Add traefik middleware support (#601)
* add basic middleware chain to traefik * Try some ideas for common ingress middleware support * create middleware namespace as pre-install hook * rename namespace file * Add additional list with middlewares and tune the output a bit * Add basic auth middleware spawner * add forwardAuth support * polish middleware names and add config examples * initial go at traefik middleware GUI elements * fix labels * more missing labels
This commit is contained in:
parent
64ca1db288
commit
373c834d35
|
@ -18,4 +18,4 @@ maintainers:
|
|||
name: common
|
||||
sources:
|
||||
type: library
|
||||
version: 6.3.8
|
||||
version: 6.4.0
|
||||
|
|
|
@ -20,6 +20,29 @@ within the common library.
|
|||
{{- $primaryPort := get $primaryService.ports (include "common.classes.service.ports.primary" (dict "values" $primaryService)) -}}
|
||||
{{- $name := include "common.names.name" . -}}
|
||||
{{- $isStable := include "common.capabilities.ingress.isStable" . }}
|
||||
|
||||
{{- $fixedMiddlewares := "" }}
|
||||
{{ range $index, $fixedMiddleware := $values.fixedMiddlewares }}
|
||||
{{- if $index }}
|
||||
{{ $fixedMiddlewares = ( printf "%v, %v-%v@%v" $fixedMiddlewares "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
|
||||
{{- else }}
|
||||
{{ $fixedMiddlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
||||
{{- $middlewares := "" }}
|
||||
{{ range $index, $middleware := $values.middlewares }}
|
||||
{{- if $index }}
|
||||
{{ $middlewares = ( printf "%v, %v-%v@%v" $middlewares "traefikmiddlewares" $middleware "kubernetescrd" ) }}
|
||||
{{- else }}
|
||||
{{ $middlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $middleware "kubernetescrd" ) }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
||||
{{- if $fixedMiddlewares }}
|
||||
{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}
|
||||
{{ end }}
|
||||
|
||||
---
|
||||
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
|
||||
kind: Ingress
|
||||
|
@ -27,8 +50,9 @@ metadata:
|
|||
name: {{ $ingressName }}
|
||||
labels:
|
||||
{{- include "common.labels" . | nindent 4 }}
|
||||
{{- with $values.annotations }}
|
||||
annotations:
|
||||
"traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
|
|
|
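Review bot: The join in the `{{- if $fixedMiddlewares }}` block always formats `"%v, %v"`, so with the shipped defaults (`fixedMiddlewares: [chain-basic]`, `middlewares: []`) the annotation value becomes `traefikmiddlewares-chain-basic@kubernetescrd, ` with a dangling separator and an empty middleware reference, which Traefik will most likely reject for the whole router, silently dropping the rate-limit and secure-headers chain instead of degrading. The annotation is also emitted on every Ingress unconditionally, as `""` when both lists are empty, including Ingresses served by a non-Traefik controller. Join only when both sides are non-empty and guard the annotation line with `{{- if $middlewares }}`; the template's header and the remainder of the Ingress lie outside this hunk, and indentation is not visible in this rendering. Note also that `$values.annotations` is merged after the generated key, so a user-supplied `router.middlewares` annotation yields a duplicate YAML key rather than an override.
```yaml
{{- if and $fixedMiddlewares $middlewares }}
{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}
{{- else if $fixedMiddlewares }}
{{ $middlewares = $fixedMiddlewares }}
{{ end }}
# … unchanged: Ingress apiVersion/kind/name/labels …
{{- if $middlewares }}
"traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
{{- end }}
```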
@ -281,6 +281,16 @@ ingress:
|
|||
# -- Override the name suffix that is used for this ingress.
|
||||
nameOverride:
|
||||
|
||||
# -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
|
||||
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
|
||||
# Primarily used for TrueNAS SCALE to add additional (seperate) middlewares without exposing them to the end-user
|
||||
fixedMiddlewares:
|
||||
- chain-basic
|
||||
|
||||
# -- Additional List of middlewares in the traefikmiddlewares k8s namespace to add automatically
|
||||
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
|
||||
middlewares: []
|
||||
|
||||
# -- Provide additional annotations which may be required.
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
|
|
|
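Review bot: The default `fixedMiddlewares: [chain-basic]` in the shared library references a middleware that only exists once the SCALE Traefik chart has created the `traefikmiddlewares` namespace, yet the comment above it says the feature is "primarily" for SCALE; every chart built on the library now emits that reference by default. Document the precondition and the opt-out, e.g. `# -- Set to [] when not running behind the SCALE Traefik chart; every name listed must exist as a Middleware in the traefikmiddlewares namespace`. Also fix the typo `seperate` → `separate` in the same comment.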
@ -25,5 +25,5 @@ sources:
|
|||
- https://github.com/traefik/traefik-helm-chart
|
||||
- https://traefik.io/
|
||||
type: application
|
||||
version: 6.1.8
|
||||
version: 6.2.0
|
||||
upstream_version: "v9.19.2"
|
||||
|
|
|
@ -7,6 +7,8 @@ groups:
|
|||
description: "additional container configuration"
|
||||
- name: "App Configuration"
|
||||
description: "App specific config options"
|
||||
- name: "Middlewares"
|
||||
description: "Traefik Middlewares"
|
||||
- name: "Networking and Services"
|
||||
description: "Configure Network and Services for container"
|
||||
- name: "Storage and Persistence"
|
||||
|
@ -44,6 +46,114 @@ questions:
|
|||
type: boolean
|
||||
default: true
|
||||
|
||||
- variable: middlewares
|
||||
label: ""
|
||||
group: "Middlewares"
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: basicAuth
|
||||
label: "basicAuth"
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: basicAuthEntry
|
||||
label: ""
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: name
|
||||
label: "Name"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: users
|
||||
label: "Users"
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: usersEntry
|
||||
label: ""
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: username
|
||||
label: "Username"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: password
|
||||
label: "Password"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
|
||||
|
||||
- variable: forwardAuth
|
||||
label: "forwardAuth"
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: basicAuthEntry
|
||||
label: ""
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: name
|
||||
label: "Name"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: address
|
||||
label: "Address"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: trustForwardHeader
|
||||
label: "trustForwardHeader"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: authResponseHeadersRegex
|
||||
label: "authResponseHeadersRegex"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: authResponseHeaders
|
||||
label: "authResponseHeaders"
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: authResponseHeadersEntry
|
||||
label: ""
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: authRequestHeaders
|
||||
label: "authRequestHeaders"
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: authRequestHeadersEntry
|
||||
label: ""
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
- variable: hostNetwork
|
||||
group: "Networking and Services"
|
||||
label: "Enable Host Networking"
|
||||
|
|
|
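Review bot: The `password` question under `usersEntry` is a plain `type: string`, so the SCALE UI displays and stores the basic-auth password in clear text; if this SCALE version's questions schema supports the `private: true` flag, set it on that field so the input is masked. The `forwardAuth` list's item variable is named `basicAuthEntry`, a copy-paste from the block above, and should read `- variable: forwardAuthEntry`. The forwardAuth `address` field gives no format guidance; add `description: "Full URL of the authentication service"` under its label so operators do not enter a bare host.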
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: traefikmiddlewares
|
||||
namespace: traefikmiddlewares
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install
|
|
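Review bot: `namespace: traefikmiddlewares` under `metadata` of a `Namespace` object is meaningless (Namespaces are cluster-scoped) and should be dropped. Because the object is a `pre-install` hook it is not part of the release: Helm will not recreate it on upgrade if it has been removed and will not delete it on uninstall, while the Middleware and Secret objects placed into it by the other templates are ordinary release resources. Consider `"helm.sh/hook": pre-install,pre-upgrade` so an upgrade on a cluster where the namespace went missing does not fail, and add a comment above the annotation describing this lifecycle.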
@ -0,0 +1,57 @@
|
|||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: compress
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
compress: {}
|
||||
---
|
||||
# Here, an average of 300 requests per second is allowed.
|
||||
# In addition, a burst of 200 requests is allowed.
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: basic-ratelimit
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
rateLimit:
|
||||
average: 300
|
||||
burst: 200
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: basic-secure-headers
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
headers:
|
||||
accessControlAllowMethods:
|
||||
- GET
|
||||
- OPTIONS
|
||||
- HEAD
|
||||
- PUT
|
||||
accessControlMaxAge: 100
|
||||
# sslRedirect: true
|
||||
# stsSeconds: 63072000
|
||||
# stsIncludeSubdomains: false
|
||||
# stsPreload: false
|
||||
# forceSTSHeader: true
|
||||
contentTypeNosniff: true
|
||||
browserXssFilter: true
|
||||
sslForceHost: true
|
||||
referrerPolicy: same-origin
|
||||
customResponseHeaders:
|
||||
X-Robots-Tag: 'none'
|
||||
server: ''
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: chain-basic
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
chain:
|
||||
middlewares:
|
||||
- name: basic-ratelimit
|
||||
- name: basic-secure-headers
|
||||
- name: compress
|
|
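Review bot: `basic-secure-headers` has every HSTS option (`stsSeconds`, `stsIncludeSubdomains`, `stsPreload`, `forceSTSHeader`) commented out, so the chain advertised as "secure headers" never sends Strict-Transport-Security; either enable `stsSeconds` with a deliberate value or add a comment stating that HSTS is intentionally left to the operator. `sslRedirect` and `sslForceHost` are deprecated in the Traefik v2 headers middleware in favour of entryPoint redirection and the `redirectScheme` middleware, so the enabled `sslForceHost: true` and the commented `sslRedirect` deserve a note before the upstream Traefik version moves. The rate limit has no `sourceCriterion`, so it buckets by client IP by default; behind a load balancer that does not forward client addresses all clients share one bucket, which is worth a sentence next to the existing 300/200 explanation.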
@ -0,0 +1,28 @@
|
|||
{{ range $index, $middlewareData := .Values.middlewares.basicAuth }}
|
||||
---
|
||||
{{- $users := list }}
|
||||
{{ range $index, $userdata := $middlewareData.users }}
|
||||
{{ $users = append $users ( htpasswd $userdata.username $userdata.password | b64enc ) }}
|
||||
{{ end }}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{printf "%v-%v" $middlewareData.name "secret" }}
|
||||
namespace: traefikmiddlewares
|
||||
data:
|
||||
users: |{{ len $users }}
|
||||
{{- range $index, $user := $users }}
|
||||
{{ printf "%s" $user }}
|
||||
{{- end }}
|
||||
---
|
||||
# Declaring the user list
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: {{ $middlewareData.name }}
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
basicAuth:
|
||||
secret: {{printf "%v-%v" $middlewareData.name "secret" }}
|
||||
{{ end }}
|
|
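Review bot: The Secret's `users` value is built as a block scalar `|{{ len $users }}` whose header digit is the user count, so the indentation indicator is wrong for any count that differs from the real indent and `|10` or more is not valid YAML; inside it each htpasswd line is base64-encoded separately, whereas a Secret `data` value must be one base64 string of the whole users file, so a first entry with `=` padding makes the value undecodable. Keep the entries plain and encode once: change the append to `{{ $users = append $users ( htpasswd $userdata.username $userdata.password ) }}` and replace the `users:` block together with its inner range by `users: {{ join "\n" $users | b64enc }}`. The comment `# Declaring the user list` sits above the Middleware rather than the Secret; reword it to `# Middleware that references the generated users Secret`.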
@ -0,0 +1,23 @@
|
|||
{{ range $index, $middlewareData := .Values.middlewares.forwardAuth }}
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: {{ $middlewareData.name }}
|
||||
namespace: traefikmiddlewares
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: {{ $middlewareData.address }}
|
||||
{{- if $middlewareData.authResponseHeaders }}
|
||||
authResponseHeaders: {{ $middlewareData.authResponseHeaders }}
|
||||
{{- end }}
|
||||
{{- if $middlewareData.authRequestHeaders }}
|
||||
authRequestHeaders: {{ $middlewareData.authRequestHeaders }}
|
||||
{{- end }}
|
||||
{{- if $middlewareData.authResponseHeadersRegex }}
|
||||
authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
|
||||
{{- end }}
|
||||
{{- if $middlewareData.trustForwardHeader }}
|
||||
trustForwardHeader: true
|
||||
{{- end }}
|
||||
{{ end }}
|
|
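Review bot: `authResponseHeaders: {{ $middlewareData.authResponseHeaders }}` (and `authRequestHeaders` below it) prints the Go slice as `[X-Secret X-Auth-User]`, which YAML reads as a flow sequence with the single element `X-Secret X-Auth-User`; more than one header is therefore silently merged into one bogus name that never matches. Render both lists with `toYaml`, e.g. `authResponseHeaders: {{- toYaml $middlewareData.authResponseHeaders | nindent N }}` where N (a placeholder here, indentation is not visible in this rendering) matches the list's indent under `forwardAuth`. `address` and `authResponseHeadersRegex` are emitted unquoted, so a regex such as `^X-` or an address containing `#` or `: ` can break the document or change its meaning; use `{{ $middlewareData.address | quote }}` and `{{ $middlewareData.authResponseHeadersRegex | quote }}`.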
@ -404,3 +404,23 @@ securityContext:
|
|||
|
||||
podSecurityContext:
|
||||
fsGroup: 65532
|
||||
|
||||
## SCALE Middleware Handlers
|
||||
|
||||
middlewares:
|
||||
basicAuth: []
|
||||
# - name: basicauthexample
|
||||
# users:
|
||||
# - username: testuser
|
||||
# password: testpassword
|
||||
forwardAuth: []
|
||||
# - name: forwardAuthexample
|
||||
# address: https://auth.example.com/
|
||||
# authResponseHeaders:
|
||||
# - X-Secret
|
||||
# - X-Auth-User
|
||||
# authRequestHeaders:
|
||||
# - "Accept"
|
||||
# - "X-CustomHeader"
|
||||
# authResponseHeadersRegex: "^X-"
|
||||
# trustForwardHeader: true
|
||||
|
|
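Review bot: `middlewares.basicAuth[].password` is kept in clear text in the release values (and so in the SCALE app configuration), while only the output of sprig's `htpasswd` reaches the cluster Secret; say so above the example so operators know where the plaintext lives, e.g. `# NOTE: the plain password stays in these values; only the htpasswd hash is written to the Secret`. The `forwardAuth` example's `address` should state that it must be the full URL of the authentication endpoint, including scheme and path, e.g. `# address: full URL of the auth service, e.g. https://auth.example.com/`.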