "True" "False" $rtmp.enabled }}
-{{- end -}}
-
-{{- define "frigate.snapshots" -}}
-{{- $snapshots := . }}
-enabled: {{ ternary "True" "False" $snapshots.enabled }}
-clean_copy: {{ ternary "True" "False" $snapshots.clean_copy }}
-timestamp: {{ ternary "True" "False" $snapshots.timestamp }}
-bounding_box: {{ ternary "True" "False" $snapshots.bounding_box }}
-crop: {{ ternary "True" "False" $snapshots.crop }}
-{{- with $snapshots.height }}
-height: {{ . }}
-{{- end -}}
-{{- with $snapshots.required_zones }}
-required_zones:
-  {{- range $zone := . }}
-  - {{ $zone }}
-  {{- end -}}
-{{- end -}}
-{{- if $snapshots.retain.render_config }}
-retain:
-  default: {{ $snapshots.retain.default | required "You need to provide default retain days" }}
-  {{- with $snapshots.retain.objects }}
-  objects:
-  {{- range $obj := . }}
-    {{ $obj.object | required "You need to provide an object" }}: {{ $obj.days | required "You need to provide default retain days" }}
-  {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.detectors" -}}
-{{- $detectors := . -}}
-
-{{- range $detector := $detectors.config }}
-{{ $detector.name | required "You need to provide a detector name" }}:
-  type: {{ $detector.type | required "You need to provide a detector type" }}
-  {{- with $detector.device }}
-  device: {{ . }}
-  {{- end -}}
-  {{- with $detector.num_threads }}
-  num_threads: {{ . }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.model" -}}
-{{ $model := . }}
-width: {{ $model.width | required "You need to provide a model width" }}
-height: {{ $model.height | required "You need to provide a model height" }}
-{{- with $model.path }}
-path: {{ . }}
-{{- end -}}
-{{- with $model.labelmap_path }}
-labelmap_path: {{ . }}
-{{- end -}}
-{{- with $model.labelmap }}
-labelmap:
-  {{- range $lmap := . }}
-  {{ $lmap.model | required "You need to provide a labelmap model" }}: {{ $lmap.name | required "You need to provide a labelmap name" }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.logger" -}}
-{{- $logger := . }}
-default: {{ $logger.default }}
-{{- with $logger.logs }}
-logs:
-  {{- range $log := . }}
-  {{ $log.component | required "You need to provide a logger cmponent" }}: {{ $log.verbosity | required "You need to provide logger verbosity" }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "frigate.mqtt" -}}
-{{- $mqtt := . }}
-{{- if $mqtt.render_config }}
-enabled: {{ ternary "True" "False" $mqtt.enabled }}
-host: {{ required "You need to provide an MQTT host" $mqtt.host }}
-{{- with $mqtt.port }}
-port: {{ . }}
-{{- end -}}
-{{- with $mqtt.topic_prefix }}
-topic_prefix: {{ . }}
-{{- end -}}
-{{- with $mqtt.client_id }}
-client_id: {{ . }}
-{{- end -}}
-{{- if not (kindIs "invalid" $mqtt.stats_interval) }}
-stats_interval: {{ $mqtt.stats_interval }}
-{{- end -}}
-{{- with $mqtt.user }}
-user: {{ . }}
-{{- end -}}
-{{- with $mqtt.password }}
-password: {{ . }}
-{{- end -}}
+{{- define "frigate.configVolume" -}}
+enabled: true
+type: configmap
+objectName: frigate-config
+targetSelector:
+  main:
+    main: {}
+    init-config: {}
+{{- if .Values.frigateConfig }}
+mountPath: /config
+items:
+  - key: config.yml
+    path: config.yml
+{{- else  }}
+mountPath: /dummy-config
+items:
+  - key: config.yml.dummy
+    path: config.yml.dummy
 {{- end -}}
 {{- end -}}

charts/incubator/frigate/templates/common.yaml

@@ -7,5 +7,14 @@
   {{- $_ := set .Values.configmap "frigate-config" $config -}}
 {{- end -}}
 
+{{- if not .Values.frigateConfig -}}
+  {{- $_ := set .Values.persistence.config "enabled" true -}}
+{{- end -}}
+
+{{- $vol := include "frigate.configVolume" . | fromYaml -}}
+{{- if $vol -}}
+  {{- $_ := set .Values.persistence "frigate-config" $vol -}}
+{{- end -}}
+
 {{/* Render the templates */}}
 {{ include "tc.v1.common.loader.apply" . }}

charts/incubator/frigate/values.yaml

@@ -3,433 +3,46 @@ image:
   pullPolicy: IfNotPresent
   tag: v0.12.0@sha256:6fac983662fc6095ffdc8dd494f0c918192ddab80602f01d50a3569dab868148
 
+# When this is defined, the contents will be mounted
+# as configmap into the container at /config/config.yml.
+frigateConfig: {}
+  # -- https://docs.frigate.video/configuration/
+  # mqtt:
+  #   enabled: False
+  # cameras:
+  #   dummy:
+  #     enabled: False
+  #     ffmpeg:
+  #       inputs:
+  #         - path: rtsp://127.0.0.1:554/rtsp
+  #           roles:
+  #             - detect
+
+workload:
+  main:
+    podSpec:
+      initContainers:
+        init-config:
+          enabled: "{{ not .Values.frigateConfig }}"
+          type: init
+          imageSelector: alpineImage
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /config
+              if [ ! -f /config/config.yml ]; then
+                echo "Config file not found, copying dummy..."
+                cp /dummy-config/config.yml.dummy /config/config.yml
+                echo "Config file copied, you can now edit it at /config/config.yml"
+              fi
+
 securityContext:
   container:
     readOnlyRootFilesystem: false
     runAsNonRoot: false
     runAsUser: 0
     runAsGroup: 0
-# -- The "render_config" key is only used internally to "render" or not the configuration
-# - Some parts of the config bellow are slightly modified so they can be added on SCALE UI. Mainly lists.
-# - Do not blindly copy paste configuration from upstream. As this won't work on all cases
-# - Where you see "null" set as default is ignored by the configmap. (Not all keys are supported).
-# - Those "nulls" should be replaced with integers (if you want to set a value)
-frigate:
-  mqtt:
-    # -- Enable it to add the configuration in the config file
-    render_config: true
-    # -- Enables MQTT
-    enabled: false
-    host: mqtt.server.com
-    port: 1883
-    # -- NOTE: Must be unique if you are running multiple instances
-    topic_prefix: ""
-    # -- NOTE: Must be unique if you are running multiple instances
-    client_id: ""
-    user: ""
-    password: ""
-    stats_interval: 60
-
-  detectors:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    config: []
-    # -- Required: Name of the detector
-    # - name: coral
-    #   # -- Valid values are 'edgetpu' (requires device property below) and 'cpu'.
-    #   type: edgetpu
-    #   # -- Device name as defined here: https://coral.ai/docs/edgetpu/multiple-edgetpu/#using-the-tensorflow-lite-python-api
-    #   device: usb
-    #   # -- This value is only used for CPU types
-    #   num_threads: 3
-
-  model:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Required: Object detection model input width
-    width: 320
-    # -- Required: Object detection model input height
-    height: 320
-    # -- Optional: Path to the model
-    path: ""
-    # -- Optional: Path to the labelmap
-    labelmap_path: ""
-    # -- Optional: Label name modifications.
-    labelmap: []
-    # - model: "2"
-    #   name: vehicle
-    # - model: 3
-    #   name: vehicle
-
-  logger:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: Default log verbosity (default: shown below)
-    default: info
-    # -- Optional: Component specific logger overrides
-    logs: []
-    # - component: frigate.event
-    #   verbosity: debug
-
-  birdseye:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Enables birdseye
-    enabled: true
-    # -- Optional: Width of the output resolution
-    width: null
-    # -- Optional: Height of the output resolution
-    height: null
-    # -- Optional: Encoding quality of the mpeg1 feed
-    # - 1 is the highest quality, and 31 is the lowest. Lower quality feeds utilize less CPU resources.
-    quality: null
-    # -- Optional: Mode of the view. Available options are: objects, motion, and continuous
-    # - objects - cameras are included if they have had a tracked object within the last 30 seconds
-    # - motion - cameras are included if motion was detected in the last 30 seconds
-    # - continuous - all cameras are included always
-    mode: ""
-
-  ffmpeg:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: global ffmpeg args
-    global_args: ""
-    # -- Optional: global input args
-    input_args: ""
-    # -- Optional: global hwaccel args
-    # - NOTE: See hardware acceleration docs for your specific device
-    hwaccel_args: ""
-    # -- Optional: global output args
-    output_args:
-      # -- Optional: output args for detect streams
-      detect: ""
-      # -- Optional: output args for record streams
-      record: ""
-      # -- Optional: output args for rtmp streams
-      rtmp: ""
-
-  detect:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Enables detection for the camera.
-    # - This value can be set via MQTT and will be updated in startup based on retained value
-    enabled: true
-    # -- Optional: width of the frame for the input with the detect role
-    width: null
-    # -- Optional: height of the frame for the input with the detect role
-    height: null
-    # -- Optional: desired fps for your camera for the input with the detect role
-    # - NOTE: Recommended value of 5. Ideally, try and reduce your FPS on the camera.
-    fps: null
-    # -- Optional: Number of frames without a detection before frigate considers an object to be gone. (default: 5x the frame rate)
-    max_disappeared: null
-    # -- Optional: Configuration for stationary object tracking
-    stationary:
-      # -- Optional: Frequency for confirming stationary objects
-      # - When set to 0, object detection will not confirm stationary objects until movement is detected.
-      # - If set to 10, object detection will run to confirm the object still exists on every 10th frame.
-      interval: null
-      # -- Optional: Number of frames without a position change for an object to be considered stationary (default: 10x the frame rate or 10s)
-      threshold: null
-      # -- Optional: Define a maximum number of frames for tracking a stationary object (default: not set, track forever)
-      # - This can help with false positives for objects that should only be stationary for a limited amount of time.
-      # - It can also be used to disable stationary object tracking. For example, you may want to set a value for person, but leave
-      # - car at the default.
-      # - WARNING: Setting these values overrides default behavior and disables stationary object tracking.
-      # - There are very few situations where you would want it disabled. It is NOT recommended to
-      # - copy these values from the example config into your config unless you know they are needed.
-      # max_frames:
-      #   # -- Optional: Default for all object types (default: not set, track forever)
-      #   default:
-      #   # -- Optional: Object specific values
-      #   objects:
-      #     - object: person
-      #       frames: 1000
-
-  objects:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: list of objects to track from labelmap.txt
-    track: []
-    # - person
-    # - car
-    # -- Optional: mask to prevent all object types from being detected in certain areas (default: no mask)
-    # - Checks based on the bottom center of the bounding box of the object.
-    # - NOTE: This mask is COMBINED with the object type specific mask below
-    mask: ""
-    # - Optional: filters to reduce false positives for specific object types
-    filters: []
-    # - object: person
-    #   # -- Optional: Minimum width*height of the bounding box for the detected object
-    #   min_area: 5000
-    #   # -- Optional: Maximum width*height of the bounding box for the detected object
-    #   max_area: 100000
-    #   # -- Optional: Minimum width/height of the bounding box for the detected object
-    #   min_ratio: "0.5"
-    #   # -- Optional: Maximum width/height of the bounding box for the detected object
-    #   max_ratio: "2.0"
-    #   # -- Optional: Minimum score for the object to initiate tracking
-    #   min_score: "0.5"
-    #   # -- Optional: Minimum decimal percentage for tracked object's computed score to be considered a true positive
-    #   threshold: "0.7"
-    #   # -- Optional: Mask to prevent this object type from being detected in certain areas
-    #   # - Checks based on the bottom center of the bounding box of the object
-    #   mask: 0,0,1000,0,1000,200,0,200
-
-  motion:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: The threshold passed to cv2.threshold to determine if a pixel is different enough to be counted as motion.
-    # - Increasing this value will make motion detection less sensitive and decreasing it will make motion detection more sensitive.
-    # - The value should be between 1 and 255.
-    threshold: null
-    # -- Optional: Minimum size in pixels in the resized motion image that counts as motion
-    # - Increasing this value will prevent smaller areas of motion from being detected. Decreasing will
-    # - make motion detection more sensitive to smaller moving objects.
-    # - As a rule of thumb:
-    # - 15 - high sensitivity
-    # - 30 - medium sensitivity
-    # - 50 - low sensitivity
-    contour_area: null
-    # -- Optional: Alpha value passed to cv2.accumulateWeighted when averaging the motion delta across multiple frames
-    # - Higher values mean the current frame impacts the delta a lot, and a single raindrop may register as motion.
-    # - Too low and a fast moving person wont be detected as motion.
-    delta_alpha: ""
-    # -- Optional: Alpha value passed to cv2.accumulateWeighted when averaging frames to determine the background
-    # - Higher values mean the current frame impacts the average a lot, and a new object will be averaged into the background faster.
-    # - Low values will cause things like moving shadows to be detected as motion for longer.
-    # - https://www.geeksforgeeks.org/background-subtraction-in-an-image-using-concept-of-running-average/
-    frame_alpha: ""
-    # -- Optional: Height of the resized motion frame  (default: 50)
-    # - This operates as an efficient blur alternative. Higher values will result in more granular motion detection at the expense
-    # - of higher CPU usage. Lower values result in less CPU, but small changes may not register as motion.
-    frame_height: null
-    # -- Optional: motion mask
-    # - NOTE: see docs for more detailed info on creating masks
-    mask: ""
-    # -- Optional: improve contrast
-    # - Enables dynamic contrast improvement. This should help improve night detections at the cost of making motion detection more sensitive
-    # - for daytime.
-    improve_contrast: false
-    # -- Optional: Delay when updating camera motion through MQTT from ON -> OFF
-    mqtt_off_delay: null
-
-  record:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: Enable recording
-    # - WARNING: If recording is disabled in the config, turning it on via
-    # - the UI or MQTT later will have no effect.
-    # - WARNING: Frigate does not currently support limiting recordings based
-    # - on available disk space automatically. If using recordings,
-    # - you must specify retention settings for a number of days that
-    # - will fit within the available disk space of your drive or Frigate will crash.
-    enabled: false
-    # -- Optional: Number of minutes to wait between cleanup runs
-    # - This can be used to reduce the frequency of deleting recording segments from disk if you want to minimize i/o
-    expire_interval:
-    # -- Optional: Retention settings for recording
-    retain:
-      # -- Render retain config
-      render_config: false
-      # -- Optional: Number of days to retain recordings regardless of events
-      # - NOTE: This should be set to 0 and retention should be defined in events section below
-      # - if you only want to retain recordings of events.
-      days:
-      # -- Optional: Mode for retention. Available options are: all, motion, and active_objects
-      # - all - save all recording segments regardless of activity
-      # - motion - save all recordings segments with any detected motion
-      # - active_objects - save all recording segments with active/moving objects
-      # - NOTE: this mode only applies when the days setting above is greater than 0
-      mode: ""
-    # -- Optional: Event recording settings
-    events:
-      # -- Enable it to add the configuration in the config file
-      render_config: false
-      # -- Optional: Number of seconds before the event to include
-      pre_capture: null
-      # -- Optional: Number of seconds after the event to include
-      post_capture: null
-      # -- Optional: Objects to save recordings for. Defaults to all
-      objects: []
-      # - person
-      # -- Optional: Restrict recordings to objects that entered any of the listed zones
-      required_zones: []
-      # -- Optional: Retention settings for recordings of events
-      retain:
-        # -- Render retain config
-        render_config: false
-        # -- Required: Default retention days
-        default: 10
-        # -- Optional: Mode for retention.
-        # - all - save all recording segments for events regardless of activity
-        # - motion - save all recordings segments for events with any detected motion
-        # - active_objects - save all recording segments for event with active/moving objects
-        mode: ""
-        # -- Optional: Per object retention days
-        objects: []
-        # - object: person
-        #   days: 15
-
-  snapshots:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: Enable writing jpg snapshot to /media/frigate/clips
-    # - This value can be set via MQTT and will be updated in startup based on retained value
-    enabled: false
-    # -- Optional: Save a clean PNG copy of the snapshot image
-    clean_copy: true
-    # -- Optional: print a timestamp on the snapshots
-    timestamp: false
-    # -- Optional: draw bounding box on the snapshots
-    bounding_box: false
-    # -- Optional: crop the snapshot
-    crop: false
-    # -- Optional: height to resize the snapshot to (default: original size)
-    height:
-    # -- Optional: Restrict snapshots to objects that entered any of the listed zones (default: no required zones)
-    required_zones: []
-    # -- Optional: Camera override for retention settings (default: global values)
-    retain:
-      # -- Render retain config
-      render_config: false
-      # -- Required: Default retention days (default: shown below)
-      default: 10
-      # -- Optional: Per object retention days
-      objects: []
-      # - object: person
-      #   days: 15
-
-  rtmp:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # - Optional: Enable the RTMP stream
-    enabled: true
-
-  live:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: Set the height of the live stream. (default: 720)
-    # - This must be less than or equal to the height of the detect stream. Lower resolutions
-    # - reduce bandwidth required for viewing the live stream. Width is computed to match known aspect ratio.
-    height: null
-    # -- Optional: Set the encode quality of the live stream (default: shown below)
-    # - 1 is the highest quality, and 31 is the lowest. Lower quality feeds utilize less CPU resources.
-    quality: null
-
-  timestamp_style:
-    # -- Enable it to add the configuration in the config file
-    render_config: false
-    # -- Optional: Position of the timestamp
-    # - "tl" (top left), "tr" (top right), "bl" (bottom left), "br" (bottom right)
-    position: ""
-    # -- Optional: Format specifier conform to the Python package "datetime"
-    # - Additional Examples:
-    # - german: "%d.%m.%Y %H:%M:%S"
-    format: ""
-    # -- Optional: Color of font
-    color:
-      # -- Enable it to add the configuration in the config file
-      render_config: false
-      # -- All Required when color is specified (default: shown below)
-      red: 255
-      green: 255
-      blue: 255
-    # -- Optional: Line thickness of font (default: shown below)
-    thickness: null
-    # -- Optional: Effect of lettering (default: shown below)
-    # - None (No effect),
-    # - "solid" (solid background in inverse color of font)
-    # - "shadow" (shadow for font)
-    effect: ""
-
-  cameras:
-    # -- Required: name of the camera
-    - camera_name: back
-      # -- Required: ffmpeg settings for the camera
-      ffmpeg:
-        # -- Required: A list of input streams for the camera. See documentation for more information.
-        inputs:
-          # -- Required: the path to the stream
-          - path: rtsp://viewer:password@10.0.10.10:554/cam/realmonitor?channel=1&subtype=2
-            # -- Required: list of roles for this stream. valid values are: detect,record,rtmp
-            # - NOTICE: In addition to assigning the record, and rtmp roles,
-            # - they must also be enabled in the camera config.
-            roles:
-              - detect
-              - rtmp
-            # -- Optional: stream specific global args
-            global_args: ""
-            # - Optional: stream specific hwaccel args
-            hwaccel_args: ""
-            # - Optional: stream specific input args
-            input_args: ""
-            # - Optional: stream specific output args
-            output_args:
-              detect: ""
-              record: ""
-              rtmp: ""
-        # -- Optional: camera specific global args
-        global_args: ""
-        # -- Optional: camera specific hwaccel args
-        hwaccel_args: ""
-        # -- Optional: camera specific input args
-        input_args: ""
-        # -- Optional: camera specific output args
-        output_args:
-          detect: ""
-          record: ""
-          rtmp: ""
-      # -- Optional: timeout for highest scoring image before allowing it
-      # - to be replaced by a newer image.
-      best_image_timeout: 60
-      # -- Optional: zones for this camera
-      zones:
-        # -- Required: name of the zone
-        # - NOTE: This must be different than any camera names, but can match with another zone on another camera
-        - name: front_steps
-          # -- Required: List of x,y coordinates to define the polygon of the zone.
-          # - NOTE: Presence in a zone is evaluated only based on the bottom center of the objects bounding box.
-          coordinates: 545,1077,747,939,788,805
-          # -- Optional: List of objects that can trigger this zone (default: all tracked objects)
-          objects: []
-          # - person
-          # -- Optional: Zone level object filters.
-          # -NOTE: The global and camera filters are applied upstream.
-          filters: []
-          # - object: person
-          #   min_area: null
-          #   max_area: null
-          #   threshold: ""
-      # -- Optional: Configuration for the jpg snapshots published via MQTT
-      mqtt:
-        # -- Enable it to add the configuration in the config file
-        render_config: false
-        # -- Optional: Enable publishing snapshot via mqtt for camera
-        # - NOTE: Only applies to publishing image data to MQTT via 'frigate/<camera_name>/<object_name>/snapshot'.
-        # - All other messages will still be published.
-        enabled: true
-        # -- Optional: print a timestamp on the snapshots
-        timestamp: true
-        # -- Optional: draw bounding box on the snapshots
-        bounding_box: true
-        # -- Optional: crop the snapshot
-        crop: true
-        # -- Optional: height to resize the snapshot to
-        height: null
-        # -- Optional: jpeg encode quality
-        quality: null
-        # -- Optional: Restrict mqtt messages to objects that entered any of the listed zones
-        required_zones: []
-      # -- Optional: Configuration for how camera is handled in the GUI.
-      ui:
-        # -- Enable it to add the configuration in the config file
-        render_config: false
-        # -- Optional: Adjust sort order of cameras in the UI. Larger numbers come later
-        # - By default the cameras are sorted alphabetically.
-        order: null
-        # -- Optional: Whether or not to show the camera in the Frigate UI
-        dashboard: true
 
 ingress:
   rtmp:
@@ -454,17 +67,14 @@ persistence:
   media:
     enabled: true
     mountPath: /media
-  db:
-    enabled: true
-    mountPath: /db
-  frigate-config:
-    enabled: true
+  config:
+    # Only enable when not using frigateConfig
+    enabled: false
     mountPath: /config
-    type: configmap
-    objectName: frigate-config
-    items:
-      - key: config.yml
-        path: config.yml
+    targetSelector:
+      main:
+        main: {}
+        init-config: {}
 
 portal:
   open:

charts/incubator/kopia/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "0.12.1"
+appVersion: "0.13.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 11.1.2
+    version: 12.14.2
 description: Kopia is a simple, cross-platform tool for managing encrypted backups in the cloud. It provides fast, incremental backups, secure, client-side end-to-end encryption, compression and data deduplication.
 home: https://truecharts.org/charts/incubator/kopia
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/kopia.png
@@ -19,7 +19,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/kopia
   - https://kopia.io/docs/installation/#docker-images
   - https://github.com/kopia/kopia
-version: 5.0.0
+version: 6.0.2
 annotations:
   truecharts.org/catagories: |
     - utility

charts/incubator/kopia/ci/test-values.yaml

@@ -0,0 +1,10 @@
+workload:
+  main:
+    podSpec:
+      containers:
+        main:
+          args:
+            - server
+            - start
+            - --address=http://0.0.0.0:10238
+            - --insecure

charts/incubator/kopia/questions.yaml

@@ -11,19 +11,26 @@ questions:
 # Include{podSpec}
 # Include{containerMain}
 
-                                - variable: env
+                                - variable: kopia
                                   group: "App Configuration"
                                   label: "Image Environment"
                                   schema:
                                     additional_attrs: true
                                     type: dict
                                     attrs:
+                                      - variable: USER
+                                        label: "Kopia User"
+                                        description: "Repository user"
+                                        schema:
+                                          type: string
+                                          default: "secret"
+                                          required: true
                                       - variable: KOPIA_PASSWORD
                                         label: "KOPIA_PASSWORD"
                                         description: "Repository password"
                                         schema:
                                           type: string
-                                          default: ""
+                                          default: "secret"
                                           required: true
                                           private: true
                                       - variable: KOPIA_SERVER_USERNAME
@@ -31,14 +38,14 @@ questions:
                                         description: "Username for WebUI"
                                         schema:
                                           type: string
-                                          default: ""
+                                          default: "server_user"
                                           required: true
                                       - variable: KOPIA_SERVER_PASSWORD
                                         label: "KOPIA_SERVER_PASSWORD"
                                         description: "Password for WebUI"
                                         schema:
                                           type: string
-                                          default: ""
+                                          default: "server_password"
                                           required: true
                                           private: true
 # Include{containerBasic}