From eda78120c57d2f248675526050b747d1f218119d Mon Sep 17 00:00:00 2001 
From: Chris Werner Rau Date: Tue, 18 Mar 2025 10:09:36 +0100 Subject: [PATCH] feat(base-cluster/ingress)!: add option traefik for ingress controller and make it default --- charts/base-cluster/README.md.gotmpl | 63 ++++++- .../base-cluster/ci/artifacthub-values-2.yaml | 6 + .../base-cluster/ci/artifacthub-values.yaml | 2 +- .../ci/disabled-ingress-values.yaml | 2 +- .../ci/traefik-ingress-values.yaml | 2 + charts/base-cluster/templates/NOTES.txt | 2 +- .../base-cluster/templates/backup/velero.yaml | 4 +- .../templates/cert-manager/cert-manager.yaml | 8 +- .../templates/cert-manager/clusterissuer.yaml | 3 +- .../rules/certificate-expiration.yaml | 2 +- .../templates/descheduler/descheduler.yaml | 2 +- .../templates/dns/external-dns.yaml | 11 +- .../templates/flux/podMonitor.yaml | 2 +- .../templates/flux/rules/flux-status.yaml | 2 +- .../templates/global/cluster-ingress.yaml | 2 +- .../templates/ingress/gateway-api.yaml | 33 ++++ .../base-cluster/templates/ingress/nginx.yaml | 6 +- .../templates/ingress/traefik.yaml | 89 ++++++++++ .../templates/ingress/validation.tpl | 22 ++- .../templates/kyverno/kyverno.yaml | 2 +- .../templates/monitoring/alloy.yaml | 154 +++++++++--------- .../templates/monitoring/kdave/kdave.yaml | 2 +- .../rules/releases-with-deprecation.yaml | 2 +- .../_alertmanager-config.yaml | 2 +- .../_grafana-config.yaml | 13 +- .../kube-prometheus-stack/_helpers.yaml | 2 +- .../_kube-state-metrics-config.yaml | 2 +- .../_node-exporter-config.yaml | 2 +- .../_prometheus-stack-config.yaml | 2 +- .../_prometheus_config.yaml | 8 +- .../templates/monitoring/logs/loki.yaml | 2 +- .../templates/monitoring/security/trivy.yaml | 2 +- .../monitoring/tracing/grafana-tempo.yaml | 2 +- .../rules/storage-size.yaml | 2 +- .../templates/tetragon/tetragon.yaml | 2 +- charts/base-cluster/values.schema.json | 63 +++++-- charts/base-cluster/values.yaml | 17 +- 37 files changed, 400 insertions(+), 144 deletions(-) create mode 100644 
charts/base-cluster/ci/artifacthub-values-2.yaml create mode 100644 charts/base-cluster/ci/traefik-ingress-values.yaml create mode 100644 charts/base-cluster/templates/ingress/gateway-api.yaml create mode 100644 charts/base-cluster/templates/ingress/traefik.yaml diff --git a/charts/base-cluster/README.md.gotmpl b/charts/base-cluster/README.md.gotmpl index db0c0c4cd2..1194534dbb 100644 --- a/charts/base-cluster/README.md.gotmpl +++ b/charts/base-cluster/README.md.gotmpl @@ -107,8 +107,16 @@ which is also supported by [cert-manager](https://cert-manager.io/docs/configura ### Component [ingress](#ingress) -The included [`nginx` ingress-controller](https://docs.nginx.com/nginx-ingress-controller) -only works for the `IngressClassName: nginx`. +The chart supports two ingress controllers: + +1. [`nginx` ingress-controller](https://docs.nginx.com/nginx-ingress-controller) (default) + - Works with `IngressClassName: nginx` or if none is defined + - Provides built-in metrics and tracing support + +2. [`traefik`](https://traefik.io) (recommended) + - Works with `IngressClassName: ingress-controller` or if none is defined + - Provides built-in metrics and tracing support + - Also supports [Gateway API](https://gateway-api.sigs.k8s.io) #### TLS @@ -122,7 +130,7 @@ only works for the `IngressClassName: nginx`. If you want to make sure that, in the event of a catastrophic failure, you keep the same IP address, you should roll this out, get the assigned IP -(`kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress}'`) +(`kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress}'` for nginx or `kubectl -n ingress get svc ingress-controller -o jsonpath='{.status.loadBalancer.ingress}'` for traefik) and set `.ingress.IP=` in the values. This makes sure the IP is kept in your project (may incur cost!), which means you can reuse it later or after recovery. 
@@ -336,4 +344,53 @@ This also replaces `promtail` and the `otel-collector` with `alloy`, using makes this a drop-in change. +### 8.x.x -> 9.0.0 + +This release adds another option for ingress, [traefik](https://traefik.io)! 🎉 + +If you have disabled ingress in your configuration, you need to update your +values from: + +```yaml +ingress: + enabled: false +``` + +to: + +```yaml +ingress: + provider: none +``` + +If you are using ingress (the default), you need to either switch over to traefik +or adjust your config to use nginx. +But we do recommend using traefik, especially in light of . + +To switch to traefik you don't need to do anything. + +This will delete the old service which in turn will get you a new IP. +The `ingress-nginx` namespace will be deleted, so make sure you don't have any other +stuff deployed there or adjust its [condition](https://github.com/teutonet/teutonet-helm-charts/tree/main/charts/base-cluster/#11412--property-base-cluster-configuration--global--namespaces--additionalproperties--condition) + +Using a [DNS Provider](#component-dns) will automatically update your DNS records. + +If you want to keep the same IP, do + +beforehand. + +The switch will still create downtime, so be aware of that. + +In nginx it was possible to enable `allowNginxConfigurationSnippets` to add custom +configuration to the nginx ingress controller. +In traefik this is not possible, but you can use [gateway api](https://gateway-api.sigs.k8s.io) +instead, making this agnostic. + +If you want to keep nginx, you need to configure the following; + +```yaml +ingress: + provider: nginx +``` + {{ .Files.Get "values.md" }} diff --git a/charts/base-cluster/ci/artifacthub-values-2.yaml b/charts/base-cluster/ci/artifacthub-values-2.yaml new file mode 100644 index 0000000000..00cd740043 --- /dev/null +++ b/charts/base-cluster/ci/artifacthub-values-2.yaml 
@@ -0,0 +1,6 @@ +global: + clusterName: test + baseDomain: example.com + serviceLevelAgreement: None +ingress: + provider: traefik diff --git a/charts/base-cluster/ci/artifacthub-values.yaml b/charts/base-cluster/ci/artifacthub-values.yaml index 10a1211af8..9865d94297 100644 --- a/charts/base-cluster/ci/artifacthub-values.yaml +++ b/charts/base-cluster/ci/artifacthub-values.yaml @@ -53,7 +53,7 @@ kube-janitor: descheduler: enabled: true ingress: - enabled: true + provider: nginx reflector: enabled: true dns: diff --git a/charts/base-cluster/ci/disabled-ingress-values.yaml b/charts/base-cluster/ci/disabled-ingress-values.yaml index 9c60e56672..e224c3afcd 100644 --- a/charts/base-cluster/ci/disabled-ingress-values.yaml +++ b/charts/base-cluster/ci/disabled-ingress-values.yaml @@ -1,2 +1,2 @@ ingress: - enabled: false + provider: none diff --git a/charts/base-cluster/ci/traefik-ingress-values.yaml b/charts/base-cluster/ci/traefik-ingress-values.yaml new file mode 100644 index 0000000000..853c4e4e43 --- /dev/null +++ b/charts/base-cluster/ci/traefik-ingress-values.yaml @@ -0,0 +1,2 @@ +ingress: + provider: traefik diff --git a/charts/base-cluster/templates/NOTES.txt b/charts/base-cluster/templates/NOTES.txt index 4b5d5b9eb4..08f6b2784a 100644 --- a/charts/base-cluster/templates/NOTES.txt +++ b/charts/base-cluster/templates/NOTES.txt 
@@ -20,7 +20,7 @@ === You can access your grafana instance via -{{- if and .Values.ingress.enabled .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }} +{{- if and (ne .Values.ingress.provider "none") .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }} {{- printf "https://%s" (include "base-cluster.grafana.host" $) | nindent 2 }} {{- else }} {{- printf "$ kubectl -n monitoring port-forward svc/kube-prometheus-stack-grafana 3000:http-web" | nindent 2 }} diff --git a/charts/base-cluster/templates/backup/velero.yaml b/charts/base-cluster/templates/backup/velero.yaml index 48fcc38864..7b72def267 100644 --- a/charts/base-cluster/templates/backup/velero.yaml +++ b/charts/base-cluster/templates/backup/velero.yaml @@ -90,11 +90,11 @@ spec: uploaderType: restic metrics: serviceMonitor: - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 10 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }} enabled: true prometheusRule: enabled: true - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 10 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }} spec: - alert: VeleroBackupFailures annotations: diff --git a/charts/base-cluster/templates/cert-manager/cert-manager.yaml b/charts/base-cluster/templates/cert-manager/cert-manager.yaml index 21119f9ab3..0976e11f3d 100644 --- a/charts/base-cluster/templates/cert-manager/cert-manager.yaml +++ b/charts/base-cluster/templates/cert-manager/cert-manager.yaml 
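Review bot: The new `(ne .Values.ingress.provider "none")` test treats every value other than the literal `none` as "an ingress controller is present", so a misspelled provider (a constructed example: `provider: Traefik`) silently renders the ClusterIssuer, cluster-ingress and Grafana ingress while neither ingress/nginx.yaml nor ingress/traefik.yaml, both gated on an exact `eq`, produce a controller. The same test recurs in this patch in cert-manager/clusterissuer.yaml, global/cluster-ingress.yaml, kube-prometheus-stack/_grafana-config.yaml and kube-prometheus-stack/_helpers.yaml. values.schema.json is also changed here but not shown; unless it pins `provider` to an enum, ingress/validation.tpl should reject unknown values up front: `{{- if not (has .Values.ingress.provider (list "none" "nginx" "traefik")) -}}` / `{{- fail (printf "unsupported ingress.provider %q" .Values.ingress.provider) -}}` / `{{- end -}}`.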
@@ -40,6 +40,12 @@ spec: extraArgs: - --dns01-recursive-nameservers={{- $nameservers | sortAlpha | join "," }} {{- end }} + {{- if eq .Values.ingress.provider "traefik" }} + config: + apiVersion: controller.config.cert-manager.io/v1alpha1 + kind: ControllerConfiguration + enableGatewayAPI: true + {{- end }} resources: {{- include "common.resources" $.Values.certManager | nindent 6 }} replicaCount: 1 securityContext: &securityContext @@ -65,4 +71,4 @@ spec: enabled: {{ .Values.monitoring.prometheus.enabled }} servicemonitor: enabled: {{ .Values.monitoring.prometheus.enabled }} - labels: {{- toYaml .Values.monitoring.labels | nindent 10 }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }} diff --git a/charts/base-cluster/templates/cert-manager/clusterissuer.yaml b/charts/base-cluster/templates/cert-manager/clusterissuer.yaml index 45dc87d5b4..a3cb956b73 100644 --- a/charts/base-cluster/templates/cert-manager/clusterissuer.yaml +++ b/charts/base-cluster/templates/cert-manager/clusterissuer.yaml 
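Review bot: `enableGatewayAPI: true` is set whenever the provider is traefik, but nothing here orders cert-manager after the gateway-api Kustomization added in ingress/gateway-api.yaml; cert-manager's Gateway API support needs the Gateway CRDs to exist when the controller starts and, as far as I recall, the controller refuses to start without them, so a fresh cluster can end up with cert-manager crash-looping until the CRDs land. The HelmRelease's `dependsOn` is outside this hunk and a HelmRelease can, to my knowledge, only depend on other HelmReleases, so the ordering cannot be expressed against the Kustomization directly; at minimum a comment above `config:` such as `# requires the Gateway API CRDs from ingress/gateway-api.yaml; cert-manager will not start without them` would record the constraint, or the CRDs could be delivered from a HelmRelease that cert-manager can depend on.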
@@ -1,4 +1,4 @@ -{{- if and .Values.certManager.email .Values.ingress.enabled }} +{{- if and .Values.certManager.email (ne .Values.ingress.provider "none") }} {{- include "base-cluster.helm.resourceWithDependencies" (dict "name" "clusterissuer-letsencrypt-production" "resource" (include "base-cluster.cert-manager.clusterIssuer" (dict "name" "production" "url" "https://acme-v02.api.letsencrypt.org/directory" "context" $)) "dependencies" (dict "cert-manager" "cert-manager") "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "cert-manager")) }} --- {{- include "base-cluster.helm.resourceWithDependencies" (dict "name" "clusterissuer-letsencrypt-staging" "resource" (include "base-cluster.cert-manager.clusterIssuer" (dict "name" "staging" "url" "https://acme-staging-v02.api.letsencrypt.org/directory" "context" $)) "dependencies" (dict "cert-manager" "cert-manager") "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "cert-manager")) }} @@ -33,7 +33,6 @@ spec: {{- end }} - http01: ingress: - class: nginx serviceType: ClusterIP privateKeySecretRef: name: letsencrypt-{{ .name }}-account diff --git a/charts/base-cluster/templates/cert-manager/rules/certificate-expiration.yaml b/charts/base-cluster/templates/cert-manager/rules/certificate-expiration.yaml index 91db2a6536..41b0a046e1 100644 --- a/charts/base-cluster/templates/cert-manager/rules/certificate-expiration.yaml +++ b/charts/base-cluster/templates/cert-manager/rules/certificate-expiration.yaml @@ -9,7 +9,7 @@ metadata: name: certificate-expiration namespace: cert-manager labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- with .Values.monitoring.labels }}{{ toYaml . | nindent 4 }}{{- end }} + {{- with .Values.monitoring.labels }}{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} app.kubernetes.io/component: prometheus app.kubernetes.io/part-of: cert-manager spec: 
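Review bot: Dropping `class: nginx` from the http01 solver means the ACME challenge Ingress is now created without an ingress class for both providers; ingress-nginx ignores class-less Ingresses unless it is configured as the default class or with `watchIngressWithoutClass`, and the nginx HelmRelease values are not visible in this patch, so with `provider: nginx` HTTP-01 challenges may stop being served (the README hunk claims class-less Ingresses work with nginx, which presumably relies on such a setting — worth confirming). Keeping the class conditional preserves the old behaviour: `{{- if eq .context.Values.ingress.provider "nginx" }}` / `class: nginx` / `{{- end }}`, where `.context` follows from the `"context" $` argument this template is invoked with in the first hunk. The clusterIssuer template body continues outside the hunk.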
diff --git a/charts/base-cluster/templates/descheduler/descheduler.yaml b/charts/base-cluster/templates/descheduler/descheduler.yaml index 80e5a05899..c2a392b2b5 100644 --- a/charts/base-cluster/templates/descheduler/descheduler.yaml +++ b/charts/base-cluster/templates/descheduler/descheduler.yaml @@ -44,7 +44,7 @@ spec: enabled: true serviceMonitor: enabled: true - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 8 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 8 }} {{- end }} deschedulerPolicy: {{- $telemetryConf := include "common.telemetry.conf" (dict "protocol" "otlp") | fromYaml }} {{- if and $telemetryConf.enabled .Values.monitoring.prometheus.enabled }} diff --git a/charts/base-cluster/templates/dns/external-dns.yaml b/charts/base-cluster/templates/dns/external-dns.yaml index 898f52f1db..61ba0e1776 100644 --- a/charts/base-cluster/templates/dns/external-dns.yaml +++ b/charts/base-cluster/templates/dns/external-dns.yaml @@ -31,6 +31,10 @@ spec: - name: kube-prometheus-stack namespace: monitoring {{- end }} + install: + crds: Skip + upgrade: + crds: Skip values: priorityClassName: cluster-components {{- if .Values.global.imageRegistry }} @@ -47,6 +51,11 @@ spec: {{- end }} sources: - ingress + - gateway-httproute + - gateway-grpcroute + - gateway-tlsroute + - gateway-tcproute + - gateway-udproute rbac: create: true crd: @@ -71,5 +80,5 @@ spec: enabled: {{ .Values.monitoring.prometheus.enabled }} serviceMonitor: enabled: {{ .Values.monitoring.prometheus.enabled }} - labels: {{- toYaml .Values.monitoring.labels | nindent 10 }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }} {{- end -}} diff --git a/charts/base-cluster/templates/flux/podMonitor.yaml b/charts/base-cluster/templates/flux/podMonitor.yaml index 66e9a73443..b89bd1ffb2 100644 --- a/charts/base-cluster/templates/flux/podMonitor.yaml 
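Review bot: The five `gateway-*` sources in external-dns.yaml are added unconditionally, but the Gateway API CRDs are only installed when `ingress.provider` is `traefik` (ingress/gateway-api.yaml); with `provider: nginx` or `none`, external-dns is asked to watch resource types that do not exist, which in my experience makes it fail at startup rather than merely log. Gating the block on the provider, `{{- if eq .Values.ingress.provider "traefik" }}` before `- gateway-httproute` and `{{- end }}` after `- gateway-udproute`, keeps the nginx and none paths working. Even with traefik there is no ordering between this HelmRelease and the gateway-api Kustomization, so the first reconcile may still race the CRD install; a comment on the sources block noting that dependency would help the next reader.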
+++ b/charts/base-cluster/templates/flux/podMonitor.yaml @@ -9,7 +9,7 @@ metadata: name: flux namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- with .Values.monitoring.labels }}{{- toYaml . | nindent 4 }}{{- end }} + {{- with .Values.monitoring.labels }}{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} app.kubernetes.io/component: prometheus app.kubernetes.io/part-of: flux spec: diff --git a/charts/base-cluster/templates/flux/rules/flux-status.yaml b/charts/base-cluster/templates/flux/rules/flux-status.yaml index 18ad1facb5..988999dc56 100644 --- a/charts/base-cluster/templates/flux/rules/flux-status.yaml +++ b/charts/base-cluster/templates/flux/rules/flux-status.yaml @@ -9,7 +9,7 @@ metadata: name: flux-status namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- with .Values.monitoring.labels }}{{- toYaml . | nindent 4 }}{{- end }} + {{- with .Values.monitoring.labels }}{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} app.kubernetes.io/component: prometheus app.kubernetes.io/part-of: flux spec: diff --git a/charts/base-cluster/templates/global/cluster-ingress.yaml b/charts/base-cluster/templates/global/cluster-ingress.yaml index 21ec9ca663..6987559b26 100644 --- a/charts/base-cluster/templates/global/cluster-ingress.yaml +++ b/charts/base-cluster/templates/global/cluster-ingress.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.dns.provider .Values.global.baseDomain .Values.ingress.enabled }} +{{- if and .Values.dns.provider .Values.global.baseDomain (ne .Values.ingress.provider "none") }} {{- if false }} apiVersion: networking.k8s.io/v1 {{- else }} diff --git a/charts/base-cluster/templates/ingress/gateway-api.yaml b/charts/base-cluster/templates/ingress/gateway-api.yaml new file mode 100644 index 0000000000..832ed48048 --- /dev/null 
+++ b/charts/base-cluster/templates/ingress/gateway-api.yaml @@ -0,0 +1,33 @@ +{{- if eq .Values.ingress.provider "traefik" -}} +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: gateway-api + namespace: ingress + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: gateway-api +spec: + interval: 1h + url: https://github.com/kubernetes-sigs/gateway-api + ref: + semver: "1.2.1" + ignore: | + * + !config/crd/experimental +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: gateway-api + namespace: ingress + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: gateway-api +spec: + interval: 1h + path: config/crd/experimental + prune: true + sourceRef: + kind: GitRepository + name: gateway-api + namespace: ingress +{{- end -}} diff --git a/charts/base-cluster/templates/ingress/nginx.yaml b/charts/base-cluster/templates/ingress/nginx.yaml index 969a216bb5..0060d181c3 100644 --- a/charts/base-cluster/templates/ingress/nginx.yaml +++ b/charts/base-cluster/templates/ingress/nginx.yaml @@ -1,4 +1,4 @@ -{{ if .Values.ingress.enabled }} +{{- if eq .Values.ingress.provider "nginx" -}} apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: @@ -26,7 +26,7 @@ spec: enabled: {{ .Values.monitoring.prometheus.enabled }} serviceMonitor: enabled: {{ .Values.monitoring.prometheus.enabled }} - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 12 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 12 }} {{- $telemetryConf := include "common.telemetry.conf" (dict "protocol" "otlp") | fromYaml }} {{- if and $telemetryConf.enabled .Values.monitoring.prometheus.enabled }} opentelemetry: @@ -94,4 +94,4 @@ spec: image: registry: {{ .Values.global.imageRegistry }} {{- end }} - {{ end }} +{{- end -}} 
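Review bot: The Gateway API CRDs are pulled cluster-wide from the upstream Git repository by tag (`ref.semver: "1.2.1"`) with no commit pin and no signature verification, so whoever can move that tag can change the CRDs every Gateway and HTTPRoute in the cluster is validated against; a GitRepository `spec.verify` block or a `ref.commit` alongside the tag would make the source tamper-evident. The Kustomization also sets `prune: true` on CRDs, so if this object is later removed (for example by switching `provider` back to `nginx`, which stops rendering it) the kustomize-controller deletes the CRDs and with them every HTTPRoute/Gateway object in the cluster; `prune: false` or at least a comment warning about this seems warranted. The path is the experimental channel (`config/crd/experimental`), matching `experimentalChannel: true` in traefik.yaml, which is worth stating in a comment since experimental CRDs can change shape between minor releases.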
diff --git a/charts/base-cluster/templates/ingress/traefik.yaml b/charts/base-cluster/templates/ingress/traefik.yaml
new file mode 100644
index 0000000000..77556a4be2
--- /dev/null
+++ b/charts/base-cluster/templates/ingress/traefik.yaml
@@ -0,0 +1,89 @@
+{{- if eq .Values.ingress.provider "traefik" -}}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: ingress-controller
+ namespace: ingress
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: ingress
+spec:
+ chart:
+ spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "traefik" "chart" "traefik" "context" $) | nindent 6 }}
+ interval: 1h
+ driftDetection:
+ mode: enabled
+ {{- if .Values.monitoring.prometheus.enabled }}
+ dependsOn:
+ - name: kube-prometheus-stack
+ namespace: monitoring
+ {{- end }}
+ install:
+ crds: Skip
+ upgrade:
+ crds: Skip
+ values:
+ fullnameOverride: ingress-controller
+ {{- with .Values.global.imageRegistry }}
+ image:
+ registry: {{ . }}
+ {{- end }}
+ deployment:
+ replicas: {{ .Values.ingress.replicas }}
+ ports:
+ web:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
+ proxyProtocol:
+ insecure: {{ .Values.ingress.useProxyProtocol }}
+ websecure:
+ proxyProtocol:
+ insecure: {{ .Values.ingress.useProxyProtocol }}
+ service:
+ annotations:
+ loadbalancer.openstack.org/proxy-protocol: {{ .Values.ingress.useProxyProtocol | quote }}
+ load-balancer.hetzner.cloud/uses-proxyprotocol: {{ .Values.ingress.useProxyProtocol | quote }}
+ load-balancer.hetzner.cloud/disable-private-ingress: "true"
+ {{- if .Values.ingress.IP }}
+ loadbalancer.openstack.org/keep-floatingip: "true"
+ {{- end }}
+ {{- if .Values.ingress.IP }}
+ spec:
+ loadBalancerIP: {{ .Values.ingress.IP | quote }}
+ {{- end }}
+ gatewayClass:
+ name: default
+ gateway:
+ enabled: false # Gateways need to be created for each set of hostnames, therefore having a clusterwide one makes no sense
+ resources: {{- include "common.resources" .Values.ingress | nindent 8 }}
+ metrics:
+ enabled: {{ .Values.monitoring.prometheus.enabled }}
+ serviceMonitor:
+ enabled: {{ .Values.monitoring.prometheus.enabled }}
+ additionalLabels: {{- include 
"common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 12 }}
+ providers:
+ kubernetesCRD:
+ enabled: false
+ kubernetesGateway:
+ enabled: true
+ experimentalChannel: true
+ logs:
+ general:
+ format: json
+ globalArguments: # Otherwise these are on by default
+ - --global.sendanonymoususage=false
+ - --global.checknewversion=false
+ {{- $telemetryConf := include "common.telemetry.conf" (dict "protocol" "otlp" "global" .Values.global) | fromYaml }}
+ {{- if $telemetryConf.enabled }}
+ tracing:
+ otlp:
+ enabled: true
+ grpc:
+ endpoint: {{ $telemetryConf.endpoint }}
+ {{- if $telemetryConf.insecure }}
+ insecure: true
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/base-cluster/templates/ingress/validation.tpl b/charts/base-cluster/templates/ingress/validation.tpl
index e30bb6d050..5385a8f179 100644
--- a/charts/base-cluster/templates/ingress/validation.tpl
+++ b/charts/base-cluster/templates/ingress/validation.tpl
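Review bot: `proxyProtocol.insecure: {{ .Values.ingress.useProxyProtocol }}` on both the `web` and `websecure` entrypoints makes traefik accept a PROXY header from any peer, so anything that can reach the NodePort or pod directly (bypassing the load balancer) can spoof the client IP seen by access logs, rate limiting and any downstream IP allow-lists. Traefik's entrypoint option for this is `proxyProtocol.trustedIPs`, which should list the load balancer's source ranges instead; since those ranges are cloud-specific, a new value such as `ingress.proxyProtocolTrustedIPs` (constructed name) rendered as `trustedIPs: {{- toYaml . | nindent N }}`, with `insecure` kept only as a documented fallback when no ranges are configured, would be the safer default. The `loadbalancer.openstack.org/proxy-protocol` and hetzner annotations only switch the load-balancer side on and are fine as they are. The nginx values in ingress/nginx.yaml are not visible enough here to tell whether the old path had the same trust-everything behaviour, so this may just carry an existing weakness over rather than introduce it.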
@@ -1,6 +1,24 @@ +{{- if and (eq .Values.ingress.provider "traefik") .Values.ingress.allowNginxConfigurationSnippets -}} + {{- fail "allowNginxConfigurationSnippets cannot be enabled when using traefik as the ingress provider" -}} +{{- end -}} + +{{- if eq .Values.ingress.provider "traefik" -}} + {{- $existingNginx := lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "ingress-nginx" "ingress-nginx" -}} + {{- if $existingNginx -}} + {{- fail "Cannot switch to traefik while nginx is installed. If you want to switch to traefik, please delete the HelmRelease 'ingress-nginx/ingress-nginx' first. Note: You might want to set .Values.ingress.IP to the current nginx LoadBalancer IP to keep the same IP. Warning: Switching providers will cause downtime until the new provider is fully deployed." -}} + {{- end -}} +{{- else if eq .Values.ingress.provider "nginx" -}} + {{- $existingTraefik := lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "ingress" "ingress-controller" -}} + {{- if $existingTraefik -}} + {{- fail "Cannot switch to nginx while traefik is installed. If you want to switch to nginx, please delete the HelmRelease 'ingress/ingress-controller' first. Note: You might want to set .Values.ingress.IP to the current traefik LoadBalancer IP to keep the same IP. Warning: Switching providers will cause downtime until the new provider is fully deployed." 
-}} + {{- end -}} +{{- end -}} + {{- if .Values.ingress.IP -}} {{- $loadBalancerIP := (list nil) | first -}} - {{- $existingService := lookup "v1" "Service" "ingress-nginx" "ingress-nginx-controller" -}} + {{- $serviceName := (eq .Values.ingress.provider "traefik") | ternary "ingress-controller" "ingress-nginx-controller" -}} + {{- $serviceNamespace := (eq .Values.ingress.provider "traefik") | ternary "ingress" "ingress-nginx" -}} + {{- $existingService := lookup "v1" "Service" $serviceNamespace $serviceName -}} {{- if $existingService -}} {{- $existingSpecIP := $existingService.spec.loadBalancerIP -}} {{- if $existingSpecIP -}} @@ -21,6 +39,6 @@ {{- end -}} {{- end -}} {{- if and $loadBalancerIP (ne $loadBalancerIP .Values.ingress.IP) -}} - {{- fail "You cannot change the LoadBalancerIP on an existing service, if you really want to, please delete the service 'ingress-nginx/ingress-nginx-controller' beforehand" -}} + {{- fail (printf "You cannot change the LoadBalancerIP on an existing service, if you really want to, please delete the service '%s/%s' beforehand" $serviceNamespace $serviceName) -}} {{- end -}} {{- end -}} diff --git a/charts/base-cluster/templates/kyverno/kyverno.yaml b/charts/base-cluster/templates/kyverno/kyverno.yaml index 1f956b2f7e..f3607c880d 100644 --- a/charts/base-cluster/templates/kyverno/kyverno.yaml +++ b/charts/base-cluster/templates/kyverno/kyverno.yaml @@ -57,7 +57,7 @@ spec: {{- end }} serviceMonitor: enabled: {{ .Values.monitoring.prometheus.enabled }} - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 8 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 8 }} priorityClassName: system-cluster-critical # this only works in version 3 admissionController: diff --git a/charts/base-cluster/templates/monitoring/alloy.yaml b/charts/base-cluster/templates/monitoring/alloy.yaml index 183d98e014..7c42bd13e5 100644 
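Review bot: The new `fail` on an existing `ingress-nginx/ingress-nginx` HelmRelease contradicts the migration note added to README.md.gotmpl in this same patch, which says switching to traefik requires doing nothing and that the old service and the `ingress-nginx` namespace will be deleted automatically; under Flux the upgrade renders with cluster access, so `lookup` will find the old HelmRelease and the upgrade aborts with this message instead. Either the README should describe the manual deletion step (and the IP-preservation hint from the message), or the guard should be relaxed to match the documented behaviour. Note also that `lookup` returns an empty map in `helm template`/dry-run renders, so none of the ci/*-values.yaml cases exercise these branches; a short comment above the first `if`, like `# lookup is only populated against a live cluster; this guard is inert in helm template`, would spare the next reader the surprise.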
--- a/charts/base-cluster/templates/monitoring/alloy.yaml
+++ b/charts/base-cluster/templates/monitoring/alloy.yaml
@@ -43,98 +43,98 @@ spec: content: | {{- if .Values.monitoring.loki.enabled }} discovery.kubernetes "pods" { - role = "pod" + role = "pod" } discovery.relabel "pods" { - targets = discovery.kubernetes.pods.targets - - rule { - source_labels = ["__meta_kubernetes_pod_controller_name"] - regex = "([0-9a-z-.]+?)(-[0-9a-f]{8,10})?" - target_label = "__tmp_controller_name" - } - - rule { - source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_label_app", "__tmp_controller_name", "__meta_kubernetes_pod_name"] - regex = "^;*([^;]+)(;.*)?$" - target_label = "app" - } - - rule { - source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_instance", "__meta_kubernetes_pod_label_instance"] - regex = "^;*([^;]+)(;.*)?$" - target_label = "instance" - } - - rule { - source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_component", "__meta_kubernetes_pod_label_component"] - regex = "^;*([^;]+)(;.*)?$" - target_label = "component" - } - - rule { - source_labels = ["__meta_kubernetes_pod_node_name"] - target_label = "node_name" - } - - rule { - source_labels = ["__meta_kubernetes_namespace"] - target_label = "namespace" - } - - rule { - source_labels = ["namespace", "app"] - separator = "/" - target_label = "job" - } - - rule { - source_labels = ["__meta_kubernetes_pod_name"] - target_label = "pod" - } - - rule { - source_labels = ["__meta_kubernetes_pod_container_name"] - target_label = "container" - } - - rule { - source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] - separator = "/" - target_label = "__path__" - replacement = "/var/log/pods/*$1/*.log" - } - - rule { - source_labels = ["__meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash", "__meta_kubernetes_pod_annotation_kubernetes_io_config_hash", "__meta_kubernetes_pod_container_name"] - separator = "/" - regex = "true/(.*)" - target_label = "__path__" - replacement = "/var/log/pods/*$1/*.log" - } + targets = 
discovery.kubernetes.pods.targets + + rule { + source_labels = ["__meta_kubernetes_pod_controller_name"] + regex = "([0-9a-z-.]+?)(-[0-9a-f]{8,10})?" + target_label = "__tmp_controller_name" + } + + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_label_app", "__tmp_controller_name", "__meta_kubernetes_pod_name"] + regex = "^;*([^;]+)(;.*)?$" + target_label = "app" + } + + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_instance", "__meta_kubernetes_pod_label_instance"] + regex = "^;*([^;]+)(;.*)?$" + target_label = "instance" + } + + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_component", "__meta_kubernetes_pod_label_component"] + regex = "^;*([^;]+)(;.*)?$" + target_label = "component" + } + + rule { + source_labels = ["__meta_kubernetes_pod_node_name"] + target_label = "node_name" + } + + rule { + source_labels = ["__meta_kubernetes_namespace"] + target_label = "namespace" + } + + rule { + source_labels = ["namespace", "app"] + separator = "/" + target_label = "job" + } + + rule { + source_labels = ["__meta_kubernetes_pod_name"] + target_label = "pod" + } + + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + target_label = "container" + } + + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + separator = "/" + target_label = "__path__" + replacement = "/var/log/pods/*$1/*.log" + } + + rule { + source_labels = ["__meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash", "__meta_kubernetes_pod_annotation_kubernetes_io_config_hash", "__meta_kubernetes_pod_container_name"] + separator = "/" + regex = "true/(.*)" + target_label = "__path__" + replacement = "/var/log/pods/*$1/*.log" + } } local.file_match "pods" { - path_targets = discovery.relabel.pods.output + path_targets = discovery.relabel.pods.output } loki.source.file "pods" { - targets = local.file_match.pods.targets - forward_to = 
[loki.process.pods.receiver] + targets = local.file_match.pods.targets + forward_to = [loki.process.pods.receiver] } loki.process "pods" { - forward_to = [loki.write.default.receiver] + forward_to = [loki.write.default.receiver] - stage.cri {} + stage.cri {} } loki.write "default" { - endpoint { - url = "http://loki:3100/loki/api/v1/push" - } - external_labels = {} + endpoint { + url = "http://loki:3100/loki/api/v1/push" + } + external_labels = {} } {{- end }} @@ -256,5 +256,5 @@ spec: priorityClassName: monitoring-components serviceMonitor: enabled: true - additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 10 }} + additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }} {{- end -}} diff --git a/charts/base-cluster/templates/monitoring/kdave/kdave.yaml b/charts/base-cluster/templates/monitoring/kdave/kdave.yaml index 5f9b192e55..d095a2b681 100644 --- a/charts/base-cluster/templates/monitoring/kdave/kdave.yaml +++ b/charts/base-cluster/templates/monitoring/kdave/kdave.yaml @@ -41,7 +41,7 @@ kind: ServiceMonitor metadata: name: kdave namespace: monitoring - labels: {{- include "common.helm.labels" (dict) | nindent 4 }}{{- toYaml .Values.monitoring.labels | nindent 4 }} + labels: {{- include "common.helm.labels" (dict) | nindent 4 }}{{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 4 }} app.kubernetes.io/component: kdave app.kubernetes.io/part-of: monitoring spec: diff --git a/charts/base-cluster/templates/monitoring/kdave/rules/releases-with-deprecation.yaml b/charts/base-cluster/templates/monitoring/kdave/rules/releases-with-deprecation.yaml index 4eedb6d15b..0313dd71bf 100644 --- a/charts/base-cluster/templates/monitoring/kdave/rules/releases-with-deprecation.yaml +++ b/charts/base-cluster/templates/monitoring/kdave/rules/releases-with-deprecation.yaml 
@@ -9,7 +9,7 @@ metadata: name: releases-with-deprecated-apis namespace: monitoring labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- with .Values.monitoring.labels }}{{ toYaml . | nindent 4 }}{{- end }} + {{- with .Values.monitoring.labels }}{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} app.kubernetes.io/component: prometheus app.kubernetes.io/part-of: kdave spec: diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml index ddd7822049..12bddbe53b 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml @@ -32,7 +32,7 @@ alertmanagerSpec: requests: storage: {{ .Values.monitoring.prometheus.alertmanager.persistence.size }} alertmanagerConfigSelector: - matchLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }} config: {{- if .Values.monitoring.prometheus.alertmanager.receivers.pagerduty.enabled }} global: diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml index bbce78e8cc..fae6edb400 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml 
@@ -53,7 +53,7 @@ deploymentStrategy:
{{- end }}
serviceMonitor:
interval: "30s"
- labels: {{- toYaml .Values.monitoring.labels | nindent 4 }}
+ labels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 4 }}
podAnnotations:
# This might change on every `template` call, this can be ignored
checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/monitoring/kube-prometheus-stack/grafana-secret.yaml" "context" $) }}
@@ -118,12 +118,17 @@ dashboards:
metrics:
<<: *dashboard
gnetId: 8588
- {{- if .Values.ingress.enabled}}
+ {{- if eq .Values.ingress.provider "nginx" }}
ingress-nginx:
<<: *dashboard
gnetId: 9614
revision: 1
- {{- end}}
+ {{- else if eq .Values.ingress.provider "traefik" }}
+ traefik:
+ <<: *dashboard
+ gnetId: 17347
+ revision: 9
+ {{- end }}
cert-manager:
<<: *dashboard
gnetId: 11001
@@ -175,7 +180,7 @@ dashboards:
{{- end }}
{{- include "base-cluster.monitoring.ingress" (dict "name" "grafana" "context" $) | nindent 0 }}
{{- $grafanaIni := .Values.monitoring.grafana.config | default (dict) }}
-{{- if and .Values.ingress.enabled .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }}
+{{- if and (ne .Values.ingress.provider "none") .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }}
{{- $grafanaIni = mustMerge $grafanaIni (include "base-cluster.prometheus-stack.grafana.ini.ingress" (dict "context" $) | fromYaml) }}
{{- if .Values.global.authentication.config }}
{{- $grafanaIni = mustMerge $grafanaIni (include "base-cluster.prometheus-stack.grafana.ini.oauth" (dict "context" $) | fromYaml) }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml
index e5f310a9e4..67b4c01d40 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml
@@ -45,7 +45,7 @@ privileged: false
{{- $domainIsConfigured := or (not (empty .Values.global.baseDomain)) (not (empty $ingress.customDomain)) -}}
{{- $certManagerIsConfigured := not (empty .Values.certManager.email) -}}
{{- $ingressSpecificallyDisabled := eq false $ingress.enabled -}}
- {{- and $certManagerIsConfigured (not $ingressSpecificallyDisabled) .Values.ingress.enabled $domainIsConfigured | ternary true "" -}}
+ {{- and $certManagerIsConfigured (not $ingressSpecificallyDisabled) (ne .Values.ingress.provider "none") $domainIsConfigured | ternary true "" -}}
{{- end -}}

{{- define "base-cluster.monitoring.unauthenticated-ingress.enabled" -}}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_kube-state-metrics-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_kube-state-metrics-config.yaml
index dce607e244..4fe6e09e81 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_kube-state-metrics-config.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_kube-state-metrics-config.yaml
@@ -96,5 +96,5 @@ securityContext:
containerSecurityContext: {{- include "base-cluster.prometheus-stack.containerSecurityContext" (dict) | nindent 2 }}
prometheus:
monitor:
- additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
{{- end -}}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_node-exporter-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_node-exporter-config.yaml
index 933d30cf2b..1bf96a6651 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_node-exporter-config.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_node-exporter-config.yaml
@@ -11,5 +11,5 @@ securityContext:
containerSecurityContext: {{- include "base-cluster.prometheus-stack.containerSecurityContext" (dict) | nindent 2 }}
prometheus:
monitor:
- additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
{{- end -}}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml
index 354edc07d8..d49fa8032a 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml
@@ -22,7 +22,7 @@ defaultRules:
kubelet:
serviceMonitor:
resource: false
-commonLabels: {{- toYaml .Values.monitoring.labels | nindent 2 }}
+commonLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 2 }}
grafana: {{- include "base-cluster.prometheus-stack.grafana.config" . | nindent 2 }}
kube-state-metrics: {{- include "base-cluster.prometheus-stack.kube-state-metrics.config" . | nindent 2 }}
prometheus-node-exporter: {{- include "base-cluster.prometheus-stack.node-exporter.config" . | nindent 2 }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml
index 5522148ec5..6a32c85d7f 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml
@@ -33,13 +33,13 @@ prometheusSpec:
storage: {{ .Values.monitoring.prometheus.persistence.size }}
replicas: {{ .Values.monitoring.prometheus.replicas }}
ruleSelector:
- matchLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
serviceMonitorSelector:
- matchLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
podMonitorSelector:
- matchLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
probeSelector:
- matchLabels: {{- toYaml .Values.monitoring.labels | nindent 6 }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 6 }}
additionalAlertRelabelConfigs:
{{- if not .Values.monitoring.monitorAllNamespaces }}
{{- $namespaces := list .Release.Namespace "kube-node-lease" "kube-public" "kube-system" -}}
diff --git a/charts/base-cluster/templates/monitoring/logs/loki.yaml b/charts/base-cluster/templates/monitoring/logs/loki.yaml
index 8e8927818f..a6613d0320 100644
--- a/charts/base-cluster/templates/monitoring/logs/loki.yaml
+++ b/charts/base-cluster/templates/monitoring/logs/loki.yaml
@@ -99,5 +99,5 @@ spec:
monitoring:
serviceMonitor:
enabled: true
- additionalLabels: {{- toYaml .Values.monitoring.labels | nindent 10 }}
+ additionalLabels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }}
{{- end -}}
diff --git a/charts/base-cluster/templates/monitoring/security/trivy.yaml b/charts/base-cluster/templates/monitoring/security/trivy.yaml
index 5dee7c1d39..54f96089de 100644
--- a/charts/base-cluster/templates/monitoring/security/trivy.yaml
+++ b/charts/base-cluster/templates/monitoring/security/trivy.yaml
@@ -72,5 +72,5 @@ spec:
excludeNamespaces: ""
serviceMonitor:
enabled: {{ .Values.monitoring.prometheus.enabled }}
- labels: {{- toYaml .Values.monitoring.labels | nindent 8 }}
+ labels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 8 }}
{{- end }}
diff --git a/charts/base-cluster/templates/monitoring/tracing/grafana-tempo.yaml b/charts/base-cluster/templates/monitoring/tracing/grafana-tempo.yaml
index c0b1b40b7b..18f944335a 100644
--- a/charts/base-cluster/templates/monitoring/tracing/grafana-tempo.yaml
+++ b/charts/base-cluster/templates/monitoring/tracing/grafana-tempo.yaml
@@ -54,7 +54,7 @@ spec:
enabled: true
serviceMonitor:
enabled: true
- labels: {{- toYaml .Values.monitoring.labels | nindent 10 }}
+ labels: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 10 }}
---
apiVersion: v1
kind: ConfigMap
diff --git a/charts/base-cluster/templates/nfs-server-provisioner/rules/storage-size.yaml b/charts/base-cluster/templates/nfs-server-provisioner/rules/storage-size.yaml
index 724db16b9f..0ce7bdb06a 100644
--- a/charts/base-cluster/templates/nfs-server-provisioner/rules/storage-size.yaml
+++ b/charts/base-cluster/templates/nfs-server-provisioner/rules/storage-size.yaml
@@ -9,7 +9,7 @@ metadata:
name: storage-size
namespace: nfs-server-provisioner
labels: {{- include "common.labels.standard" $ | nindent 4 }}
- {{- with .Values.monitoring.labels }}{{- toYaml . | nindent 4 }}{{- end }}
+ {{- with .Values.monitoring.labels }}{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
app.kubernetes.io/component: prometheus
app.kubernetes.io/part-of: nfs-server-provisioner
spec:
diff --git a/charts/base-cluster/templates/tetragon/tetragon.yaml b/charts/base-cluster/templates/tetragon/tetragon.yaml
index 2fea41ff94..6d9788c7ca 100644
--- a/charts/base-cluster/templates/tetragon/tetragon.yaml
+++ b/charts/base-cluster/templates/tetragon/tetragon.yaml
@@ -43,6 +43,6 @@ spec:
prometheus:
serviceMonitor:
enabled: true
- labelsOverride: {{- toYaml .Values.monitoring.labels | nindent 12 }}
+ labelsOverride: {{- include "common.tplvalues.render" (dict "value" .Values.monitoring.labels "context" .) | nindent 12 }}
{{- end }}
{{- end }}
diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
index aa876688eb..df406ce6d9 100644
--- a/charts/base-cluster/values.schema.json
+++ b/charts/base-cluster/values.schema.json
@@ -121,28 +121,49 @@
]
},
"metricsLabels": {
- "type": "object",
"description": "The labels used to allow ingress from the metrics service",
- "additionalProperties": {
- "type": "string"
- },
- "minProperties": 1
+ "oneOf": [
+ {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ {
+ "type": "string"
+ }
+ ]
},
"dnsLabels": {
- "type": "object",
"description": "The labels used to allow egress to the DNS service",
- "additionalProperties": {
- "type": "string"
- },
- "minProperties": 1
+ "oneOf": [
+ {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ {
+ "type": "string"
+ }
+ ]
},
"ingressLabels": {
- "type": "object",
- "description": "The labels used to allow egress to the DNS service",
- "additionalProperties": {
- "type": "string"
- },
- "minProperties": 1
+ "description": "The labels used to allow ingress from the ingress controller",
+ "oneOf": [
+ {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ {
+ "type": "string"
+ }
+ ]
}
},
"additionalProperties": false
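Review bot: The new string alternative for `metricsLabels`, `dnsLabels` and `ingressLabels` accepts any string, including an empty one, while the object alternative keeps `"minProperties": 1`; a template that renders to nothing therefore passes schema validation and ends up as an empty label selector, and an empty pod or namespace selector in a NetworkPolicy matches every pod rather than none. Adding `"minLength": 1` beside `"type": "string"` in each of the three string branches restores the guard the object branch still has; the validation would then be consistent across both forms. How these three values are consumed is not in this hunk, so the selector effect is inferred from their descriptions and from the values.yaml defaults in this commit.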
@@ -1328,8 +1349,14 @@
"resources": {
"$ref": "#/$defs/resourceRequirements"
},
- "enabled": {
- "type": "boolean"
+ "provider": {
+ "type": "string",
+ "enum": [
+ "nginx",
+ "traefik",
+ "none"
+ ],
+ "description": "Which ingress controller to use"
},
"allowNginxConfigurationSnippets": {
"type": "boolean",
diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
index 52ecda6286..3ada08977a 100644
--- a/charts/base-cluster/values.yaml
+++ b/charts/base-cluster/values.yaml
@@ -7,7 +7,7 @@ global:
priorityClasses: {}
namespaces:
ingress:
- condition: "{{ not (empty .Values.dns.provider) }}"
+ condition: '{{ or (not (empty .Values.dns.provider)) (eq .Values.ingress.provider "traefik") }}'
additionalLabels:
app.kubernetes.io/component: ingress
cert-manager:
@@ -25,7 +25,7 @@ global:
limits.cpu: "2"
limits.memory: 2Gi
ingress-nginx:
- condition: "{{ .Values.ingress.enabled }}"
+ condition: '{{ eq .Values.ingress.provider "nginx" }}'
additionalLabels:
app.kubernetes.io/component: ingress
kyverno:
@@ -93,8 +93,8 @@ global:
io.kubernetes.pod.namespace: monitoring
app.kubernetes.io/name: prometheus
ingressLabels:
- io.kubernetes.pod.namespace: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: '{{ eq .Values.ingress.provider "nginx" | ternary "ingress-nginx" "ingress" }}'
+ app.kubernetes.io/name: '{{ eq .Values.ingress.provider "nginx" | ternary "ingress-nginx" "ingress-controller" }}'
# it's important that the `url` is the first key and `charts` is right below, otherwise renovate won't detect it
helmRepositories:
prometheus:
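Review bot: Removing `enabled` from the schema means a values file that still sets `ingress.enabled: false` is no longer rejected by this property, and because `provider` defaults to `traefik` in this commit's values.yaml, such a deployment would start an ingress controller that it had explicitly switched off; whether the enclosing `ingress` object carries `additionalProperties: false` is outside the hunk, so this may already be caught. If it is not, a render-time guard in the ingress validation template such as `{{- if hasKey .Values.ingress "enabled" }}{{ fail "ingress.enabled was replaced by ingress.provider (nginx|traefik|none)" }}{{- end }}` would turn the silent behaviour change of a breaking release into an explicit error. The `description` on `provider` could also list what `none` means for dependent features, since several templates in this commit now key off `ne .Values.ingress.provider "none"`.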
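Review bot: The templated `ingressLabels` resolve to `io.kubernetes.pod.namespace: ingress` and `app.kubernetes.io/name: ingress-controller` for every provider other than `nginx`, including `none`, so the allow rule built from them is still emitted when no controller is installed; harmless as long as nothing matches, but worth a comment. Whether the traefik release actually labels its pods `app.kubernetes.io/name=ingress-controller` cannot be checked from this hunk (traefik.yaml is not shown); if the label differs, traffic from the controller would be denied by the policy with no rendering error, which is the kind of mismatch a CI render plus policy test would catch. Proposed comment above `ingressLabels:`: `# must match the namespace and pod labels of the selected ingress controller (nginx: ingress-nginx/ingress-nginx, traefik: ingress/ingress-controller)`.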
@@ -133,7 +133,12 @@ global:
url: https://kubernetes.github.io/ingress-nginx
charts:
ingress-nginx: 4.12.1
- condition: '{{ .Values.ingress.enabled }}'
+ condition: '{{ eq .Values.ingress.provider "nginx" }}'
+ traefik:
+ url: https://helm.traefik.io/traefik
+ charts:
+ traefik: 35.2.0
+ condition: '{{ eq .Values.ingress.provider "traefik" }}'
kyverno:
url: https://kyverno.github.io/kyverno
charts:
@@ -419,7 +424,7 @@ flux:
gitRepositories: {}

ingress:
- enabled: true
+ provider: traefik
allowNginxConfigurationSnippets: false
useProxyProtocol: true
replicas: 2
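Review bot: `provider: traefik` is the new default but the key carries no hint of its accepted values, and the keys directly below it (`allowNginxConfigurationSnippets`, `useProxyProtocol`) read as nginx-specific while nginx is no longer what a fresh install gets. A comment on the new line, `provider: traefik  # one of "nginx", "traefik", "none" (see values.schema.json)`, plus a note on `allowNginxConfigurationSnippets` that it only takes effect when `provider` is `nginx`, would save readers a trip to the schema. Whether `useProxyProtocol` is honoured by the traefik template is outside this hunk.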