traefik.tf
# Traefik ingress controller installed from the upstream Helm chart.
#
# It is deployed as a DaemonSet on the host network so that every node
# answers on 80/443 itself (there is no load balancer in front of it).
# Only the keys listed in `values` are overridden; everything else keeps
# the chart's own defaults, as Helm merges the two maps.
resource "helm_release" "traefik" {
  name       = "traefik"
  namespace  = "kube-system"
  repository = "https://helm.traefik.io/traefik"
  chart      = "traefik"
  version    = "26.0.0"

  # todo: increase UDP buffer size for QUIC on Talos https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
  values = [<<YAML
priorityClassName: system-cluster-critical

# Listen on port 80 and 443 since we don't have load balancing
hostNetwork: true
deployment:
  kind: DaemonSet
# One node at a time; maxSurge is cleared because it does not apply to
# a DaemonSet rollout.
updateStrategy:
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: null
# No Service object: with hostNetwork the pods are reached on the node
# addresses directly.
service:
  enabled: false

logs:
  general:
    level: INFO
  access:
    enabled: true

# Enable Prometheus metrics
metrics:
  prometheus:
    # Create a dedicated metrics service for use with ServiceMonitor
    service:
      enabled: true
    serviceMonitor:
      enabled: true
      interval: 5s

# todo: expose this safely or use grafana
# The dashboard IngressRoute stays off; the chart's API flags are left at
# their defaults here, so nothing in this file publishes the API.
ingressRoute:
  dashboard:
    enabled: false

# Allow Traefik to run as root so it can bind to port 80 and 443
# Every capability is dropped except NET_BIND_SERVICE.
# NOTE(review): uid 0 inside the host network namespace is the
# highest-privilege setting in this file. Whether a non-root uid with
# NET_BIND_SERVICE alone would bind here depends on the image, so this
# is left as the author chose it; keep the capability list minimal and
# do not add host mounts to this release.
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
ports:
  # HTTPS
  websecure:
    port: 443
    forwardedHeaders:
      # X-Forwarded-* headers are honoured only from the cluster's own
      # node addresses (one /32 per entry of var.node_ips); from any other
      # source they are overwritten.
      # NOTE(review): with hostNetwork, requests that reach this pod from
      # workloads on the same node may also carry a node source address —
      # confirm that is acceptable before relying on forwarded headers for
      # client identity.
      trustedIPs: [${join(", ", [for ip in var.node_ips : "'${ip}/32'"])}]
      insecure: false
    # HTTP/3 runs over QUIC, so 443/udp must be reachable on the node in
    # addition to 443/tcp (see the UDP buffer todo above).
    http3:
      enabled: true
  # Redirect all HTTP traffic to HTTPS
  web:
    port: 80
    redirectTo:
      port: websecure
YAML
  ]

  # The CNI must be installed before the DaemonSet pods can become ready;
  # the CRDs are presumably the Prometheus Operator ones that the
  # ServiceMonitor above needs — verify against kubectl_manifest.coreos_crds.
  depends_on = [helm_release.cilium, kubectl_manifest.coreos_crds]
}