Add traefik middleware support (#601)

* add basic middleware chain to traefik

* Try some idea's for common ingress middleware support

* create middleware namespace as pre-install hook

* rename namespace file

* Add additional list with middlewares and tune the output a bit

* Add basic auth middleware spawner

* add forwardAuth support

* polish middleware names and add config examples

* initial go at traefik middleware GUI elements

* fix labels

* more missing labels

charts/library/common/Chart.yaml

@@ -18,4 +18,4 @@ maintainers:
 name: common
 sources:
 type: library
-version: 6.3.8
+version: 6.4.0

charts/library/common/templates/classes/_ingress.tpl

@@ -20,6 +20,29 @@ within the common library.
   {{- $primaryPort := get $primaryService.ports (include "common.classes.service.ports.primary" (dict "values" $primaryService)) -}}
   {{- $name := include "common.names.name" . -}}
   {{- $isStable := include "common.capabilities.ingress.isStable" . }}
+
+  {{- $fixedMiddlewares := "" }}
+  {{ range $index, $fixedMiddleware := $values.fixedMiddlewares }}
+      {{- if $index }}
+      {{ $fixedMiddlewares = ( printf "%v, %v-%v@%v" $fixedMiddlewares "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
+      {{- else }}
+      {{ $fixedMiddlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $fixedMiddleware "kubernetescrd" ) }}
+      {{- end }}
+  {{ end }}
+
+  {{- $middlewares := "" }}
+  {{ range $index, $middleware := $values.middlewares }}
+      {{- if $index }}
+      {{ $middlewares = ( printf "%v, %v-%v@%v" $middlewares "traefikmiddlewares" $middleware "kubernetescrd" ) }}
+      {{- else }}
+      {{ $middlewares = ( printf "%v-%v@%v" "traefikmiddlewares" $middleware "kubernetescrd" ) }}
+      {{- end }}
+  {{ end }}
+
+  {{- if $fixedMiddlewares }}
+    {{ $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) }}
+  {{ end }}
+
 ---
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
@@ -27,8 +50,9 @@ metadata:
   name: {{ $ingressName }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
-  {{- with $values.annotations }}
   annotations:
+    "traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
+  {{- with $values.annotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:

charts/library/common/values.yaml

@@ -281,6 +281,16 @@ ingress:
     # -- Override the name suffix that is used for this ingress.
     nameOverride:
 
+    # -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
+    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
+    # Primarily used for TrueNAS SCALE to add additional (seperate) middlewares without exposing them to the end-user
+    fixedMiddlewares:
+      - chain-basic
+
+    # -- Additional List of middlewares in the traefikmiddlewares k8s namespace to add automatically
+    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
+    middlewares: []
+
     # -- Provide additional annotations which may be required.
     annotations: {}
       # kubernetes.io/ingress.class: nginx

charts/stable/traefik/Chart.yaml

@@ -25,5 +25,5 @@ sources:
 - https://github.com/traefik/traefik-helm-chart
 - https://traefik.io/
 type: application
-version: 6.1.8
+version: 6.2.0
 upstream_version: "v9.19.2"

charts/stable/traefik/SCALE/questions.yaml

@@ -7,6 +7,8 @@ groups:
     description: "additional container configuration"
   - name: "App Configuration"
     description: "App specific config options"
+  - name: "Middlewares"
+    description: "Traefik Middlewares"
   - name: "Networking and Services"
     description: "Configure Network and Services for container"
   - name: "Storage and Persistence"
@@ -44,6 +46,114 @@ questions:
             type: boolean
             default: true
 
+  - variable: middlewares
+    label: ""
+    group: "Middlewares"
+    schema:
+      type: dict
+      hidden: true
+      attrs:
+        - variable: basicAuth
+          label: "basicAuth"
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: basicAuthEntry
+                label: ""
+                schema:
+                  type: dict
+                  hidden: true
+                  attrs:
+                    - variable: name
+                      label: "Name"
+                      schema:
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: users
+                      label: "Users"
+                      schema:
+                        type: list
+                        default: []
+                        items:
+                          - variable: usersEntry
+                            label: ""
+                            schema:
+                              type: dict
+                              hidden: true
+                              attrs:
+                                - variable: username
+                                  label: "Username"
+                                  schema:
+                                    type: string
+                                    required: true
+                                    default: ""
+                                - variable: password
+                                  label: "Password"
+                                  schema:
+                                    type: string
+                                    required: true
+                                    default: ""
+
+
+        - variable: forwardAuth
+          label: "forwardAuth"
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: basicAuthEntry
+                label: ""
+                schema:
+                  type: dict
+                  hidden: true
+                  attrs:
+                    - variable: name
+                      label: "Name"
+                      schema:
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: address
+                      label: "Address"
+                      schema:
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: trustForwardHeader
+                      label: "trustForwardHeader"
+                      schema:
+                        type: boolean
+                        default: false
+                    - variable: authResponseHeadersRegex
+                      label: "authResponseHeadersRegex"
+                      schema:
+                        type: string
+                        default: ""
+                    - variable: authResponseHeaders
+                      label: "authResponseHeaders"
+                      schema:
+                        type: list
+                        default: []
+                        items:
+                          - variable: authResponseHeadersEntry
+                            label: ""
+                            schema:
+                              type: string
+                              default: ""
+                    - variable: authRequestHeaders
+                      label: "authRequestHeaders"
+                      schema:
+                        type: list
+                        default: []
+                        items:
+                          - variable: authRequestHeadersEntry
+                            label: ""
+                            schema:
+                              type: string
+                              default: ""
+
   - variable: hostNetwork
     group: "Networking and Services"
     label: "Enable Host Networking"

charts/stable/traefik/templates/custom/middleware-namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefikmiddlewares
+  namespace: traefikmiddlewares
+  annotations:
+    "helm.sh/hook": pre-install

charts/stable/traefik/templates/custom/middlewares/basic-middleware.yaml

@@ -0,0 +1,57 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: compress
+  namespace: traefikmiddlewares
+spec:
+  compress: {}
+---
+# Here, an average of 300 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: basic-ratelimit
+  namespace: traefikmiddlewares
+spec:
+  rateLimit:
+    average: 300
+    burst: 200
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: basic-secure-headers
+  namespace: traefikmiddlewares
+spec:
+  headers:
+    accessControlAllowMethods:
+      - GET
+      - OPTIONS
+      - HEAD
+      - PUT
+    accessControlMaxAge: 100
+    # sslRedirect: true
+    # stsSeconds: 63072000
+    # stsIncludeSubdomains: false
+    # stsPreload: false
+    # forceSTSHeader: true
+    contentTypeNosniff: true
+    browserXssFilter: true
+    sslForceHost: true
+    referrerPolicy: same-origin
+    customResponseHeaders:
+      X-Robots-Tag: 'none'
+      server: ''
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: chain-basic
+  namespace: traefikmiddlewares
+spec:
+  chain:
+    middlewares:
+    - name: basic-ratelimit
+    - name: basic-secure-headers
+    - name: compress

charts/stable/traefik/templates/custom/middlewares/basicauth.yaml

@@ -0,0 +1,28 @@
+{{ range $index, $middlewareData := .Values.middlewares.basicAuth }}
+---
+{{- $users := list }}
+{{ range $index, $userdata := $middlewareData.users }}
+    {{ $users = append $users ( htpasswd $userdata.username $userdata.password | b64enc ) }}
+{{ end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{printf "%v-%v" $middlewareData.name "secret" }}
+  namespace: traefikmiddlewares
+data:
+  users: |{{ len $users }}
+    {{- range $index, $user := $users }}
+    {{ printf "%s" $user }}
+    {{- end }}
+---
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ $middlewareData.name }}
+  namespace: traefikmiddlewares
+spec:
+  basicAuth:
+    secret: {{printf "%v-%v" $middlewareData.name "secret" }}
+{{ end }}

charts/stable/traefik/templates/custom/middlewares/forwardauth.yaml

@@ -0,0 +1,23 @@
+{{ range $index, $middlewareData := .Values.middlewares.forwardAuth }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ $middlewareData.name }}
+  namespace: traefikmiddlewares
+spec:
+  forwardAuth:
+    address: {{ $middlewareData.address }}
+    {{- if $middlewareData.authResponseHeaders }}
+    authResponseHeaders: {{ $middlewareData.authResponseHeaders }}
+    {{- end }}
+    {{- if $middlewareData.authRequestHeaders }}
+    authRequestHeaders: {{ $middlewareData.authRequestHeaders }}
+    {{- end }}
+    {{- if $middlewareData.authResponseHeadersRegex }}
+    authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
+    {{- end }}
+    {{- if $middlewareData.trustForwardHeader }}
+    trustForwardHeader: true
+    {{- end }}
+{{ end }}

charts/stable/traefik/values.yaml

@@ -404,3 +404,23 @@ securityContext:
 
 podSecurityContext:
   fsGroup: 65532
+
+## SCALE Middleware Handlers
+
+middlewares:
+  basicAuth: []
+  # - name: basicauthexample
+  #   users:
+  #     - username: testuser
+  #       password: testpassword
+  forwardAuth: []
+  # - name: forwardAuthexample
+  #   address: https://auth.example.com/
+  #   authResponseHeaders:
+  #     - X-Secret
+  #     - X-Auth-User
+  #   authRequestHeaders:
+  #     - "Accept"
+  #     - "X-CustomHeader"
+  #   authResponseHeadersRegex: "^X-"
+  #   trustForwardHeader: true