fix(certificateResolvers)!: 💥 🐛 use same syntax in Chart and in Traefik

Author: mloiseleur

EXAMPLES.md

@@ -331,14 +331,15 @@ Here is a more complete example, using also native Let's encrypt feature of Trae
 persistence:
   enabled: true
   size: 128Mi
-certResolvers:
+certificatesResolvers:
   letsencrypt:
-    email: "{{ letsencrypt_email }}"
-    #caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
-    caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
-    dnsChallenge:
-      provider: azuredns
-    storage: /data/acme.json
+    acme:
+      email: "{{ letsencrypt_email }}"
+      #caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
+      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
+      dnsChallenge:
+        provider: azuredns
+      storage: /data/acme.json
 env:
   - name: AZURE_CLIENT_ID
     value: "{{ azure_dns_challenge_application_id }}"
@@ -529,11 +530,12 @@ stringData:
 persistence:
   enabled: true
   storageClass: xxx
-certResolvers:
+certificatesResolvers:
   letsencrypt:
-    dnsChallenge:
-      provider: cloudflare
-    storage: /data/acme.json
+    acme:
+      dnsChallenge:
+        provider: cloudflare
+      storage: /data/acme.json
 env:
   - name: CF_DNS_API_TOKEN
     valueFrom:
@@ -553,6 +555,9 @@ podSecurityContext:
   fsGroupChangePolicy: "OnRootMismatch"
 ```
 
+>[!NOTE]
+> With [Traefik Hub](https://traefik.io/traefik-hub/), certificates can be stored as a `Secret` on Kubernetes with `distributedAcme` resolver.
+
 # Provide default certificate with cert-manager and CloudFlare DNS
 
 Setup:

traefik/VALUES.md

@@ -32,7 +32,7 @@ Kubernetes: `>=1.22.0-0`
 | additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
 | affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
 | autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
-| certResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
+| certificatesResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
 | commonLabels | object | `{}` | Add additional label to all resources |
 | core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
 | deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
@@ -191,7 +191,7 @@ Kubernetes: `>=1.22.0-0`
 | nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
 | persistence.accessMode | string | `"ReadWriteOnce"` |  |
 | persistence.annotations | object | `{}` |  |
-| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ It can be used to store TLS certificates, see `storage` in certResolvers |
+| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/. It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage`  option |
 | persistence.existingClaim | string | `""` |  |
 | persistence.name | string | `"data"` |  |
 | persistence.path | string | `"/data"` |  |

traefik/templates/_helpers.tpl

@@ -159,3 +159,20 @@ Cert: {{ $cert.Cert | b64enc }}
 Key: {{ $cert.Key | b64enc }}
 {{- end -}}
 {{- end -}}
+
+{{- define "traefik.yaml2CommandLineArgsRec" -}}
+    {{- $path := .path -}}
+    {{- range $key, $value := .content -}}
+        {{- if kindIs "map" $value }}
+            {{- include "traefik.yaml2CommandLineArgsRec" (dict "path" (printf "%s.%s" $path $key) "content" $value) -}}
+        {{- else }}
+--{{ join "." (list $path $key)}}={{ join "," $value }}
+        {{- end -}}
+    {{- end -}}
+{{- end -}}
+
+{{- define "traefik.yaml2CommandLineArgs" -}}
+    {{- range ((regexSplit "\n" ((include "traefik.yaml2CommandLineArgsRec" (dict "path" .path "content" .content)) | trim) -1) | compact) -}}
+      {{ printf "- \"%s\"\n" . }}
+    {{- end -}}
+{{- end -}}

traefik/templates/_podtemplate.tpl

@@ -685,17 +685,7 @@
               {{- end }}
             {{- end }}
           {{- end }}
-          {{- range $resolver, $config := $.Values.certResolvers }}
-          {{- range $option, $setting := $config }}
-          {{- if kindIs "map" $setting }}
-          {{- range $field, $value := $setting }}
-          - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}.{{ $field }}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}"
-          {{- end }}
-          {{- else }}
-          - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}={{ $setting }}"
-          {{- end }}
-          {{- end }}
-          {{- end }}
+          {{- include "traefik.yaml2CommandLineArgs" (dict "path" "certificatesresolvers" "content" $.Values.certificatesResolvers) | nindent 10 }}
           {{- with .Values.additionalArguments }}
           {{- range . }}
           - {{ . | quote }}

traefik/templates/requirements.yaml

@@ -5,6 +5,10 @@
   {{- end }}
 {{- end }}
 
+{{- if .Values.certResolvers }}
+  {{- fail "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog." }}
+{{- end }}
+
 {{- if and .Values.hub.enabled (not (contains "traefik-hub" .Values.image.repository)) }}
   {{- fail "ERROR: traefik-hub image is required when enabling Traefik Hub" -}}
 {{- end }}

traefik/tests/pod-config_test.yaml

@@ -330,15 +330,16 @@ tests:
           content: "--experimental.kubernetesgateway"
   - it: should have the certificate resolver options applied
     set:
-      certResolvers:
+      certificatesResolvers:
         myAcmeResolver:
-          email: [email protected]
-          dnsChallenge:
-            provider: myProvider
-            resolvers:
-              - 1.1.1.1
-              - 8.8.8.8
-          tlsChallenge: true
+          acme:
+            email: [email protected]
+            dnsChallenge:
+              provider: myProvider
+              resolvers:
+                - 1.1.1.1
+                - 8.8.8.8
+            tlsChallenge: true
     asserts:
       - contains:
           path: spec.template.spec.containers[0].args
@@ -352,6 +353,38 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--certificatesresolvers.myAcmeResolver.acme.tlsChallenge=true"
+
+  - it: should have the distributed acme resolver options applied
+    set:
+      certificatesResolvers:
+        my-resolver:
+          distributedAcme:
+            email: [email protected]
+            storage:
+              kubernetes: true
+            httpChallenge:
+              entrypoint: "web"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--certificatesresolvers.my-resolver.distributedAcme.email=email@example.com"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--certificatesresolvers.my-resolver.distributedAcme.storage.kubernetes=true"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--certificatesresolvers.my-resolver.distributedAcme.httpChallenge.entrypoint=web"
+
+  - it: should have the tailscale resolver options applied
+    set:
+      certificatesResolvers:
+        my-resolver:
+          tailscale: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--certificatesresolvers.my-resolver.tailscale=true"
+
   - it: should have prometheus annotations with specified values
     set:
       ports:

traefik/tests/requirements-config_test.yaml

@@ -87,3 +87,18 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced."
+  - it: should fail when trying to use certResolvers
+    set:
+      certResolvers:
+        myAcmeResolver:
+          email: [email protected]
+          dnsChallenge:
+            provider: myProvider
+            resolvers:
+              - 1.1.1.1
+              - 8.8.8.8
+          tlsChallenge: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "ERROR: certResolvers setting has been removed. See v33.0.0 Changelog."
+

traefik/values.schema.json

@@ -22,7 +22,7 @@
             },
             "type": "object"
         },
-        "certResolvers": {
+        "certificatesResolvers": {
             "properties": {},
             "type": "object"
         },

traefik/values.yaml

@@ -774,8 +774,8 @@ autoscaling:
 
 persistence:
   # -- Enable persistence using Persistent Volume Claims
-  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
-  # It can be used to store TLS certificates, see `storage` in certResolvers
+  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
+  # It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage`  option
   enabled: false
   name: data
   existingClaim: ""
@@ -791,7 +791,7 @@ persistence:
 # -- Certificates resolvers configuration.
 # Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
 # See EXAMPLES.md for more details.
-certResolvers: {}
+certificatesResolvers: {}
 
 # -- If hostNetwork is true, runs traefik in the host network namespace
 # To prevent unschedulabel pods due to port collisions, if hostNetwork=true