feat!: 💥 refactor custom services and port exposure

EXAMPLES.md

@@ -99,7 +99,7 @@ extraObjects:
 
 To expose the dashboard without IngressRoute, it's more complicated and less
 secure. You'll need to create an internal Service exposing Traefik API with
-special _traefik_ entrypoint.
+special _traefik_ entrypoint. This internal Service can be created from an other tool, with the `extraObjects` section or using [custom services](#add-custom-internal-services).
 
 You'll need to double check:
 1. Service selector with your setup.
@@ -473,6 +473,59 @@ spec:
       port: 80
 ```
 
+# Add custom (internal) services
+
+In some cases you might want to have more than one Traefik service within your cluster,
+e.g. a default (external) one and a service that is only exposed internally to pods within your cluster.
+
+The `service.additionalServices` allows you to add an arbitrary amount of services,
+provided as a name to service details mapping; for example you can use the following values:
+
+```yaml
+service:
+  additionalServices:
+    internal:
+      type: ClusterIP
+      labels:
+        traefik-service-label: internal
+```
+
+Ports can then be exposed on this service by using the port name to boolean mapping `expose` on the respective port;
+e.g. to expose the `traefik` API port on your internal service so pods within your cluster can use it, you can do:
+
+```yaml
+ports:
+  traefik:
+    expose:
+      # Sensitive data should not be exposed on the internet
+      # => Keep this disabled !
+      default: false
+      internal: true
+```
+
+This will then provide an additional Service manifest, looking like this:
+
+```yaml
+---
+# Source: traefik/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-internal
+  namespace: traefik
+[...]
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/instance: traefik-traefik
+  ports:
+  - port: 9000
+    name: "traefik"
+    targetPort: traefik
+    protocol: TCP
+```
+
 # Use this Chart as a dependency of your own chart
 
 

Makefile

@@ -1,6 +1,6 @@
 .PHONY: lint test
 
-IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.13.1-0.3.5
+IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.14.2-0.4.2
 IMAGE_CHART_TESTING=quay.io/helmpack/chart-testing:v3.10.1
 IMAGE_HELM_DOCS=jnorwood/helm-docs:v1.13.1
 

traefik/Changelog.md

@@ -1,5 +1,28 @@
 # Change Log
 
+## 27.0.0 (unreleased)
+
+**Upgrade notes**
+
+Custom services and port exposure have been redesigned, requiring the following changes:
+- if you were overriding port exposure behavior using the `expose` or `exposeInternal` flags, you should replace them with a service name to boolean mapping, i.e. replace this:
+```yaml
+ports:
+   web:
+      expose: false
+      exposeInternal: true
+```
+with this:
+```yaml
+ports:
+   web:
+      expose:
+         default: false
+         internal: true
+```
+- if you were previously using the `service.internal` value,
+you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes!
+
 ## 26.1.0  ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
 
 **Release date:** 2024-02-16

traefik/templates/_service.tpl

@@ -1,44 +1,57 @@
+{{- define "traefik.service-name" -}}
+{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}}
+{{- if eq .name "default" -}}
+{{- $fullname = include "traefik.fullname" .root -}}
+{{- end -}}
+
+{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60
+  {{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}}
+{{- end -}}
+
+{{- $fullname -}}
+{{- end -}}
+
 {{- define "traefik.service-metadata" }}
   labels:
-  {{- include "traefik.labels" . | nindent 4 -}}
-  {{- with .Values.service.labels }}
+  {{- include "traefik.labels" .root | nindent 4 -}}
+  {{- with .service.labels }}
   {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
 
 {{- define "traefik.service-spec" -}}
-  {{- $type := default "LoadBalancer" .Values.service.type }}
+  {{- $type := default "LoadBalancer" .service.type }}
   type: {{ $type }}
-  {{- with .Values.service.loadBalancerClass }}
+  {{- with .service.loadBalancerClass }}
   loadBalancerClass: {{ . }}
   {{- end}}
-  {{- with .Values.service.spec }}
+  {{- with .service.spec }}
   {{- toYaml . | nindent 2 }}
   {{- end }}
   selector:
-    {{- include "traefik.labelselector" . | nindent 4 }}
+    {{- include "traefik.labelselector" .root | nindent 4 }}
   {{- if eq $type "LoadBalancer" }}
-  {{- with .Values.service.loadBalancerSourceRanges }}
+  {{- with .service.loadBalancerSourceRanges }}
   loadBalancerSourceRanges:
   {{- toYaml . | nindent 2 }}
   {{- end -}}
   {{- end -}}
-  {{- with .Values.service.externalIPs }}
+  {{- with .service.externalIPs }}
   externalIPs:
   {{- toYaml . | nindent 2 }}
   {{- end -}}
-  {{- with .Values.service.ipFamilyPolicy }}
+  {{- with .service.ipFamilyPolicy }}
   ipFamilyPolicy: {{ . }}
   {{- end }}
-  {{- with .Values.service.ipFamilies }}
+  {{- with .service.ipFamilies }}
   ipFamilies:
   {{- toYaml . | nindent 2 }}
   {{- end -}}
 {{- end }}
 
 {{- define "traefik.service-ports" }}
-  {{- range $name, $config := . }}
-  {{- if $config.expose }}
+  {{- range $name, $config := .ports }}
+  {{- if (index (default dict $config.expose) $.serviceName) }}
   - port: {{ default $config.port $config.exposedPort }}
     name: {{ $name | quote }}
     targetPort: {{ default $name $config.targetPort }}

traefik/templates/service-metrics.yaml

@@ -9,7 +9,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ $fullname }}-metrics
+  name: {{ template "traefik.service-name" (dict "root" . "name" "metrics") }}
   namespace: {{ template "traefik.namespace" . }}
   {{- template "traefik.metrics-service-metadata" . }}
   annotations:

traefik/templates/service.yaml

@@ -1,9 +1,15 @@
-{{- if .Values.service.enabled -}}
+{{- $services := .Values.service.additionalServices -}}
+{{- $services = set $services "default" (omit .Values.service "additionalServices") }}
+
+{{- range $name, $service := $services -}}
+{{- if ne $service.enabled false -}}
+
+{{- $fullname := include "traefik.service-name" (dict "root" $ "name" $name) }}
 
 {{- $tcpPorts := dict -}}
 {{- $udpPorts := dict -}}
 {{- $exposedPorts := false -}}
-{{- range $name, $config := .Values.ports -}}
+{{- range $portName, $config := $.Values.ports -}}
   {{- if $config -}}
     {{- if $config.http3 -}}
     {{- if $config.http3.enabled -}}
@@ -13,12 +19,12 @@
     {{- end -}}
     {{- end -}}
     {{- if eq (toString $config.protocol) "UDP" -}}
-      {{ $_ := set $udpPorts $name $config -}}
+      {{ $_ := set $udpPorts $portName $config -}}
     {{- end -}}
     {{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}}
-      {{ $_ := set $tcpPorts $name $config -}}
+      {{ $_ := set $tcpPorts $portName $config -}}
     {{- end -}}
-    {{- if (eq $config.expose true) -}}
+    {{- if (index (default dict $config.expose) $name) -}}
       {{- $exposedPorts = true -}}
     {{- end -}}
   {{- end -}}
@@ -28,42 +34,44 @@
   {{- fail "You need to expose at least one port or set enabled=false to service" -}}
 {{- end -}}
 
-{{- if and $exposedPorts (or $tcpPorts .Values.service.single) }}
+{{- if and $exposedPorts (or $tcpPorts $service.single) }}
+---
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "traefik.fullname" . }}
-  namespace: {{ template "traefik.namespace" . }}
-  {{- template "traefik.service-metadata" . }}
+  name: {{ $fullname }}
+  namespace: {{ template "traefik.namespace" $ }}
+  {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
   annotations:
-  {{- with (merge dict .Values.service.annotationsTCP .Values.service.annotations) }}
+  {{- with (merge dict (default dict $service.annotationsTCP) (default dict $service.annotations)) }}
   {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- template "traefik.service-spec" . }}
+  {{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
   ports:
-  {{- template "traefik.service-ports" $tcpPorts }}
-{{- if .Values.service.single }}
-  {{- template "traefik.service-ports" $udpPorts }}
+  {{- template "traefik.service-ports" (dict "ports" $tcpPorts "serviceName" $name) }}
+{{- if $service.single }}
+  {{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
 {{- end }}
 {{- end }}
 
-{{- if and $exposedPorts (and $udpPorts (not .Values.service.single)) }}
+{{- if and $exposedPorts (and $udpPorts (not $service.single)) }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "traefik.fullname" . }}-udp
-  namespace: {{ template "traefik.namespace" . }}
-  {{- template "traefik.service-metadata" . }}
+  name: {{ $fullname }}-udp
+  namespace: {{ template "traefik.namespace" $ }}
+  {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }}
   annotations:
-  {{- with (merge dict .Values.service.annotationsUDP .Values.service.annotations) }}
+  {{- with (merge dict (default dict $service.annotationsUDP) (default dict $service.annotations)) }}
   {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- template "traefik.service-spec" . }}
+  {{- template "traefik.service-spec" (dict "root" $ "service" $service) }}
   ports:
-  {{- template "traefik.service-ports" $udpPorts }}
+  {{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }}
 {{- end }}
 
 {{- end -}}
+{{- end -}}

traefik/tests/common-metadata_test.yaml

@@ -9,7 +9,6 @@ templates:
   - poddisruptionbudget.yaml
   - prometheusrules.yaml
   - pvc.yaml
-  - service-internal.yaml
   - servicemonitor.yaml
   - service.yaml
   - tlsoption.yaml