feat(helm)!: Update Chart traefik (36.3.0 → 39.0.0)

[pipelines-github-app]

This PR contains the following updates:

Package	Update	Change
traefik (source)	major	36.3.0 -> 39.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

traefik/traefik-helm-chart (traefik)

v39.0.0

Compare Source

Upgrade Notes

There are 3 breaking changes in this release:

1. Traefik Hub: This release support only Traefik Hub v3.19.0+ versions.
   • CRDs has to be upgraded before the Chart. See UPGRADING instructions.
   • It's possible to use previous versions of the Chart for previous versions of Traefik Hub.
2. Encoded Characters: Allowed by default in Traefik v3.6.7+ (opt-in security options, documentation)
3. Ports Configuration: HTTP options now require explicit http nesting level with PR #​1603.
   • There is a before / after example in the PR description.

ℹ️ Schema validation has been enforced in this release. When it fails, it means that the parameter is not implemented.

💥 BREAKING CHANGES

• feat(deps)!: update traefik docker tag to v3.6.7 #​1624 by @​renovate[bot]
• fix(ports)!: 🐛 entrypoints http options #​1603 by @​mloiseleur
• fix(security)!: add support for request path options of Traefik 3.6.7+ #​1626 by @​mloiseleur
• feat(CRDs)!: support Traefik Hub v3.19.0 #​1598 by @​traefiker

🚀 Features

• feat(gateway-api): add support for defaultScope experimental feature #​1589 by @​shubhamch71
• feat(chart): enforce schema #​1627 by @​mloiseleur

📦 Others

• docs(CRDs): improve note on deprecation #​1623 by @​jnoordsij
• chore: pin GitHub Actions to SHA hashes #​1628 by @​darkweaver87
• docs(values): avoid unbreakable lines in table output of VALUES.md #​1630 by @​mloiseleur
• refactor(chart): clean output on Deployment & Daemonset #​1629 by @​mloiseleur
• chore(release): 🚀 publish traefik 39.0.0 and crds 1.14.0 #​1631 by @​darkweaver87

v38.0.2

Compare Source

Upgrades Notes

There is a breaking change on CRDs between Traefik Hub v3.18.0 and inferior and the CRDs of Traefik Hub v3.19.0+ preview versions (ea & rc).
With this release, we remove the CRDs of Traefik Hub v3.19.0 preview versions.

When Traefik Hub v3.19.0 is GA, we will release a new major version of this Chart that will only accept Traefik Hub v3.19.0+ versions.

🚀 Features

• feat(deps): update traefik docker tag to v3.6.6 #​1610 by @​renovate[bot]

🐛 Bug fixes

• fix(CRDs): enforce the fact that this Chart does not support Traefik Hub v3.19.0 #​1616 by @​mloiseleur
• fix(security): set the seccomp profile to RuntimeDefault #​1618 by @​kkrypt0nn

📦 Others

• docs(CRDs): add deprecation notice #​1617 by @​mloiseleur
• chore(release): publish traefik 38.0.2 and crds 1.13.1 #​1619 by @​mloiseleur

New Contributors

• @​kkrypt0nn made their first contribution in #​1618

Full Changelog: traefik/traefik-helm-chart@v38.0.1...v38.0.2

v38.0.1

Compare Source

🐛 Bug fixes

• fix(ports): 🐛 http.encodedCharacters on custom entrypoints #​1606 by @​mloiseleur
• fix(ports): 🐛 add missing http.maxHeaderBytes option #​1604 by @​mloiseleur

📦 Others

• chore(release): 🚀 publish traefik 38.0.1 #​1608 by @​mloiseleur

v38.0.0

Compare Source

Upgrades Notes

[!IMPORTANT]
CRDs has to be upgraded before the Chart. See UPGRADING instructions.

There are two breaking changes in this release:

1. Traefik Proxy v3.6.4+ contains a security fix that is also a breaking change. See upstream documentation for more details.
2. PR #​1596 align kubernetesIngressNginx provider setting with upstream. There is a before / after example in the PR description and PR #​1587 align labelSelector syntax between providers

[!NOTE]
If you need to restore Traefik behavior of v3.6.3 or inferior, it can be set with values.

Here is an example on websecure entrypoint:

ports:
  websecure:
    http:
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedBackSlash: true
        allowEncodedNullCharacter: true
        allowEncodedSemicolon: true
        allowEncodedPercent: true
        allowEncodedQuestionMark: true
        allowEncodedHash: true
      sanitizePath: false

This is not recommended, it may expose you to GHSA-gm3x-23wp-hc2c.

💥 BREAKING CHANGES

• fix(providers)!: align labelSelector for kubernetesGateway and knative #​1587 by @​shubhamch71
• fix(nginx)!: 🐛 align provider settings and provide required rbac #​1596 by @​mloiseleur

🚀 Features

• feat(CRDs): update Traefik Hub to v1.24.1, with required RBACs #​1571 by @​jspdown
• feat(ports): enforce schema #​1586 by @​remyj38
• feat(CRDs): update Traefik Hub to v1.24.2 #​1585 by @​traefiker
• feat(providers): ✨ enforce schema #​1595 by @​mloiseleur
• feat(security): ✨ 🔒️ add support for request path options of traefik 3.6.4+ #​1594 by @​mloiseleur
• feat(deps): update traefik docker tag to v3.6.4 #​1590 by @​renovate[bot]
• feat(deps): update traefik docker tag to v3.6.5 #​1599 by @​renovate[bot]

🐛 Bug fixes

• fix: update error message for maxUnavailable validation #​1591 by @​lucasra1
• fix(notes): minor typo #​1593 by @​rndmh3ro
• fix(pvc): allow empty storageClassName #​1579 by @​fopina
• fix(providers): ✨ enforce schema for all providers #​1601 by @​mloiseleur

📦 Others

• chore(deps): update actions/checkout action to v6 #​1573 by @​renovate[bot]
• docs: Update EXAMPLES.md with REGIONAL load balancer note for Digital Ocean #​1574 by @​kamikazechaser
• chore(release): 🚀 publish traefik 38.0.0 and crds 1.13.0 #​1600 by @​mloiseleur

New Contributors

• @​shubhamch71 made their first contribution in #​1587
• @​kamikazechaser made their first contribution in #​1574
• @​lucasra1 made their first contribution in #​1591
• @​remyj38 made their first contribution in #​1586
• @​rndmh3ro made their first contribution in #​1593
• @​fopina made their first contribution in #​1579

Full Changelog: traefik/traefik-helm-chart@v37.4.0...v38.0.0

v37.4.0

Compare Source

🚀 Features

• feat(deps): update traefik docker tag to v3.6.1 #​1564 by @​renovate[bot]
• feat(deps): update traefik docker tag to v3.6.2 #​1570 by @​renovate[bot]
• feat(plugins): support ConfigMap inline local plugins alongside hostPath #​1492 by @​cilasbeltrame
• feat: allow publishedService to be set without service being enabled #​1565 by @​Wieneo
• feat: 🚀 add support of Nginx provider #​1569 by @​darkweaver87

📦 Others

• docs(example): multiple gateways example #​1539 by @​moonlight8978
• chore(release): 🚀 publish traefik 37.4.0 #​1572 by @​darkweaver87

v37.3.0

Compare Source

[!IMPORTANT]
CRDs has to be upgraded before the Chart. See UPGRADING instructions.

🚀 Features

• feat(deps): update traefik docker tag to v3.5.4 #​1544 by @​renovate[bot]
• feat(CRDs): update for Traefik Proxy v3.6 and Gateway API v1.4.0 #​1551 by @​bpsoraggi
• feat: knative provider #​1552 by @​bpsoraggi
• feat(CRDs): update Traefik Hub to v1.23.1 #​1546 by @​traefiker
• feat(deps): update traefik docker tag to v3.6.0 #​1558 by @​renovate[bot]

🐛 Bug fixes

• fix: add missing flag arg #​1545 by @​msaah-cleric

📦 Others

• chore(deps): update helm/kind-action action to v1.13.0 #​1549 by @​renovate[bot]
• chore(deps): update mikepenz/release-changelog-builder-action action to v6 #​1547 by @​renovate[bot]
• docs: 📚 fix comment grammar in values #​1556 & #​1554 by @​ehpc
• chore(release): 🚀 publish traefik 37.3.0 and 1.12.0 #​1559 by @​mloiseleur

New Contributors

• @​msaah-cleric made their first contribution in #​1545
• @​ehpc made their first contribution in #​1554

Full Changelog: traefik/traefik-helm-chart@v37.2.0...v37.3.0

v37.2.0

Compare Source

🚀 Features

• feat(traefik-hub): add mcpgateway option #​1526 by @​mmatur
• feat(metrics): 📈 add OTLP resourceAttributes support #​1530 by @​darkweaver87
• feat(logs): 📝 add missing support of OTLP logs #​1531 by @​darkweaver87
• feat(observability): 🔍 add per entrypoint observability #​1532 by @​darkweaver87
• feat: make dashboard toggleable #​1540 by @​bpsoraggi
• feat: support API basePath #​1541 by @​darkweaver87
• feat: 📦 support Traefik Hub v3.18 pluginRegistry feature #​1534 by @​darkweaver87

📦 Others

• chore(deps): update quay.io/helmpack/chart-testing docker tag to v3.14.0 #​1527 by @​renovate[bot]
• chore(hub): 🔀 update hub and proxy mapping for v3.18 #​1535 by @​darkweaver87
• chore(release): 🚀 publish traefik 37.2.0 #​1542 by @​darkweaver87

v37.1.2

Compare Source

🚀 Features

• feat(CRDs): update for Traefik to v3.5.3 #​1523 by @​darkweaver87
• feat(deps): update traefik docker tag to v3.5.3 + add plugin hash option #​1521 by @​renovate[bot]

🐛 Bug fixes

• fix(CRDs): ✨ update for Traefik Proxy v3.5.2 #​1518 by @​mloiseleur
• fix(observability): tracer creation warning with default security context #​1517 by @​weijiany

📦 Others

• chore(release): 🚀 publish traefik 37.1.2 and crds 1.11.1 #​1524 by @​darkweaver87

v37.1.1

Compare Source

🚀 Features

• feat(hub): allow to specify admission controller certificate from existing secret #​1506 by @​NEwa-05
• feat(deps): update traefik docker tag to v3.5.2 #​1512 by @​renovate[bot]
• feat(accesslog): ✨ add genericCLF format #​1513 by @​mloiseleur

📦 Others

• chore(deps): update actions/setup-go action to v6 #​1511 by @​renovate[bot]
• chore(release): 🚀 publish v37.1.1 #​1514 by @​mloiseleur

New Contributors

• @​NEwa-05 made their first contribution in #​1506

Full Changelog: traefik/traefik-helm-chart@v37.1.0...v37.1.1

v37.1.0

Compare Source

🚀 Features

• feat(deps): update traefik docker tag to v3.5.1 #​1504 by @​renovate[bot]
• feat(deployment): add chart value timezone that automatically configures access logs timezone #​1503 by @​KyriosGN0
• feat(hooks): use now stable prestop command syntax #​1505 by @​jnoordsij
• feat(hub): add annotations for webhook admission #​1508 by @​bpsoraggi
• feat: support custom monitoring api #​1498 by @​zalbiraw
• feat(CRDs): update Traefik Hub to v1.21.1 #​1507 by @​traefiker
• feat: support Traefik v3.5 features #​1509 by @​bpsoraggi

🐛 Bug fixes

• fix(deployment): allow to disable checkNewVersion via values.yaml #​1489 by @​KyriosGN0
• fix: prevent blank lines in args #​1497 by @​florianspk

📦 Others

• docs(readme): linguistic inconsistencies and verification section #​1491 by @​bpsoraggi
• refactor: only render --global.checkNewVersion when it differs from default #​1493 by @​ChristianCiach
• chore(deps): update actions/checkout action to v5 #​1494 by @​renovate[bot]
• refactor: remove $root hacks in favor of using `- #​1495 by @​jnoordsij
• docs(plugins): Sync VALUES.md #​1499 by @​Frankst2
• chore(release): 🚀 Publish 37.1.0 and 1.11.0 #​1510 by @​bpsoraggi

New Contributors

• @​KyriosGN0 made their first contribution in #​1489
• @​ChristianCiach made their first contribution in #​1493
• @​florianspk made their first contribution in #​1497
• @​Frankst2 made their first contribution in #​1499

Full Changelog: traefik/traefik-helm-chart@v37.0.0...v37.1.0

v37.0.0

Compare Source

💥 BREAKING CHANGES

• feat(gateway-api)!: support selector for namespace policy #​1465 by @​ajago

🚀 Features

• feat(podtemplate): add capacity to set GOMEMLIMIT with default at 90% of user-set memory limit #​1418 by @​shlomitubul
• feat(podtemplate): add support for localPlugins #​1473 by @​bpsoraggi
• feat(CRDs): update Traefik Hub to v1.21.0 #​1480 by @​traefiker
• feat(hub): offline mode #​1477 by @​jspdown
• feat(CRDs): update for Traefik Proxy v3.5 and Gateway API v1.3.0 #​1486 by @​bpsoraggi
• feat(deps): update traefik docker tag to v3.5.0 #​1478 by @​renovate[bot]

🐛 Bug fixes

• fix(Deployment): revision history should be disableable #​1470 by @​bpsoraggi
• fix(entryPoint): allow scheme to be unset on redirect #​1471 by @​bpsoraggi
• fix(observability): allow tracing.sampleRate to be set to zero #​1483 by @​yogeek
• fix(CI): helm signing #​1490 by @​bpsoraggi

📦 Others

• chore(ci): add linter for CRDs and kustomization consistency #​1472 by @​bpsoraggi
• docs(plugins): improve wording and sync with VALUES.md #​1481 by @​jnoordsij
• chore(ci): check docs on all PRs #​1484 by @​jnoordsij
• docs: 📚️ add markdown linter #​1469 by @​mloiseleur
• chore(deps): update appany/helm-oci-chart-releaser action to v0.5.0 #​1479 by @​renovate[bot]
• chore(ci): add signing to release #​1474 by @​bpsoraggi
• chore(release): 🚀 Publish 37.0.0 and 1.10.0 #​1488 by @​bpsoraggi

New Contributors

• @​shlomitubul made their first contribution in #​1418
• @​bpsoraggi made their first contribution in #​1470
• @​yogeek made their first contribution in #​1483
• @​ajago made their first contribution in #​1465

Full Changelog: traefik/traefik-helm-chart@v36.3.0...v37.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[pipelines-github-app]

--- main/traefik_gitops_manifests_traefik_k0s_manifest_main.yaml	2026-02-12 04:55:05.885495733 +0000
+++ pr/traefik_gitops_manifests_traefik_k0s_manifest_pr.yaml	2026-02-12 04:55:05.227496599 +0000
@@ -1,442 +0,0 @@
----
-# Source: traefik/charts/traefik/templates/poddisruptionbudget.yaml
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: traefik
-  namespace: default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
-  maxUnavailable: 1
----
-# Source: traefik/charts/traefik/templates/rbac/serviceaccount.yaml
-kind: ServiceAccount
-apiVersion: v1
-metadata:
-  name: traefik
-  namespace: default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-automountServiceAccountToken: false
----
-# Source: traefik/charts/traefik/templates/rbac/clusterrole.yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - nodes
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-    resources:
-      - ingressroutes
-      - ingressroutetcps
-      - ingressrouteudps
-      - middlewares
-      - middlewaretcps
-      - serverstransports
-      - serverstransporttcps
-      - tlsoptions
-      - tlsstores
-      - traefikservices
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: traefik/charts/traefik/templates/rbac/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: traefik-default
-subjects:
-  - kind: ServiceAccount
-    name: traefik
-    namespace: default
----
-# Source: traefik/charts/traefik/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik
-  namespace: default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-spec:
-  type: LoadBalancer
-  selector:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-  ipFamilyPolicy: PreferDualStack
-  ports:
-  - port: 80
-    name: web
-    targetPort: web
-    protocol: TCP
-  - port: 443
-    name: websecure
-    targetPort: websecure
-    protocol: TCP
----
-# Source: traefik/charts/traefik/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: traefik
-  namespace: default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 0
-      maxSurge: 1
-  minReadySeconds: 0
-  template: 
-    metadata:
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/path: "/metrics"
-        prometheus.io/port: "9100"
-      labels:
-        app.kubernetes.io/name: traefik
-        app.kubernetes.io/instance: traefik-default
-        helm.sh/chart: traefik-36.3.0
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: traefik
-      automountServiceAccountToken: true
-      terminationGracePeriodSeconds: 60
-      hostNetwork: false
-      containers:
-      - image: docker.io/traefik:v3.6.8
-        imagePullPolicy: IfNotPresent
-        name: traefik
-        resources:
-        readinessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-            scheme: HTTP
-          failureThreshold: 1
-          initialDelaySeconds: 2
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 2
-        livenessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-            scheme: HTTP
-          failureThreshold: 3
-          initialDelaySeconds: 2
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 2
-        lifecycle:
-        ports:
-        - name: metrics
-          containerPort: 9100
-          protocol: TCP
-        - name: traefik
-          containerPort: 8080
-          protocol: TCP
-        - name: web
-          containerPort: 8000
-          protocol: TCP
-        - name: websecure
-          containerPort: 8443
-          protocol: TCP
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-        volumeMounts:
-          - name: data
-            mountPath: /data
-          - name: tmp
-            mountPath: /tmp
-        args:
-          - "--global.checkNewVersion"
-          - "--entryPoints.metrics.address=:9100/tcp"
-          - "--entryPoints.traefik.address=:8080/tcp"
-          - "--entryPoints.web.address=:8000/tcp"
-          - "--entryPoints.websecure.address=:8443/tcp"
-          - "--api.dashboard=true"
-          - "--ping=true"
-          - "--metrics.prometheus=true"
-          - "--metrics.prometheus.entrypoint=metrics"
-          - "--providers.kubernetescrd"
-          - "--providers.kubernetescrd.allowCrossNamespace=true"
-          - "--providers.kubernetescrd.allowExternalNameServices=true"
-          - "--providers.kubernetescrd.allowEmptyServices=true"
-          - "--providers.kubernetesingress"
-          - "--providers.kubernetesingress.allowExternalNameServices=true"
-          - "--providers.kubernetesingress.allowEmptyServices=true"
-          - "--providers.kubernetesingress.ingressendpoint.publishedservice=default/traefik"
-          - "--entryPoints.web.http.redirections.entryPoint.to=:443"
-          - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
-          - "--entryPoints.websecure.http.tls=true"
-          - "--log.level=TRACE"
-          
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-      volumes:
-        - name: data
-          emptyDir: {}
-        - name: tmp
-          emptyDir: {}
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/control-plane
-          operator: Exists
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/master
-          operator: Exists
-      priorityClassName: system-cluster-critical
-      securityContext:
-        runAsGroup: 65532
-        runAsNonRoot: true
-        runAsUser: 65532
----
-# Source: traefik/charts/traefik/templates/ingressclass.yaml
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  annotations:
-    ingressclass.kubernetes.io/is-default-class: "true"
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-  name: traefik
-spec:
-  controller: traefik.io/ingress-controller
----
-# Source: traefik/templates/extsecret-wildcard-cert.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: fredcorp-wildcard
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: admin
-    kind: ClusterSecretStore
-  target:
-    name: fredcorp-wildcard
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/tls
-      data:
-        tls.crt: '{{ .p12 | pkcs12cert  }}'
-        tls.key: '{{ .p12 | pkcs12key }}'
-  data:
-    - secretKey: p12
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: Base64
-        metadataPolicy: None
-        key: wildcard/fredcorp
-        property: p12
----
-# Source: traefik/templates/extsecret-wildcard-cert.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: k0s-fullstack-wildcard
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: admin
-    kind: ClusterSecretStore
-  target:
-    name: k0s-fullstack-wildcard
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/tls
-      data:
-        tls.crt: '{{ .p12 | pkcs12cert  }}'
-        tls.key: '{{ .p12 | pkcs12key }}'
-  data:
-    - secretKey: p12
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: Base64
-        metadataPolicy: None
-        key: wildcard/k0s-fullstack
-        property: p12
----
-# Source: traefik/templates/ingressRoute-dashboard.yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-k0s-dashboard
-spec:
-  entryPoints:
-    - web
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`traefik.k0s-fullstack.fredcorp.com`)
-      middlewares:
-        - name: authentik
-          namespace: traefik
-      priority: 10
-      services:
-        - kind: TraefikService
-          name: api@internal
-          namespace: traefik
-    - kind: Rule
-      match: Host(`traefik.k0s-fullstack.fredcorp.com`) && PathPrefix(`/outpost.goauthentik.io/`)
-      priority: 15
-      services:
-        - kind: Service
-          name: ak-outpost-authentik-embedded-outpost
-          namespace: authentik
-          port: 9000
----
-# Source: traefik/templates/auth-middleware.yaml
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: authentik
-spec:
-  forwardAuth:
-    # This address should point to the cluster endpoint provided by the kubernetes service, not the Ingress.
-    address: http://ak-outpost-authentik-embedded-outpost.authentik:9000/outpost.goauthentik.io/auth/traefik
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-authentik-username
-      - X-authentik-groups
-      - X-authentik-entitlements
-      - X-authentik-email
-      - X-authentik-name
-      - X-authentik-uid
-      - X-authentik-jwt
-      - X-authentik-meta-jwks
-      - X-authentik-meta-outpost
-      - X-authentik-meta-provider
-      - X-authentik-meta-app
-      - X-authentik-meta-version
-      - authorization
----
-# Source: traefik/templates/hsts-middleware.yaml
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: hsts
-spec:
-  headers:
-    stsSeconds: 31536000
-    stsIncludeSubdomains: true
-    stsPreload: true
-    forceSTSHeader: true
----
-# Source: traefik/charts/traefik/templates/tlsstore.yaml
-apiVersion: traefik.io/v1alpha1
-kind: TLSStore
-metadata:
-  name: default
-  namespace: default
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/instance: traefik-default
-    helm.sh/chart: traefik-36.3.0
-    app.kubernetes.io/managed-by: Helm
-spec:
-  defaultCertificate:
-    secretName: k0s-fullstack-wildcard