feat: ✨ add AllowACMEByPass and improve schema/doc on ports values
mloiseleur authored Sep 18, 2024
1 parent d7c3622 commit 458cab9
Showing 6 changed files with 210 additions and 78 deletions.
29 changes: 23 additions & 6 deletions traefik/VALUES.md
Expand Up @@ -207,24 +207,41 @@ Kubernetes: `>=1.22.0-0`
| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.traefik.exposedPort | int | `9000` | The exposed port for this service |
| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. |
| ports.traefik.hostPort | string | `nil` | Use hostPort if set. |
| ports.traefik.port | int | `9000` | |
| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
| ports.web.expose.default | bool | `true` | |
| ports.web.exposedPort | int | `80` | |
| ports.web.forwardedHeaders.insecure | bool | `false` | |
| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.web.port | int | `8000` | |
| ports.web.protocol | string | `"TCP"` | |
| ports.web.proxyProtocol.insecure | bool | `false` | |
| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.web.redirectTo | object | `{}` | |
| ports.web.targetPort | string | `nil` | |
| ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) |
| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) |
| ports.websecure.containerPort | string | `nil` | |
| ports.websecure.expose.default | bool | `true` | |
| ports.websecure.exposedPort | int | `443` | |
| ports.websecure.forwardedHeaders.insecure | bool | `false` | |
| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). |
| ports.websecure.hostPort | string | `nil` | |
| ports.websecure.http3.advertisedPort | string | `nil` | |
| ports.websecure.http3.enabled | bool | `false` | |
| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace middlewares: - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd |
| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd |
| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) |
| ports.websecure.port | int | `8443` | |
| ports.websecure.protocol | string | `"TCP"` | |
| ports.websecure.tls.certResolver | string | `""` | |
| ports.websecure.tls.domains | list | `[]` | |
| ports.websecure.tls.enabled | bool | `true` | |
| ports.websecure.tls.options | string | `""` | |
| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
| ports.websecure.proxyProtocol.insecure | bool | `false` | |
| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point |
| ports.websecure.targetPort | string | `nil` | |
| ports.websecure.tls | object | `{"certResolver":"","domains":[],"enabled":true,"options":""}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) |
| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) |
| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) |
| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
| providers.file.enabled | bool | `false` | Create a file provider |
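Review bot: several rows this hunk adds ship with an empty description column, most importantly `ports.web.forwardedHeaders.insecure`, `ports.web.proxyProtocol.insecure`, `ports.websecure.forwardedHeaders.insecure` and `ports.websecure.proxyProtocol.insecure`, while the neighbouring `trustedIPs` rows do say what they trust. Since `insecure: true` is the setting that drops the trusted-source restriction, give it the same one-line `# --` comment in values.yaml so helm-docs renders a warning here. The same applies to `ports.traefik.port`, `ports.web.expose.default`, `ports.web.port`, `ports.websecure.containerPort` and the other blank rows.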
9 changes: 6 additions & 3 deletions traefik/templates/_podtemplate.tpl
Expand Up @@ -538,9 +538,6 @@
{{- range $entrypoint, $config := $.Values.ports }}
{{- if $config }}
{{- if $config.redirectTo }}
{{- if eq (typeOf $config.redirectTo) "string" }}
{{- fail "ERROR: Syntax of `ports.web.redirectTo` has changed to `ports.web.redirectTo.port`. Details in PR #934." }}
{{- end }}
{{- $toPort := index $.Values.ports $config.redirectTo.port }}
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}"
- "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
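Review bot: removing the `typeOf ... "string"` guard also removes the only message that told users the replacement key (`ports.web.redirectTo.port`, PR #934). The replacement check is the `redirectTo` entry typed `object` in values.schema.json, so someone still on `redirectTo: websecure` now gets a generic schema-validation error instead. That is acceptable, but keep a short comment on `redirectTo` in values.yaml (or a `description` in the schema entry) so the migration hint is not lost.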
Expand Down Expand Up @@ -583,6 +580,12 @@
{{- end }}
{{- end }}
{{- end }}
{{- if $config.allowACMEByPass }}
{{- if (semverCompare "<3.1.3-0" $version) }}
{{- fail "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+" -}}
{{- end }}
- "--entryPoints.name.allowACMEByPass=true"
{{- end }}
{{- if $config.forwardedHeaders }}
{{- if $config.forwardedHeaders.trustedIPs }}
- "--entryPoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}"
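Review bot: the new argument line hardcodes the entrypoint name. `- "--entryPoints.name.allowACMEByPass=true"` should be `- "--entryPoints.{{ $entrypoint }}.allowACMEByPass=true"`, as on the `redirections` and `forwardedHeaders` lines around it. As written, `ports.websecure.allowACMEByPass: true` configures a literal entrypoint called `name` and `websecure` never receives the flag; the unit test added in traefik-config_test.yaml asserts that exact string, so it passes with the bug in place.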
2 changes: 1 addition & 1 deletion traefik/tests/deployment-config_test.yaml
Expand Up @@ -180,7 +180,7 @@ tests:
exposedPort: 443
asserts:
- failedTemplate:
errorMessage: "ERROR: Syntax of `ports.web.redirectTo` has changed to `ports.web.redirectTo.port`. Details in PR #934."
errorPattern: "redirectTo"
- it: should have http redirections enabled, when enabled with redirectTo
set:
ports:
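Review bot: `errorPattern: "redirectTo"` matches any template error that mentions the key, so it would also accept a later failure at `index $.Values.ports $config.redirectTo.port` rather than the schema rejection this test is meant to cover. Anchor the pattern on the schema-validation wording (e.g. the `ports.web.redirectTo` path together with `Expected: object`) so the test still distinguishes the migration error from an unrelated typo.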
25 changes: 21 additions & 4 deletions traefik/tests/traefik-config_test.yaml
Expand Up @@ -445,11 +445,9 @@ tests:
ports:
websecure:
forwardedHeaders:
insecure: True
- 127.0.0.1/32
- 192.168.1.7
insecure: true
proxyProtocol:
insecure: True
insecure: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
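Review bot: the `127.0.0.1/32` and `192.168.1.7` entries were removed rather than fixed, so this test no longer exercises `forwardedHeaders.trustedIPs` at all. The old lines sat as a bare sequence next to `insecure`, which is what was wrong; put them back under `trustedIPs:` and assert on `--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7`, the `join ","` form the template emits.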
Expand Down Expand Up @@ -631,3 +629,22 @@ tests:
- contains:
path: spec.template.spec.containers[0].args
content: "--providers.kubernetesgateway.labelselector=app=traefik"
- it: should be possible to allow ACME bypass
set:
ports:
websecure:
allowACMEByPass: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--entryPoints.name.allowACMEByPass=true"
- it: should fail when setting ACME bypass with Proxy v3.1.0
set:
image:
tag: v3.1.0
ports:
websecure:
allowACMEByPass: true
asserts:
- failedTemplate:
errorMessage: "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+"
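Review bot: the `should be possible to allow ACME bypass` case asserts `--entryPoints.name.allowACMEByPass=true`, which is the output of the hardcoded `name` in _podtemplate.tpl, not of the `websecure` entrypoint the test configures. Change the expectation to `--entryPoints.websecure.allowACMEByPass=true` so the test fails until the template is fixed. A third case with `image.tag: v3.1.3` would also check the `semverCompare "<3.1.3-0"` boundary from the passing side, since only the `v3.1.0` rejection is covered.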
119 changes: 119 additions & 0 deletions traefik/values.schema.json
Expand Up @@ -980,6 +980,19 @@
"exposedPort": {
"type": "integer"
},
"hostIP": {
"type": [
"string",
"null"
]
},
"hostPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"port": {
"type": "integer"
},
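Review bot: `hostPort` gets `minimum: 0` but no `maximum: 65535`, so a typo such as `80800` passes schema validation and only fails at pod creation; the same applies to the other port-valued keys this file adds (`nodePort`, `targetPort`, `containerPort`, `http3.advertisedPort`). `hostIP` is a bare string; an `anyOf` over `"format": "ipv4"` and `"format": "ipv6"` (or a pattern) would catch a mistyped address at `helm install` time rather than when the pod is scheduled.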
Expand All @@ -1002,12 +1015,52 @@
"exposedPort": {
"type": "integer"
},
"forwardedHeaders": {
"properties": {
"insecure": {
"type": "boolean"
},
"trustedIPs": {
"type": "array"
}
},
"type": "object"
},
"nodePort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
},
"proxyProtocol": {
"properties": {
"insecure": {
"type": "boolean"
},
"trustedIPs": {
"type": "array"
}
},
"type": "object"
},
"redirectTo": {
"properties": {},
"type": "object"
},
"targetPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"transport": {
"properties": {
"keepAliveMaxRequests": {
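Review bot: `redirectTo` is typed `object` with empty `properties` and no `required`, so `redirectTo: {to: websecure}` passes validation and then fails in the template at `index $.Values.ports $config.redirectTo.port` with an unhelpful message; declare `"properties": {"port": {"type": "string"}}` and `"required": ["port"]` so the schema carries the migration check it now owns. The `trustedIPs` arrays here and under `proxyProtocol` have no `items`, so `trustedIPs: [1, true]` is accepted; add `"items": {"type": "string"}`.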
Expand Down Expand Up @@ -1077,6 +1130,22 @@
},
"websecure": {
"properties": {
"allowACMEByPass": {
"type": "boolean"
},
"appProtocol": {
"type": [
"string",
"null"
]
},
"containerPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"expose": {
"properties": {
"default": {
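Review bot: `allowACMEByPass` is declared only under `websecure`, while the range over `$.Values.ports` in _podtemplate.tpl tests `$config.allowACMEByPass` for every entrypoint. Decide whether the option is meant to be websecure-only (then the template could check the entrypoint name too) or general (then add the key to `web` and any additional entrypoint schema as well), and say which in the VALUES.md row. `containerPort` has the same missing `maximum: 65535` as the other port keys.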
Expand All @@ -1088,8 +1157,33 @@
"exposedPort": {
"type": "integer"
},
"forwardedHeaders": {
"properties": {
"insecure": {
"type": "boolean"
},
"trustedIPs": {
"type": "array"
}
},
"type": "object"
},
"hostPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"http3": {
"properties": {
"advertisedPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"enabled": {
"type": "boolean"
}
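Review bot: the `forwardedHeaders` block here is a verbatim copy of the one added under `web` in this same commit, and `proxyProtocol` is copied the same way further down; move both to `$defs` (or `definitions`) and `$ref` them from each entrypoint so a future change to `trustedIPs` or `insecure` is made in one place. `http3.advertisedPort` also needs `maximum: 65535`.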
Expand All @@ -1099,12 +1193,37 @@
"middlewares": {
"type": "array"
},
"nodePort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
},
"proxyProtocol": {
"properties": {
"insecure": {
"type": "boolean"
},
"trustedIPs": {
"type": "array"
}
},
"type": "object"
},
"targetPort": {
"minimum": 0,
"type": [
"integer",
"null"
]
},
"tls": {
"properties": {
"certResolver": {
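Review bot: `middlewares` is `type: array` with no `items`; VALUES.md documents the entries as `name@provider` references (`namespace-name1@kubernetescrd`), so `"items": {"type": "string", "pattern": "^[^@]+@[^@]+$"}` would reject a bare CRD name that does not follow the documented convention before it reaches Traefik's static configuration. `proxyProtocol.trustedIPs` here, like the other `trustedIPs` arrays in this file, should also get `"items": {"type": "string"}`.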