From 9c2b859a76d565cff28c97b52cfab92a0e89ebc3 Mon Sep 17 00:00:00 2001 
From: Kjeld Schouten Date: Mon, 31 Jul 2023 12:32:04 +0200 Subject: [PATCH] feat(traefik): BREAKING CHANGE register traefik and use traefik namespace for middleware instead of tc-system (#11086) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** With the removal of manifest manager tc-system is removed for new users. Traefik should use it's own namespace for middlewares instead and common is already adapted to allow this. This change also allows us to throw errors if traefik isn't installed on a system when ingress is enabled. Downside is that this currently breaks ingressclass, which is a non-supported setup currently, untill we do more R&D for cleanly handling ingressClasses, namespaces and middlewares correctly. Also adds helm and SCALE support for the modsecurity plugin. Also fixes CI bug with metallb. **โš™๏ธ Type of change** - [x] โš™๏ธ Feature/App addition - [x] ๐Ÿช› Bugfix - [x] โš ๏ธ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [x] ๐Ÿ”ƒ Refactor of current code **๐Ÿงช How Has This Been Tested?** **๐Ÿ“ƒ Notes:** **โœ”๏ธ Checklist:** - [ ] โš–๏ธ My code follows the style guidelines of this project - [ ] ๐Ÿ‘€ I have performed a self-review of my own code - [ ] #๏ธโƒฃ I have commented my code, particularly in hard-to-understand areas - [ ] ๐Ÿ“„ I have made corresponding changes to the documentation - [ ] โš ๏ธ My changes generate no new warnings - [ ] ๐Ÿงช I have added tests to this description that prove my fix is effective or that my feature works - [ ] โฌ†๏ธ I increased versions for any altered app according to semantic versioning **โž• App addition** If this PR is an app addition please make sure you have done the following. - [ ] ๐Ÿชž I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. 
- [ ] ๐Ÿ–ผ๏ธ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --- .github/workflows/charts-test.yaml | 12 +++--- charts/enterprise/traefik/Chart.yaml | 2 +- charts/enterprise/traefik/questions.yaml | 1 + .../traefik/templates/_portalhook.tpl | 1 - .../templates/middlewares/addPrefix.yaml | 2 +- .../middlewares/basic-middleware.yaml | 8 ++-- .../templates/middlewares/basicauth.yaml | 4 +- .../templates/middlewares/buffering.yaml | 2 +- .../traefik/templates/middlewares/chain.yaml | 6 +-- .../middlewares/customFrameOptionsValue.yaml | 2 +- .../middlewares/customRequestHeaders.yaml | 2 +- .../middlewares/customResponseHeaders.yaml | 2 +- .../templates/middlewares/forwardauth.yaml | 2 +- .../templates/middlewares/geoblock.yaml | 2 +- .../templates/middlewares/ipwhitelist.yaml | 2 +- .../templates/middlewares/modsecurity.yaml | 14 +++++++ .../templates/middlewares/ratelimit.yaml | 2 +- .../templates/middlewares/real-ip.yaml | 2 +- .../templates/middlewares/redirectScheme.yaml | 2 +- .../templates/middlewares/redirectregex.yaml | 2 +- .../middlewares/stripPrefixRegex.yaml | 2 +- .../templates/middlewares/tc-chains.yaml | 4 +- .../templates/middlewares/tc-headers.yaml | 4 +- .../templates/middlewares/tc-nextcloud.yaml | 4 +- .../templates/middlewares/theme-park.yaml | 2 +- charts/enterprise/traefik/values.yaml | 11 +++++ .../traefik/modsecurityMiddleware.yaml | 41 +++++++++++++++++++ 27 files changed, 103 insertions(+), 37 deletions(-) create mode 100644 charts/enterprise/traefik/templates/middlewares/modsecurity.yaml create mode 100644 templates/questions/traefik/modsecurityMiddleware.yaml diff --git a/.github/workflows/charts-test.yaml b/.github/workflows/charts-test.yaml index 08cc61568ea..64e6768a079 100644 
--- a/.github/workflows/charts-test.yaml
+++ b/.github/workflows/charts-test.yaml
@@ -150,7 +150,7 @@ jobs:
 run: |
 ## TODO: Move to our Helm Charts
 ## TODO: Only add when required
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
@@ -208,7 +208,7 @@ jobs:
 - name: Add Dependencies
 run: |
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
@@ -266,7 +266,7 @@ jobs:
 - name: Add Dependencies
 run: |
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
@@ -324,7 +324,7 @@ jobs:
 - name: Add Dependencies
 run: |
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
@@ -382,7 +382,7 @@ jobs:
 - name: Add Dependencies
 run: |
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f --server-side --force-conflicts https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
@@ -440,7 +440,7 @@ jobs:
 - name: Add Dependencies
 run: |
- if [[ "${{ matrix.chart }}" != "charts/operators/metallb" ]]; then
+ if [[ "${{ matrix.chart }}" == "charts/operators/metallb-config" ]]; then
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"
 fi
 if [[ "${{ matrix.chart }}" != "charts/operators/cloudnative-pg" ]]; then
diff --git a/charts/enterprise/traefik/Chart.yaml b/charts/enterprise/traefik/Chart.yaml
index f45c0488673..d8db1332407 100644
--- a/charts/enterprise/traefik/Chart.yaml
+++ b/charts/enterprise/traefik/Chart.yaml
@@ -23,7 +23,7 @@ sources:
 - https://github.com/traefik/traefik-helm-chart
 - https://traefik.io/
 type: application
-version: 19.1.0
+version: 20.0.0
 annotations:
 truecharts.org/catagories: |
 - network
diff --git a/charts/enterprise/traefik/questions.yaml b/charts/enterprise/traefik/questions.yaml
index bdfb2413ec0..9ce5b7829d4 100644
--- a/charts/enterprise/traefik/questions.yaml
+++ b/charts/enterprise/traefik/questions.yaml
@@ -198,6 +198,7 @@ questions:
 # Include{realIPMiddleware}
 # Include{geoBlockMiddleware}
 # Include{addPrefixMiddleware}
+# Include{modsecurityMiddleware}
 - variable: service
 group: "Networking and Services"
 label: "Configure Service Entrypoint"
diff --git a/charts/enterprise/traefik/templates/_portalhook.tpl b/charts/enterprise/traefik/templates/_portalhook.tpl
index 242555bdc92..ec69a695ca6 100644
--- a/charts/enterprise/traefik/templates/_portalhook.tpl
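Review bot: In the `@@ -382` hunk the context line right after the changed condition reads `kubectl apply -f --server-side --force-conflicts https://...`, so `-f` consumes `--server-side` as its filename and the metallb manifest is never applied on that job, while the other five hunks place the flags after the URL. The line is pre-existing context, but since this commit is the metallb CI fix it is worth aligning it with its siblings: `kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml --server-side --force-conflicts || echo "error fetching metallb manifest"`. Note that the `|| echo` fallback used in the other hunks turns a failed fetch into a passing step, so a metallb-config test that needs those CRDs would fail later and further from the cause; a comment on the `run:` block stating that this is intentionally best-effort would make that trade-off visible. Each `run: |` block begins outside its hunk.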
+++ b/charts/enterprise/traefik/templates/_portalhook.tpl
@@ -10,7 +10,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ $name }}
- namespace: tc-system
 data:
 {{- $ports := dict }}
 {{- range $.Values.service }}
diff --git a/charts/enterprise/traefik/templates/middlewares/addPrefix.yaml b/charts/enterprise/traefik/templates/middlewares/addPrefix.yaml
index cae53f113ea..47138233643 100644
--- a/charts/enterprise/traefik/templates/middlewares/addPrefix.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/addPrefix.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 addPrefix:
 prefix: {{ $middlewareData.prefix }}
diff --git a/charts/enterprise/traefik/templates/middlewares/basic-middleware.yaml b/charts/enterprise/traefik/templates/middlewares/basic-middleware.yaml
index 108b99499d3..ef4671254ef 100644
--- a/charts/enterprise/traefik/templates/middlewares/basic-middleware.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/basic-middleware.yaml
@@ -3,7 +3,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-compress" $.Release.Name) "compress" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 compress: {}
 ---
@@ -13,7 +13,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-basic-ratelimit" $.Release.Name) "basic-ratelimit" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 rateLimit:
 average: 600
@@ -23,7 +23,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-basic-secure-headers" $.Release.Name) "basic-secure-headers" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 accessControlAllowMethods:
@@ -48,7 +48,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-chain-basic" $.Release.Name) "chain-basic" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 chain:
 middlewares:
diff --git a/charts/enterprise/traefik/templates/middlewares/basicauth.yaml b/charts/enterprise/traefik/templates/middlewares/basicauth.yaml
index dab1a486a62..1bbdc462b34 100644
--- a/charts/enterprise/traefik/templates/middlewares/basicauth.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/basicauth.yaml
@@ -10,7 +10,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ printf "%v-%v" $middlewareData.name "secret" }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 type: Opaque
 stringData:
 users: |
@@ -23,7 +23,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 basicAuth:
 secret: {{ printf "%v-%v" $middlewareData.name "secret" }}
diff --git a/charts/enterprise/traefik/templates/middlewares/buffering.yaml b/charts/enterprise/traefik/templates/middlewares/buffering.yaml
index eae1dad276d..bcefddb6179 100644
--- a/charts/enterprise/traefik/templates/middlewares/buffering.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/buffering.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 buffering: {{/* Only render if its not and has a value of 0 or greater */}} {{- if not (kindIs "invalid" $middlewareData.maxRequestBodyBytes) (ge ($middlewareData.maxRequestBodyBytes | int) 0) }}
diff --git a/charts/enterprise/traefik/templates/middlewares/chain.yaml b/charts/enterprise/traefik/templates/middlewares/chain.yaml
index ec4c38100d7..17d8853fb05 100644
--- a/charts/enterprise/traefik/templates/middlewares/chain.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/chain.yaml
@@ -1,7 +1,7 @@
 {{- $values := .Values -}}
-{{- $namespace := "tc-system" -}}
+{{- $namespace := $.Release.Namespace -}}
 {{- if $.Values.ingressClass.enabled -}}
- {{- $namespace := (printf "tc-system-%s" .Release.Name) -}}
+ {{- $namespace := (printf "%v-%v" $namespace .Release.Name) -}}
 {{- end -}}
 {{- range $index, $middlewareData := .Values.middlewares.chain }}
@@ -11,7 +11,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 chain:
 middlewares:
diff --git a/charts/enterprise/traefik/templates/middlewares/customFrameOptionsValue.yaml b/charts/enterprise/traefik/templates/middlewares/customFrameOptionsValue.yaml
index 2931f1d1126..9b9f2b6606c 100644
--- a/charts/enterprise/traefik/templates/middlewares/customFrameOptionsValue.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/customFrameOptionsValue.yaml
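Review bot: In chain.yaml's first hunk the added `{{- $namespace := (printf "%v-%v" $namespace .Release.Name) -}}` inside the `if` declares a fresh variable scoped to that block, so the outer `$namespace` keeps `$.Release.Namespace` and the ingressClass branch has no effect (the removed line had the same `:=`). If reassignment is intended, the line should be `{{- $namespace = (printf "%v-%v" $namespace .Release.Name) -}}`. Separately, the Middleware objects in the second hunk are rendered into `$.Release.Namespace`, so a chain that resolves to `<namespace>-<release>` would reference middlewares in a namespace this chart does not create; the description already calls the ingressClass setup unsupported, and a one-line comment above the `if` saying so would spare the next reader the investigation. The `range` body continues outside the hunk.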
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 customFrameOptionsValue: {{ $middlewareData.value }}
diff --git a/charts/enterprise/traefik/templates/middlewares/customRequestHeaders.yaml b/charts/enterprise/traefik/templates/middlewares/customRequestHeaders.yaml
index e9c5b030fd6..3c43a131a1d 100644
--- a/charts/enterprise/traefik/templates/middlewares/customRequestHeaders.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/customRequestHeaders.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 customRequestHeaders:
diff --git a/charts/enterprise/traefik/templates/middlewares/customResponseHeaders.yaml b/charts/enterprise/traefik/templates/middlewares/customResponseHeaders.yaml
index c11e151a2d7..a75db8a3382 100644
--- a/charts/enterprise/traefik/templates/middlewares/customResponseHeaders.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/customResponseHeaders.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 customResponseHeaders:
diff --git a/charts/enterprise/traefik/templates/middlewares/forwardauth.yaml b/charts/enterprise/traefik/templates/middlewares/forwardauth.yaml
index 08ad72e5cca..787fa796823 100644
--- a/charts/enterprise/traefik/templates/middlewares/forwardauth.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/forwardauth.yaml
@@ -4,7 +4,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 forwardAuth:
 address: {{ $middlewareData.address }}
diff --git a/charts/enterprise/traefik/templates/middlewares/geoblock.yaml b/charts/enterprise/traefik/templates/middlewares/geoblock.yaml
index ad78037f3cd..2a647778e56 100644
--- a/charts/enterprise/traefik/templates/middlewares/geoblock.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/geoblock.yaml
@@ -4,7 +4,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 plugin:
 GeoBlock:
diff --git a/charts/enterprise/traefik/templates/middlewares/ipwhitelist.yaml b/charts/enterprise/traefik/templates/middlewares/ipwhitelist.yaml
index fcb7de882a7..fc876aca5fe 100644
--- a/charts/enterprise/traefik/templates/middlewares/ipwhitelist.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/ipwhitelist.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 ipWhiteList:
 sourceRange:
diff --git a/charts/enterprise/traefik/templates/middlewares/modsecurity.yaml b/charts/enterprise/traefik/templates/middlewares/modsecurity.yaml
new file mode 100644
index 00000000000..07a8d5d358f
--- /dev/null
+++ b/charts/enterprise/traefik/templates/middlewares/modsecurity.yaml
@@ -0,0 +1,14 @@
+{{- range $index, $middlewareData := .Values.middlewares.modsecurity }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ traefik-modsecurity-plugin:
+ modSecurityUrl: {{ $middlewareData.modSecurityUrl }}
+ timeoutMillis: {{ $middlewareData.timeoutMillis }}
+ maxBodySize: {{ $middlewareData.maxBodySize }}
+{{- end -}}
diff --git a/charts/enterprise/traefik/templates/middlewares/ratelimit.yaml b/charts/enterprise/traefik/templates/middlewares/ratelimit.yaml
index d1ded79a7d7..cd9117633f6 100644
--- a/charts/enterprise/traefik/templates/middlewares/ratelimit.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/ratelimit.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 rateLimit:
 average: {{ $middlewareData.average }}
diff --git a/charts/enterprise/traefik/templates/middlewares/real-ip.yaml b/charts/enterprise/traefik/templates/middlewares/real-ip.yaml
index a0383c239c5..2877d9ce7f7 100644
--- a/charts/enterprise/traefik/templates/middlewares/real-ip.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/real-ip.yaml
@@ -4,7 +4,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 plugin:
 traefik-real-ip:
diff --git a/charts/enterprise/traefik/templates/middlewares/redirectScheme.yaml b/charts/enterprise/traefik/templates/middlewares/redirectScheme.yaml
index 21f45fa1ab4..09f3093998a 100644
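Review bot: `modSecurityUrl: {{ $middlewareData.modSecurityUrl }}` in the new modsecurity.yaml is rendered unquoted, so a user-supplied URL containing `: `, ` #` or other YAML-special characters can change the parse or break the manifest; redirectregex.yaml in this same patch already uses `| quote` for a free-form string, and `modSecurityUrl: {{ $middlewareData.modSecurityUrl | quote }}` would match it. The Middleware names the plugin `traefik-modsecurity-plugin`, but nothing in this patch declares that plugin in Traefik's static configuration (`experimental.plugins`); if that is handled elsewhere in values.yaml this is fine, otherwise Traefik will reject the Middleware at load time. The template also does not tell an operator whether a timeout or an unreachable ModSecurity endpoint fails open or closed — that is decided by the plugin — so a short comment above `spec:` recording the plugin's behaviour would help judge the risk of a wrong `modSecurityUrl` or `timeoutMillis`.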
--- a/charts/enterprise/traefik/templates/middlewares/redirectScheme.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/redirectScheme.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 redirectScheme:
 scheme: {{ $middlewareData.scheme }}
diff --git a/charts/enterprise/traefik/templates/middlewares/redirectregex.yaml b/charts/enterprise/traefik/templates/middlewares/redirectregex.yaml
index ea6a64029a5..30f44f9081b 100644
--- a/charts/enterprise/traefik/templates/middlewares/redirectregex.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/redirectregex.yaml
@@ -5,7 +5,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 redirectRegex:
 regex: {{ $middlewareData.regex | quote }}
diff --git a/charts/enterprise/traefik/templates/middlewares/stripPrefixRegex.yaml b/charts/enterprise/traefik/templates/middlewares/stripPrefixRegex.yaml
index 170f55df4e2..6fd4c8c9970 100644
--- a/charts/enterprise/traefik/templates/middlewares/stripPrefixRegex.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/stripPrefixRegex.yaml
@@ -4,7 +4,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 stripPrefixRegex:
 regex:
diff --git a/charts/enterprise/traefik/templates/middlewares/tc-chains.yaml b/charts/enterprise/traefik/templates/middlewares/tc-chains.yaml
index 2548dc91521..5566d77c146 100644
--- a/charts/enterprise/traefik/templates/middlewares/tc-chains.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/tc-chains.yaml
@@ -3,7 +3,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-opencors-chain") "tc-opencors-chain" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 chain:
 middlewares:
@@ -15,7 +15,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-closedcors-chain") "tc-closedcors-chain" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 chain:
 middlewares:
diff --git a/charts/enterprise/traefik/templates/middlewares/tc-headers.yaml b/charts/enterprise/traefik/templates/middlewares/tc-headers.yaml
index 437f49147e0..b0500afc708 100644
--- a/charts/enterprise/traefik/templates/middlewares/tc-headers.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/tc-headers.yaml
@@ -3,7 +3,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-opencors-headers") "tc-opencors-headers" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 accessControlAllowHeaders:
@@ -33,7 +33,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-closedcors-headers") "tc-closedcors-headers" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 headers:
 accessControlAllowMethods:
diff --git a/charts/enterprise/traefik/templates/middlewares/tc-nextcloud.yaml b/charts/enterprise/traefik/templates/middlewares/tc-nextcloud.yaml
index 13547ff5166..fcb09becb98 100644
--- a/charts/enterprise/traefik/templates/middlewares/tc-nextcloud.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/tc-nextcloud.yaml
@@ -3,7 +3,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-nextcloud-redirectregex-dav") "tc-nextcloud-redirectregex-dav" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 redirectRegex:
 regex: "https://(.*)/.well-known/(card|cal)dav"
@@ -13,7 +13,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name "tc-nextcloud-chain") "tc-nextcloud-chain" $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 chain:
 middlewares:
diff --git a/charts/enterprise/traefik/templates/middlewares/theme-park.yaml b/charts/enterprise/traefik/templates/middlewares/theme-park.yaml
index 103d53c314a..16abf2e2f34 100644
--- a/charts/enterprise/traefik/templates/middlewares/theme-park.yaml
+++ b/charts/enterprise/traefik/templates/middlewares/theme-park.yaml
@@ -4,7 +4,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
 name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
- namespace: tc-system
+ namespace: {{ $.Release.Namespace }}
 spec:
 plugin:
 traefik-themepark:
diff --git a/charts/enterprise/traefik/values.yaml b/charts/enterprise/traefik/values.yaml
index e60e9f75a86..c0e11042844 100644
--- a/charts/enterprise/traefik/values.yaml
+++ b/charts/enterprise/traefik/values.yaml
@@ -48,6 +48,9 @@ workload:
 podOptions:
 automountServiceAccountToken: true
+operator:
+ register: true
+
 # -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
 ingressClass:
 # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
@@ -421,6 +424,14 @@ middlewares:
 # blackListMode: false
 # countries:
 # - RU
+ modsecurity: []
+ # - name: modsecurityName
+ # modSecurityUrl: modSecurity container URL
+ # timeoutMillis: Configurated timeout
+ # maxBodySize: maxBodySize
+ ## Note: body of every request will be buffered in memory while the request is in-flight
+ ## (i.e.: during the security check and during the request processing by traefik and the backend),
+ ## so you may want to tune maxBodySize depending on how much RAM you have.
 portalhook:
 enabled: true
diff --git a/templates/questions/traefik/modsecurityMiddleware.yaml b/templates/questions/traefik/modsecurityMiddleware.yaml
new file mode 100644
index 00000000000..e87a51f0b1e
--- /dev/null
+++ b/templates/questions/traefik/modsecurityMiddleware.yaml
@@ -0,0 +1,41 @@
+ - variable: modsecurity
+ label: modsecurity
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: modsecurityEntry
+ label: ""
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: name
+ label: Name
+ description: This is a 3rd party plugin and not maintained by TrueCharts,
+ for more information go to traefik-modsecurity-plugin
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: modSecurityUrl
+ label: ModSecurity Url
+ description: It's the URL for the owasp/modsecurity container.
+ schema:
+ type: string
+ required: true
+ default: "https://someurl"
+ - variable: timeoutMillis
+ label: timeout Millis
+ description: timeout in milliseconds for the http client to talk with modsecurity container. (
+ schema:
+ type: int
+ required: true
+ default: 2
+ - variable: maxBodySize
+ label: maxBody Size
+ description: it's the maximum limit for requests body size. Requests exceeding this value will be rejected using HTTP 413 Request Entity Too Large. Zero means "use default value".
+ schema:
+ type: int
+ required: true
+ default: 0
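Review bot: In the new modsecurityMiddleware.yaml, `default: "https://someurl"` on `modSecurityUrl` satisfies `required: true` with a placeholder, so a user who leaves the field untouched gets a Middleware pointed at a host that does not exist; `default: ""` lets the required check do its job. `default: 2` on `timeoutMillis` is two milliseconds, which looks too small for a round trip to the ModSecurity container — if the author meant two seconds, `default: 2000`; whichever is intended, the description should say what happens to a request when the timeout fires. The `timeoutMillis` description ends with a stray `(`, and the `name` description is split over two lines as a plain scalar, which only folds correctly if the continuation is indented deeper than the key — `description: >-` with both lines beneath it makes the folding explicit and survives reformatting.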