Add traefik middleware support (#601)

* add basic middleware chain to traefik

* Try some ideas for common ingress middleware support

* create middleware namespace as pre-install hook

* rename namespace file

* Add additional list with middlewares and tune the output a bit

* Add basic auth middleware spawner

* add forwardAuth support

* polish middleware names and add config examples

* initial go at traefik middleware GUI elements

* fix labels

* more missing labels
This commit is contained in:
Kjeld Schouten-Lebbing 2021-06-30 12:56:17 +02:00 committed by GitHub
parent 64ca1db288
commit 373c834d35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 282 additions and 3 deletions


@ -18,4 +18,4 @@ maintainers:
name: common
sources:
type: library
version: 6.3.8
version: 6.4.0


@ -20,6 +20,29 @@ within the common library.
{{- $primaryPort := get $primaryService.ports (include "common.classes.service.ports.primary" (dict "values" $primaryService)) -}}
{{- $name := include "common.names.name" . -}}
{{- $isStable := include "common.capabilities.ingress.isStable" . }}
{{- $fixedMiddlewares := "" }}
{{ range $index, $fixedMiddleware := $values.fixedMiddlewares }}
{{- if $index }}
{{ $fixedMiddlewares = ( printf "%v, %v-%v@%v" $fixedMiddlewares "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
{{- else }}
{{ $fixedMiddlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
{{- end }}
{{ end }}
{{- $middlewares := "" }}
{{ range $index, $middleware := $values.middlewares }}
{{- if $index }}
{{ $middlewares = ( printf "%v, %v-%v@%v" $middlewares "traefikmiddlewares" $middleware "kubernetescrd" ) }}
{{- else }}
{{ $middlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $middleware "kubernetescrd" ) }}
{{- end }}
{{ end }}
{{- if $fixedMiddlewares }}
{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}
{{ end }}
---
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
@ -27,8 +50,9 @@ metadata:
name: {{ $ingressName }}
labels:
{{- include "common.labels" . | nindent 4 }}
{{- with $values.annotations }}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
{{- with $values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
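Review bot: The join at `{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}` never checks that `$middlewares` is non-empty, so with the library defaults (`fixedMiddlewares: [chain-basic]`, `middlewares: []`) the annotation renders as `"traefikmiddlewares-chain-basic@kubernetescrd, "` with a dangling separator, and when both lists are empty an empty `router.middlewares` annotation is still written. Changing the guard to `{{- if and $fixedMiddlewares $middlewares }}` and adding `{{- else if $fixedMiddlewares }}{{ $middlewares = $fixedMiddlewares }}` before its `end`, then wrapping the annotation line in `{{- if $middlewares }}`, avoids both. Whether Traefik tolerates an empty trailing list entry I cannot tell from here, so treat the dangling separator as a rendering defect rather than a confirmed runtime failure. The named template these lines belong to starts before the hunk.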


@ -281,6 +281,16 @@ ingress:
# -- Override the name suffix that is used for this ingress.
nameOverride:
# -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
# Primarily used for TrueNAS SCALE to add additional (seperate) middlewares without exposing them to the end-user
fixedMiddlewares:
- chain-basic
# -- Additional List of middlewares in the traefikmiddlewares k8s namespace to add automatically
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
middlewares: []
# -- Provide additional annotations which may be required.
annotations: {}
# kubernetes.io/ingress.class: nginx
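Review bot: `fixedMiddlewares` defaults to `chain-basic` in the shared library values, so every chart built on common emits a `traefikmiddlewares-chain-basic@kubernetescrd` annotation whether or not the traefik chart (which creates that namespace and Middleware) is installed; other ingress controllers ignore the annotation, but Traefik, to my knowledge, refuses to create a router that references a missing middleware. That coupling belongs in the comment, e.g. `# Requires the traefikmiddlewares namespace and the referenced Middleware objects (installed by the traefik chart); clear this list for other ingress controllers`. The same comment block also misspells `seperate` at `# Primarily used for TrueNAS SCALE ...`; it should read `separate`.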


@ -25,5 +25,5 @@ sources:
- https://github.com/traefik/traefik-helm-chart
- https://traefik.io/
type: application
version: 6.1.8
version: 6.2.0
upstream_version: "v9.19.2"


@ -7,6 +7,8 @@ groups:
description: "additional container configuration"
- name: "App Configuration"
description: "App specific config options"
- name: "Middlewares"
description: "Traefik Middlewares"
- name: "Networking and Services"
description: "Configure Network and Services for container"
- name: "Storage and Persistence"
@ -44,6 +46,114 @@ questions:
type: boolean
default: true
- variable: middlewares
label: ""
group: "Middlewares"
schema:
type: dict
hidden: true
attrs:
- variable: basicAuth
label: "basicAuth"
schema:
type: list
default: []
items:
- variable: basicAuthEntry
label: ""
schema:
type: dict
hidden: true
attrs:
- variable: name
label: "Name"
schema:
type: string
required: true
default: ""
- variable: users
label: "Users"
schema:
type: list
default: []
items:
- variable: usersEntry
label: ""
schema:
type: dict
hidden: true
attrs:
- variable: username
label: "Username"
schema:
type: string
required: true
default: ""
- variable: password
label: "Password"
schema:
type: string
required: true
default: ""
- variable: forwardAuth
label: "forwardAuth"
schema:
type: list
default: []
items:
- variable: basicAuthEntry
label: ""
schema:
type: dict
hidden: true
attrs:
- variable: name
label: "Name"
schema:
type: string
required: true
default: ""
- variable: address
label: "Address"
schema:
type: string
required: true
default: ""
- variable: trustForwardHeader
label: "trustForwardHeader"
schema:
type: boolean
default: false
- variable: authResponseHeadersRegex
label: "authResponseHeadersRegex"
schema:
type: string
default: ""
- variable: authResponseHeaders
label: "authResponseHeaders"
schema:
type: list
default: []
items:
- variable: authResponseHeadersEntry
label: ""
schema:
type: string
default: ""
- variable: authRequestHeaders
label: "authRequestHeaders"
schema:
type: list
default: []
items:
- variable: authRequestHeadersEntry
label: ""
schema:
type: string
default: ""
- variable: hostNetwork
group: "Networking and Services"
label: "Enable Host Networking"
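Review bot: The `password` question under `- variable: password` is a plain `type: string`, so the SCALE form shows the value in clear text while it is typed and in the review step; the SCALE question schema supports `private: true` on string fields for exactly this, so add `private: true` under that `schema:`. The forwardAuth list reuses the item name `basicAuthEntry` (the `- variable: basicAuthEntry` under `forwardAuth`), which reads as a copy-paste leftover; `forwardAuthEntry` would follow the naming used for the other lists. The top-level `middlewares` dict is also `hidden: true`, which, if I read the schema correctly, hides everything in the "Middlewares" group it was just added to; confirm that is intended for this first iteration and say so in a comment if it is.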


@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: traefikmiddlewares
namespace: traefikmiddlewares
annotations:
"helm.sh/hook": pre-install
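Review bot: `namespace: traefikmiddlewares` on a `kind: Namespace` object has no effect, since namespaces are cluster-scoped, and can be dropped. More importantly, a resource created by a `pre-install` hook is not part of the release: Helm will not recreate it on `helm upgrade` if it was removed, and will not delete it on uninstall, so the namespace together with the Middleware objects and the htpasswd Secrets rendered into it outlive the release. Using `"helm.sh/hook": pre-install,pre-upgrade` covers the upgrade case; for the uninstall case add a comment stating that the namespace is intentionally left behind, e.g. `# Hook resource: not removed by helm uninstall, delete the namespace manually to purge middlewares and secrets`.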


@ -0,0 +1,57 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: compress
namespace: traefikmiddlewares
spec:
compress: {}
---
# Here, an average of 300 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-ratelimit
namespace: traefikmiddlewares
spec:
rateLimit:
average: 300
burst: 200
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-secure-headers
namespace: traefikmiddlewares
spec:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- HEAD
- PUT
accessControlMaxAge: 100
# sslRedirect: true
# stsSeconds: 63072000
# stsIncludeSubdomains: false
# stsPreload: false
# forceSTSHeader: true
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
referrerPolicy: same-origin
customResponseHeaders:
X-Robots-Tag: 'none'
server: ''
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: chain-basic
namespace: traefikmiddlewares
spec:
chain:
middlewares:
- name: basic-ratelimit
- name: basic-secure-headers
- name: compress
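Review bot: `sslForceHost: true` in `basic-secure-headers` is documented by Traefik v2 as deprecated and only acts together with an `sslHost` value, which is not set here, so as written it is a no-op; either drop it or set `sslHost` and note the deprecation in a comment. The commented-out STS lines above it leave `chain-basic` without HSTS; if that is deliberate, say so, e.g. `# HSTS intentionally off here (TLS is terminated per entrypoint); enable stsSeconds to apply it to every chain-basic user`. The `accessControlAllowMethods` list without an `accessControlAllowOriginList` has, to my knowledge, no CORS effect on its own and is worth a comment or removal.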


@ -0,0 +1,28 @@
{{ range $index, $middlewareData := .Values.middlewares.basicAuth }}
---
{{- $users := list }}
{{ range $index, $userdata := $middlewareData.users }}
{{ $users = append $users ( htpasswd $userdata.username $userdata.password | b64enc ) }}
{{ end }}
apiVersion: v1
kind: Secret
metadata:
name: {{printf "%v-%v" $middlewareData.name "secret" }}
namespace: traefikmiddlewares
data:
users: |{{ len $users }}
{{- range $index, $user := $users }}
{{ printf "%s" $user }}
{{- end }}
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: traefikmiddlewares
spec:
basicAuth:
secret: {{printf "%v-%v" $middlewareData.name "secret" }}
{{ end }}
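Review bot: The `data.users` value at `users: |{{ len $users }}` is not valid Secret data: each htpasswd line is base64-encoded separately, then emitted one per line under a block scalar whose indentation indicator is set to the number of users, so the value is a sequence of independently padded base64 strings with leading spaces rather than the base64 of one htpasswd file, and is unlikely to decode to the file Traefik expects. Collect the plain `htpasswd` lines, join them with `"\n"` and encode the result once, as in the rewritten lines below; the Middleware resource and the outer range are unchanged. The inner `range` also redeclares `$index`, shadowing the outer loop variable, which is harmless but worth dropping since it is unused.
```gotemplate
{{- $users := list }}
{{- range $userdata := $middlewareData.users }}
{{- $users = append $users (htpasswd $userdata.username $userdata.password) }}
{{- end }}
{{/* … unchanged: Secret apiVersion, kind, metadata … */}}
data:
  users: {{ join "\n" $users | b64enc | quote }}
```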


@ -0,0 +1,23 @@
{{ range $index, $middlewareData := .Values.middlewares.forwardAuth }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ $middlewareData.name }}
namespace: traefikmiddlewares
spec:
forwardAuth:
address: {{ $middlewareData.address }}
{{- if $middlewareData.authResponseHeaders }}
authResponseHeaders: {{ $middlewareData.authResponseHeaders }}
{{- end }}
{{- if $middlewareData.authRequestHeaders }}
authRequestHeaders: {{ $middlewareData.authRequestHeaders }}
{{- end }}
{{- if $middlewareData.authResponseHeadersRegex }}
authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
{{- end }}
{{- if $middlewareData.trustForwardHeader }}
trustForwardHeader: true
{{- end }}
{{ end }}
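Review bot: `authResponseHeaders: {{ $middlewareData.authResponseHeaders }}` and the `authRequestHeaders` line below it print a Go slice with its default formatting, which for the example values renders as `[X-Secret X-Auth-User]`, a YAML flow sequence with a single element rather than two, so the middleware is configured with a header name that does not exist. Render the lists with `toYaml` and `nindent`, and quote the scalar values (`address`, `authResponseHeadersRegex`) so a URL or regex that starts with a YAML indicator cannot break the manifest; the rewritten lines follow.
```gotemplate
  forwardAuth:
    address: {{ $middlewareData.address | quote }}
    {{- with $middlewareData.authResponseHeaders }}
    authResponseHeaders:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with $middlewareData.authRequestHeaders }}
    authRequestHeaders:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with $middlewareData.authResponseHeadersRegex }}
    authResponseHeadersRegex: {{ . | quote }}
    {{- end }}
    {{/* … unchanged: trustForwardHeader … */}}
```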


@ -404,3 +404,23 @@ securityContext:
podSecurityContext:
fsGroup: 65532
## SCALE Middleware Handlers
middlewares:
basicAuth: []
# - name: basicauthexample
# users:
# - username: testuser
# password: testpassword
forwardAuth: []
# - name: forwardAuthexample
# address: https://auth.example.com/
# authResponseHeaders:
# - X-Secret
# - X-Auth-User
# authRequestHeaders:
# - "Accept"
# - "X-CustomHeader"
# authResponseHeadersRegex: "^X-"
# trustForwardHeader: true
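Review bot: The `## SCALE Middleware Handlers` comment does not say where these entries end up: the templates render every `basicAuth` and `forwardAuth` entry as a Middleware in the `traefikmiddlewares` namespace, so an ingress references it as `traefikmiddlewares-<name>@kubernetescrd` (or by bare name through the `middlewares` list of a chart built on common). A `basicAuth` password given here is also kept in clear text in the Helm release record, as any value is, while only the rendered Secret holds the hashed form; both points belong in the comment, e.g. `# Rendered into the traefikmiddlewares namespace; reference as traefikmiddlewares-<name>@kubernetescrd. Passwords are stored as-is in release values.`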