Commit
fix(certificateResolvers)!: 💥 🐛 use same syntax in Chart and in Traefik
mloiseleur authored Oct 16, 2024
1 parent ac83953 commit 016822d
Showing 9 changed files with 100 additions and 36 deletions.
27 changes: 16 additions & 11 deletions EXAMPLES.md
Expand Up @@ -331,14 +331,15 @@ Here is a more complete example, using also native Let's encrypt feature of Trae
persistence:
enabled: true
size: 128Mi
certResolvers:
certificatesResolvers:
letsencrypt:
email: "{{ letsencrypt_email }}"
#caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
dnsChallenge:
provider: azuredns
storage: /data/acme.json
acme:
email: "{{ letsencrypt_email }}"
#caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
dnsChallenge:
provider: azuredns
storage: /data/acme.json
env:
- name: AZURE_CLIENT_ID
value: "{{ azure_dns_challenge_application_id }}"
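Review bot: the moved block now mirrors Traefik's own static-configuration layout (every ACME option one level down under `acme:`), but the example still depends on the `persistence:` block directly above it for `storage: /data/acme.json`; a short comment next to `storage:` saying that acme.json holds the ACME account key and the issued private keys, and therefore needs the same access controls as a Secret, would help readers who copy only the resolver part of this example.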
Expand Down Expand Up @@ -529,11 +530,12 @@ stringData:
persistence:
enabled: true
storageClass: xxx
certResolvers:
certificatesResolvers:
letsencrypt:
dnsChallenge:
provider: cloudflare
storage: /data/acme.json
acme:
dnsChallenge:
provider: cloudflare
storage: /data/acme.json
env:
- name: CF_DNS_API_TOKEN
valueFrom:
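Review bot: same migration as the first example, with `acme:` as the only new level; since `storageClass: xxx` is a placeholder, a comment that it must name a StorageClass that exists in the cluster would help, because a claim with an unknown class stays Pending, the pod cannot start, and nothing is ever written to `/data/acme.json`.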
Expand All @@ -553,6 +555,9 @@ podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
```

>[!NOTE]
> With [Traefik Hub](https://traefik.io/traefik-hub/), certificates can be stored as a `Secret` on Kubernetes with `distributedAcme` resolver.

# Provide default certificate with cert-manager and CloudFlare DNS

Setup:
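Review bot: the new `[!NOTE]` mentions the `distributedAcme` resolver without showing its syntax; `traefik/tests/pod-config_test.yaml` in this same commit adds a `distributedAcme` fixture (`storage: { kubernetes: true }`, `httpChallenge.entrypoint: web`), so the same snippet could be pasted here to show readers that, with certificates stored as a `Secret`, the `persistence:` block used by the two examples above is not needed.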
4 changes: 2 additions & 2 deletions traefik/VALUES.md
Expand Up @@ -32,7 +32,7 @@ Kubernetes: `>=1.22.0-0`
| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
| certResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
| certificatesResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
| commonLabels | object | `{}` | Add additional label to all resources |
| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
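Review bot: this row repeats the `# --` comment on `certificatesResolvers` in values.yaml word for word, so the table looks generated and the description should be edited at its source; as it stands it still says only "Certificates resolvers configuration" and does not tell the reader that the object is now rendered verbatim as `--certificatesresolvers.<path>=<value>` flags, which is exactly what makes this change breaking.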
Expand Down Expand Up @@ -191,7 +191,7 @@ Kubernetes: `>=1.22.0-0`
| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
| persistence.accessMode | string | `"ReadWriteOnce"` | |
| persistence.annotations | object | `{}` | |
| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ It can be used to store TLS certificates, see `storage` in certResolvers |
| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option |
| persistence.existingClaim | string | `""` | |
| persistence.name | string | `"data"` | |
| persistence.path | string | `"/data"` | |
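Review bot: the replaced description ties persistence to `certificatesResolvers.<name>.acme.storage`, which is right for the file-based `acme` resolver; it would be worth adding that a PersistentVolumeClaim is not needed for `distributedAcme` with `storage.kubernetes: true`, the case the new `[!NOTE]` in EXAMPLES.md and the new test fixture introduce.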
17 changes: 17 additions & 0 deletions traefik/templates/_helpers.tpl
Expand Up @@ -159,3 +159,20 @@ Cert: {{ $cert.Cert | b64enc }}
Key: {{ $cert.Key | b64enc }}
{{- end -}}
{{- end -}}

{{- define "traefik.yaml2CommandLineArgsRec" -}}
{{- $path := .path -}}
{{- range $key, $value := .content -}}
{{- if kindIs "map" $value }}
{{- include "traefik.yaml2CommandLineArgsRec" (dict "path" (printf "%s.%s" $path $key) "content" $value) -}}
{{- else }}
--{{ join "." (list $path $key)}}={{ join "," $value }}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "traefik.yaml2CommandLineArgs" -}}
{{- range ((regexSplit "\n" ((include "traefik.yaml2CommandLineArgsRec" (dict "path" .path "content" .content)) | trim) -1) | compact) -}}
{{ printf "- \"%s\"\n" . }}
{{- end -}}
{{- end -}}
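Review bot: in `traefik.yaml2CommandLineArgsRec` the leaf line `--{{ join "." (list $path $key)}}={{ join "," $value }}` is later wrapped by `printf "- \"%s\"\n"` in `traefik.yaml2CommandLineArgs`, so a value containing a double quote or a newline yields invalid YAML in the container args; emitting each line with `{{ . | quote }}` instead of a hand-written `"%s"` escapes such values correctly. Splitting the rendered text on `\n` and re-joining also means a newline inside a value silently becomes two separate arguments. Using `join ","` on scalars is fine: Sprig's `join` stringifies non-slice values, which is what the `tlsChallenge=true` assertion relies on.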
12 changes: 1 addition & 11 deletions traefik/templates/_podtemplate.tpl
Expand Up @@ -685,17 +685,7 @@
{{- end }}
{{- end }}
{{- end }}
{{- range $resolver, $config := $.Values.certResolvers }}
{{- range $option, $setting := $config }}
{{- if kindIs "map" $setting }}
{{- range $field, $value := $setting }}
- "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}.{{ $field }}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}"
{{- end }}
{{- else }}
- "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}={{ $setting }}"
{{- end }}
{{- end }}
{{- end }}
{{- include "traefik.yaml2CommandLineArgs" (dict "path" "certificatesresolvers" "content" $.Values.certificatesResolvers) | nindent 10 }}
{{- with .Values.additionalArguments }}
{{- range . }}
- {{ . | quote }}
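Review bot: the replacement drops the hard-coded `.acme.` segment, so the chart no longer decides which resolver type is used; that is the breaking part and is what the changelog entry referenced by the new requirements.yaml guard needs to spell out. A cosmetic point: the helper ends every rendered line with `\n`, so `nindent 10` leaves a whitespace-only line after the last argument, harmless to YAML but visible in `helm template` diffs.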
4 changes: 4 additions & 0 deletions traefik/templates/requirements.yaml
Expand Up @@ -5,6 +5,10 @@
{{- end }}
{{- end }}

{{- if .Values.certResolvers }}
{{- fail "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog." }}
{{- end }}

{{- if and .Values.hub.enabled (not (contains "traefik-hub" .Values.image.repository)) }}
{{- fail "ERROR: traefik-hub image is required when enabling Traefik Hub" -}}
{{- end }}
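Review bot: the guard fires only when `.Values.certResolvers` is non-empty, which is the right condition (an explicit `certResolvers: {}` is harmless), but its message sends users to a "v33.0.0 Changelog" while this commit touches no Chart.yaml or changelog file (the nine changed files are docs, templates, tests, the schema and values.yaml); either land the version bump together with this change or put the migration hint directly in the message, e.g. "rename to certificatesResolvers and nest ACME options under acme:".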
49 changes: 41 additions & 8 deletions traefik/tests/pod-config_test.yaml
Expand Up @@ -330,15 +330,16 @@ tests:
content: "--experimental.kubernetesgateway"
- it: should have the certificate resolver options applied
set:
certResolvers:
certificatesResolvers:
myAcmeResolver:
email: [email protected]
dnsChallenge:
provider: myProvider
resolvers:
- 1.1.1.1
- 8.8.8.8
tlsChallenge: true
acme:
email: [email protected]
dnsChallenge:
provider: myProvider
resolvers:
- 1.1.1.1
- 8.8.8.8
tlsChallenge: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
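Review bot: the fixture is migrated to the `acme:` layout but only the `tlsChallenge=true` assertion is visible in this region; the behaviour most worth pinning is the list case, `resolvers: [1.1.1.1, 8.8.8.8]` rendering as `...acme.dnsChallenge.resolvers=1.1.1.1,8.8.8.8`, because the new helper joins slices with `,` generically rather than per-field as the removed template did. A second fixture that omits `acme:` (the old layout) would also document that such input is now passed through unchanged as `--certificatesresolvers.myAcmeResolver.email=...` instead of being rejected by the chart.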
Expand All @@ -352,6 +353,38 @@ tests:
- contains:
path: spec.template.spec.containers[0].args
content: "--certificatesresolvers.myAcmeResolver.acme.tlsChallenge=true"

- it: should have the distributed acme resolver options applied
set:
certificatesResolvers:
my-resolver:
distributedAcme:
email: [email protected]
storage:
kubernetes: true
httpChallenge:
entrypoint: "web"
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--certificatesresolvers.my-resolver.distributedAcme.email=email@example.com"
- contains:
path: spec.template.spec.containers[0].args
content: "--certificatesresolvers.my-resolver.distributedAcme.storage.kubernetes=true"
- contains:
path: spec.template.spec.containers[0].args
content: "--certificatesresolvers.my-resolver.distributedAcme.httpChallenge.entrypoint=web"

- it: should have the tailscale resolver options applied
set:
certificatesResolvers:
my-resolver:
tailscale: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--certificatesresolvers.my-resolver.tailscale=true"

- it: should have prometheus annotations with specified values
set:
ports:
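Review bot: `httpChallenge.entrypoint: "web"` works because Traefik's CLI flags are case-insensitive, but the documented key is `entryPoint`; using the documented spelling in the fixture avoids teaching readers a variant that does not match the Traefik docs. The `my-resolver` name is a useful addition since it checks that hyphens pass through the `printf "%s.%s"` path untouched, and the `tailscale: true` case is the first test of a scalar directly under the resolver name.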
15 changes: 15 additions & 0 deletions traefik/tests/requirements-config_test.yaml
Expand Up @@ -87,3 +87,18 @@ tests:
asserts:
- failedTemplate:
errorMessage: "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced."
- it: should fail when trying to use certResolvers
set:
certResolvers:
myAcmeResolver:
email: [email protected]
dnsChallenge:
provider: myProvider
resolvers:
- 1.1.1.1
- 8.8.8.8
tlsChallenge: true
asserts:
- failedTemplate:
errorMessage: "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog."

2 changes: 1 addition & 1 deletion traefik/values.schema.json
Expand Up @@ -22,7 +22,7 @@
},
"type": "object"
},
"certResolvers": {
"certificatesResolvers": {
"properties": {},
"type": "object"
},
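Review bot: `"properties": {}` without `additionalProperties` means the schema accepts anything under `certificatesResolvers`, so a misplaced or misspelled `acme:` level is not caught by `helm lint`; that is consistent with the pass-through design, but whether a leftover `certResolvers` key is rejected by the schema depends on a top-level `additionalProperties: false` outside this hunk, which is why the explicit guard in requirements.yaml is the reliable check.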
6 changes: 3 additions & 3 deletions traefik/values.yaml
Expand Up @@ -774,8 +774,8 @@ autoscaling:

persistence:
# -- Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
# It can be used to store TLS certificates, see `storage` in certResolvers
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
# It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage` option
enabled: false
name: data
existingClaim: ""
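Review bot: minor wording in the rewritten comment: "along with `certificatesResolvers.<name>.acme.storage` option" reads better as "together with the `certificatesResolvers.<name>.acme.storage` option"; since this `# --` text is what VALUES.md reproduces, the fix belongs here.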
Expand All @@ -791,7 +791,7 @@ persistence:
# -- Certificates resolvers configuration.
# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
# See EXAMPLES.md for more details.
certResolvers: {}
certificatesResolvers: {}

# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
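Review bot: the `# --` comment above `certificatesResolvers: {}` is the place to state the new contract, i.e. that keys are rendered verbatim as `--certificatesresolvers.<path>=<value>` and that ACME options therefore go under `acme:` (or `distributedAcme:`), with a two-line example; the Ref link alone does not convey that the chart stopped inserting `.acme.` for the user. While here, the context line still has the pre-existing typo "unschedulabel".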
