From 373c834d350fba03567afa85f9e33e164b436782 Mon Sep 17 00:00:00 2001
From: Kjeld Schouten-Lebbing
Date: Wed, 30 Jun 2021 12:56:17 +0200
Subject: [PATCH] Add traefik middleware support (#601)

* add basic middleware chain to traefik
* Try some idea's for common ingress middleware support
* create middleware namespace as pre-install hook
* rename namespace file
* Add additional list with middlewares and tune the output a bit
* Add basic auth middleware spawner
* add forwardAuth support
* polish middleware names and add config examples
* initial go at traefik middleware GUI elements
* fix labels
* more missing labels
---
 charts/library/common/Chart.yaml | 2 +-
 .../common/templates/classes/_ingress.tpl | 26 ++++-
 charts/library/common/values.yaml | 10 ++
 charts/stable/traefik/Chart.yaml | 2 +-
 charts/stable/traefik/SCALE/questions.yaml | 110 ++++++++++++++++++
 .../custom/middleware-namespace.yaml | 7 ++
 .../custom/middlewares/basic-middleware.yaml | 57 +++++++++
 .../custom/middlewares/basicauth.yaml | 28 +++++
 .../custom/middlewares/forwardauth.yaml | 23 ++++
 charts/stable/traefik/values.yaml | 20 ++++
 10 files changed, 282 insertions(+), 3 deletions(-)
 create mode 100644 charts/stable/traefik/templates/custom/middleware-namespace.yaml
 create mode 100644 charts/stable/traefik/templates/custom/middlewares/basic-middleware.yaml
 create mode 100644 charts/stable/traefik/templates/custom/middlewares/basicauth.yaml
 create mode 100644 charts/stable/traefik/templates/custom/middlewares/forwardauth.yaml

diff --git a/charts/library/common/Chart.yaml b/charts/library/common/Chart.yaml
index 1c93cd15f29..01d13456368 100644
--- a/charts/library/common/Chart.yaml
+++ b/charts/library/common/Chart.yaml
@@ -18,4 +18,4 @@ maintainers:
 name: common
 sources:
 type: library
-version: 6.3.8
+version: 6.4.0
diff --git a/charts/library/common/templates/classes/_ingress.tpl b/charts/library/common/templates/classes/_ingress.tpl
index 6aa779658ef..00dda2c7377 100644
--- a/charts/library/common/templates/classes/_ingress.tpl
+++ b/charts/library/common/templates/classes/_ingress.tpl
@@ -20,6 +20,29 @@ within the common library.
 {{- $primaryPort := get $primaryService.ports (include "common.classes.service.ports.primary" (dict "values" $primaryService)) -}}
 {{- $name := include "common.names.name" . -}}
 {{- $isStable := include "common.capabilities.ingress.isStable" . }}
+
+ {{- $fixedMiddlewares := "" }}
+ {{ range $index, $fixedMiddleware := $values.fixedMiddlewares }}
+ {{- if $index }}
+ {{ $fixedMiddlewares = ( printf "%v, %v-%v@%v" $fixedMiddlewares "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
+ {{- else }}
+ {{ $fixedMiddlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
+ {{- end }}
+ {{ end }}
+
+ {{- $middlewares := "" }}
+ {{ range $index, $middleware := $values.middlewares }}
+ {{- if $index }}
+ {{ $middlewares = ( printf "%v, %v-%v@%v" $middlewares "traefikmiddlewares" $middleware "kubernetescrd" ) }}
+ {{- else }}
+ {{ $middlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $middleware "kubernetescrd" ) }}
+ {{- end }}
+ {{ end }}
+
+ {{- if $fixedMiddlewares }}
+ {{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}
+ {{ end }}
+
 ---
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
@@ -27,8 +50,9 @@ metadata:
 name: {{ $ingressName }}
 labels:
 {{- include "common.labels" . | nindent 4 }}
- {{- with $values.annotations }}
 annotations:
+ "traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
+ {{- with $values.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
diff --git a/charts/library/common/values.yaml b/charts/library/common/values.yaml
index f73f8771df6..a438396847e 100644
--- a/charts/library/common/values.yaml
+++ b/charts/library/common/values.yaml
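Review bot: The final join in the new block, `{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}`, runs whenever `$fixedMiddlewares` is set and appends `, ` even when `$middlewares` is still empty, so with the default values the annotation ends in a trailing `, ` and Traefik may be handed an empty middleware name. Either guard the join on both strings or trim the result, e.g. `{{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares | trimSuffix ", " ) }}`. The `traefikmiddlewares-<name>@kubernetescrd` format hardcodes both the namespace and the provider; a comment such as `{{/* Traefik references CRD middlewares as <k8s-namespace>-<name>@kubernetescrd */}}` above the first range would save the next reader a docs lookup. The enclosing template definition starts before this hunk.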
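Review bot: The added `"traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}` line is emitted unconditionally, so every ingress rendered by this library now carries a Traefik-specific annotation (an empty string when nothing is configured) even where another ingress controller is in use. Wrap it in `{{- if $middlewares }} … {{- end }}` and only emit the `annotations:` key when that or `$values.annotations` is non-empty, which is the guarantee the removed `{{- with $values.annotations }}` guard used to give. Because this line is rendered before the user's `$values.annotations`, a user who also sets `traefik.ingress.kubernetes.io/router.middlewares` produces a duplicate mapping key, and which value wins then depends on the YAML parser.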
@@ -281,6 +281,16 @@ ingress:
 # -- Override the name suffix that is used for this ingress.
 nameOverride:
+ # -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
+ # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
+ # Primarily used for TrueNAS SCALE to add additional (seperate) middlewares without exposing them to the end-user
+ fixedMiddlewares:
+ - chain-basic
+
+ # -- Additional List of middlewares in the traefikmiddlewares k8s namespace to add automatically
+ # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
+ middlewares: []
+
 # -- Provide additional annotations which may be required.
 annotations: {}
 # kubernetes.io/ingress.class: nginx
diff --git a/charts/stable/traefik/Chart.yaml b/charts/stable/traefik/Chart.yaml
index da50b33ed02..79b441483c1 100644
--- a/charts/stable/traefik/Chart.yaml
+++ b/charts/stable/traefik/Chart.yaml
@@ -25,5 +25,5 @@ sources:
 - https://github.com/traefik/traefik-helm-chart
 - https://traefik.io/
 type: application
-version: 6.1.8
+version: 6.2.0
 upstream_version: "v9.19.2"
diff --git a/charts/stable/traefik/SCALE/questions.yaml b/charts/stable/traefik/SCALE/questions.yaml
index b90aec04449..075a5a5ef19 100644
--- a/charts/stable/traefik/SCALE/questions.yaml
+++ b/charts/stable/traefik/SCALE/questions.yaml
@@ -7,6 +7,8 @@ groups:
 description: "additional container configuration"
 - name: "App Configuration"
 description: "App specific config options"
+ - name: "Middlewares"
+ description: "Traefik Middlewares"
 - name: "Networking and Services"
 description: "Configure Network and Services for container"
 - name: "Storage and Persistence"
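Review bot: The `fixedMiddlewares` default of `chain-basic` means every chart built on this library now has the `basic-ratelimit`, `basic-secure-headers` and `compress` middlewares (the members of that chain, defined elsewhere in this patch) applied to its ingress, and the comment above it does not say so; operators debugging throttled or rewritten responses need that stated here. Suggested first comment: `# -- Middlewares in the traefikmiddlewares k8s namespace applied to every ingress; the default chain-basic adds rate limiting, security headers and compression`. If the referenced middleware does not exist in the cluster (a Traefik not installed from this repo), Traefik will, as far as I know, refuse the whole router, which is also worth a sentence. Minor: `(seperate)` should read `(separate)`, and `Additional List` should be `Additional list` to match the line above.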
@@ -44,6 +46,114 @@ questions:
 type: boolean
 default: true
+ - variable: middlewares
+ label: ""
+ group: "Middlewares"
+ schema:
+ type: dict
+ hidden: true
+ attrs:
+ - variable: basicAuth
+ label: "basicAuth"
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: basicAuthEntry
+ label: ""
+ schema:
+ type: dict
+ hidden: true
+ attrs:
+ - variable: name
+ label: "Name"
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: users
+ label: "Users"
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: usersEntry
+ label: ""
+ schema:
+ type: dict
+ hidden: true
+ attrs:
+ - variable: username
+ label: "Username"
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: password
+ label: "Password"
+ schema:
+ type: string
+ required: true
+ default: ""
+
+
+ - variable: forwardAuth
+ label: "forwardAuth"
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: basicAuthEntry
+ label: ""
+ schema:
+ type: dict
+ hidden: true
+ attrs:
+ - variable: name
+ label: "Name"
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: address
+ label: "Address"
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: trustForwardHeader
+ label: "trustForwardHeader"
+ schema:
+ type: boolean
+ default: false
+ - variable: authResponseHeadersRegex
+ label: "authResponseHeadersRegex"
+ schema:
+ type: string
+ default: ""
+ - variable: authResponseHeaders
+ label: "authResponseHeaders"
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: authResponseHeadersEntry
+ label: ""
+ schema:
+ type: string
+ default: ""
+ - variable: authRequestHeaders
+ label: "authRequestHeaders"
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: authRequestHeadersEntry
+ label: ""
+ schema:
+ type: string
+ default: ""
+
 - variable: hostNetwork
 group: "Networking and Services"
 label: "Enable Host Networking"
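Review bot: The `password` question under `usersEntry` is a plain `type: string`, so the SCALE form shows the basic-auth password in clear text as it is typed and stored; if the questions schema supports it, add `private: true` next to `required: true` so the field is masked. The list item under `forwardAuth` is still named `basicAuthEntry`, the same name as the one under `basicAuth`, evidently a copy-paste; rename it `- variable: forwardAuthEntry`. `trustForwardHeader` has only a label, and per the Traefik docs enabling it makes Traefik trust client-supplied `X-Forwarded-*` headers, which is only safe behind a trusted proxy; a `description: "Only enable when Traefik sits behind a trusted reverse proxy"` would let users decide correctly. The `questions:` list continues outside this hunk.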
diff --git a/charts/stable/traefik/templates/custom/middleware-namespace.yaml b/charts/stable/traefik/templates/custom/middleware-namespace.yaml
new file mode 100644
index 00000000000..16156ee5e12
--- /dev/null
+++ b/charts/stable/traefik/templates/custom/middleware-namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefikmiddlewares
+ namespace: traefikmiddlewares
+ annotations:
+ "helm.sh/hook": pre-install
diff --git a/charts/stable/traefik/templates/custom/middlewares/basic-middleware.yaml b/charts/stable/traefik/templates/custom/middlewares/basic-middleware.yaml
new file mode 100644
index 00000000000..d81132ed5a1
--- /dev/null
+++ b/charts/stable/traefik/templates/custom/middlewares/basic-middleware.yaml
@@ -0,0 +1,57 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: compress
+ namespace: traefikmiddlewares
+spec:
+ compress: {}
+---
+# Here, an average of 300 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-ratelimit
+ namespace: traefikmiddlewares
+spec:
+ rateLimit:
+ average: 300
+ burst: 200
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: basic-secure-headers
+ namespace: traefikmiddlewares
+spec:
+ headers:
+ accessControlAllowMethods:
+ - GET
+ - OPTIONS
+ - HEAD
+ - PUT
+ accessControlMaxAge: 100
+ # sslRedirect: true
+ # stsSeconds: 63072000
+ # stsIncludeSubdomains: false
+ # stsPreload: false
+ # forceSTSHeader: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ sslForceHost: true
+ referrerPolicy: same-origin
+ customResponseHeaders:
+ X-Robots-Tag: 'none'
+ server: ''
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: chain-basic
+ namespace: traefikmiddlewares
+spec:
+ chain:
+ middlewares:
+ - name: basic-ratelimit
+ - name: basic-secure-headers
+ - name: compress
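Review bot: `namespace: traefikmiddlewares` on a `kind: Namespace` object has no meaning, since Namespace is cluster-scoped and the API server discards the field; drop that line. Because the object is a `pre-install` hook, Helm does not track it as part of the release: it is not removed on uninstall and, as far as I recall, is not recreated on `helm upgrade` if it was deleted in between, at which point the Middleware objects that target this namespace would fail to apply. A comment such as `# pre-install hook: created once, not managed, upgraded or deleted with the release` would make that lifecycle explicit for whoever next touches it.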
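Review bot: `basic-secure-headers` leaves every HSTS setting (`stsSeconds`, `stsIncludeSubdomains`, `stsPreload`, `forceSTSHeader`) commented out, so the chain applied by default as the "secure headers" set never emits `Strict-Transport-Security`; either enable them or add a comment saying why they are deliberately off. `sslForceHost: true` is set without an `sslHost`, and `accessControlAllowMethods` without an `accessControlAllowOriginList`; per the Traefik docs both appear to need their companion value to do anything, so they would be clearer removed or completed. `browserXssFilter: true` emits the deprecated `X-XSS-Protection` header, which current browsers ignore; a `contentSecurityPolicy` is the modern replacement. Also worth a comment above `basic-ratelimit`: with no `sourceCriterion` Traefik keys the limit on the client IP as I understand it, so all users behind one NAT share the 300 req/s budget on every ingress.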
diff --git a/charts/stable/traefik/templates/custom/middlewares/basicauth.yaml b/charts/stable/traefik/templates/custom/middlewares/basicauth.yaml
new file mode 100644
index 00000000000..412502ed73c
--- /dev/null
+++ b/charts/stable/traefik/templates/custom/middlewares/basicauth.yaml
@@ -0,0 +1,28 @@
+{{ range $index, $middlewareData := .Values.middlewares.basicAuth }}
+---
+{{- $users := list }}
+{{ range $index, $userdata := $middlewareData.users }}
+ {{ $users = append $users ( htpasswd $userdata.username $userdata.password | b64enc ) }}
+{{ end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{printf "%v-%v" $middlewareData.name "secret" }}
+ namespace: traefikmiddlewares
+data:
+ users: |{{ len $users }}
+ {{- range $index, $user := $users }}
+ {{ printf "%s" $user }}
+ {{- end }}
+---
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ $middlewareData.name }}
+ namespace: traefikmiddlewares
+spec:
+ basicAuth:
+ secret: {{printf "%v-%v" $middlewareData.name "secret" }}
+{{ end }}
diff --git a/charts/stable/traefik/templates/custom/middlewares/forwardauth.yaml b/charts/stable/traefik/templates/custom/middlewares/forwardauth.yaml
new file mode 100644
index 00000000000..bb90d33775e
--- /dev/null
+++ b/charts/stable/traefik/templates/custom/middlewares/forwardauth.yaml
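Review bot: The Secret's `users:` value is not a valid base64 encoding of an htpasswd file: each `htpasswd` line is base64-encoded separately in the `append`, and the lines are then listed under a block scalar whose indentation indicator is `{{ len $users }}`, so with more than one user the value is several independent base64 strings separated by newlines, and the indicator (which changes with the user count) may leave leading whitespace inside the value; the API server's decoder will most likely reject or mis-decode that. Build the htpasswd content first and encode it once, which also removes the hand-rendered list. Note that only bcrypt hashes reach this Secret, but the clear-text passwords stay in the chart values and, as I understand Helm, in the release storage; a comment on the values side should say so. A `name` containing `: ` or `#` would also break the unquoted `name:` lines, so `| quote` them.

```yaml
{{- $users := list }}
{{- range $userdata := $middlewareData.users }}
  {{- $users = append $users (htpasswd $userdata.username $userdata.password) }}
{{- end }}
# … unchanged: Secret apiVersion/kind/metadata …
data:
  users: {{ join "\n" $users | b64enc | quote }}
```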
@@ -0,0 +1,23 @@
+{{ range $index, $middlewareData := .Values.middlewares.forwardAuth }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ $middlewareData.name }}
+ namespace: traefikmiddlewares
+spec:
+ forwardAuth:
+ address: {{ $middlewareData.address }}
+ {{- if $middlewareData.authResponseHeaders }}
+ authResponseHeaders: {{ $middlewareData.authResponseHeaders }}
+ {{- end }}
+ {{- if $middlewareData.authRequestHeaders }}
+ authRequestHeaders: {{ $middlewareData.authRequestHeaders }}
+ {{- end }}
+ {{- if $middlewareData.authResponseHeadersRegex }}
+ authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
+ {{- end }}
+ {{- if $middlewareData.trustForwardHeader }}
+ trustForwardHeader: true
+ {{- end }}
+{{ end }}
diff --git a/charts/stable/traefik/values.yaml b/charts/stable/traefik/values.yaml
index 8d0ba5213e5..74e6d4760b6 100644
--- a/charts/stable/traefik/values.yaml
+++ b/charts/stable/traefik/values.yaml
@@ -404,3 +404,23 @@ securityContext:
 podSecurityContext:
 fsGroup: 65532
+
+## SCALE Middleware Handlers
+
+middlewares:
+ basicAuth: []
+ # - name: basicauthexample
+ # users:
+ # - username: testuser
+ # password: testpassword
+ forwardAuth: []
+ # - name: forwardAuthexample
+ # address: https://auth.example.com/
+ # authResponseHeaders:
+ # - X-Secret
+ # - X-Auth-User
+ # authRequestHeaders:
+ # - "Accept"
+ # - "X-CustomHeader"
+ # authResponseHeadersRegex: "^X-"
+ # trustForwardHeader: true
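Review bot: `authResponseHeaders: {{ $middlewareData.authResponseHeaders }}` and the `authRequestHeaders` line interpolate a Go list directly, which renders as `[X-Secret X-Auth-User]`, a single-element YAML flow sequence holding one space-joined string rather than two headers; render lists with `toYaml` and `nindent`. `address` and `authResponseHeadersRegex` are unquoted templated scalars, so a URL or regex containing `: ` or `#` breaks the document; pass them through `| quote`. `trustForwardHeader: true` makes Traefik trust client-supplied `X-Forwarded-*` headers per its docs, so a comment such as `# only safe when Traefik sits behind a trusted reverse proxy` belongs above that block. The template is complete within this hunk.

```yaml
    address: {{ $middlewareData.address | quote }}
    {{- with $middlewareData.authResponseHeaders }}
    authResponseHeaders:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with $middlewareData.authRequestHeaders }}
    authRequestHeaders:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with $middlewareData.authResponseHeadersRegex }}
    authResponseHeadersRegex: {{ . | quote }}
    {{- end }}
    # … unchanged: trustForwardHeader block and closing range …
```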