From 7e349d4782b72c36220a1ec8dace803640e289e0 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij <45041769+jnoordsij@users.noreply.github.com> Date: Fri, 29 Mar 2024 15:22:04 +0100 Subject: [PATCH] feat!: :boom: refactor custom services and port exposure --- EXAMPLES.md | 55 ++++- Makefile | 2 +- traefik/Changelog.md | 23 ++ traefik/templates/_service-internal.tpl | 48 ---- traefik/templates/_service.tpl | 37 +++- traefik/templates/service-internal.yaml | 58 ----- traefik/templates/service-metrics.yaml | 2 +- traefik/templates/service.yaml | 50 +++-- traefik/tests/common-metadata_test.yaml | 1 - traefik/tests/ports-config_test.yaml | 21 +- traefik/tests/service-config-custom_test.yaml | 166 ++++++++++++++ .../tests/service-config-multiple_test.yaml | 18 +- traefik/tests/service-config_test.yaml | 53 ++++- .../tests/service-internal-config_test.yaml | 205 ------------------ traefik/values.yaml | 29 +-- 15 files changed, 377 insertions(+), 391 deletions(-) delete mode 100644 traefik/templates/_service-internal.tpl delete mode 100644 traefik/templates/service-internal.yaml create mode 100644 traefik/tests/service-config-custom_test.yaml delete mode 100644 traefik/tests/service-internal-config_test.yaml diff --git a/EXAMPLES.md b/EXAMPLES.md index 8f210ff7c..5800d9fab 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -99,7 +99,7 @@ extraObjects: To expose the dashboard without IngressRoute, it's more complicated and less secure. You'll need to create an internal Service exposing Traefik API with -special _traefik_ entrypoint. +special _traefik_ entrypoint. This internal Service can be created from an other tool, with the `extraObjects` section or using [custom services](#add-custom-internal-services). You'll need to double check: 1. Service selector with your setup. 
@@ -473,6 +473,59 @@ spec: port: 80 ``` +# Add custom (internal) services + +In some cases you might want to have more than one Traefik service within your cluster, +e.g. a default (external) one and a service that is only exposed internally to pods within your cluster. + +The `service.additionalServices` allows you to add an arbitrary amount of services, +provided as a name to service details mapping; for example you can use the following values: + +```yaml +service: + additionalServices: + internal: + type: ClusterIP + labels: + traefik-service-label: internal +``` + +Ports can then be exposed on this service by using the port name to boolean mapping `expose` on the respective port; +e.g. to expose the `traefik` API port on your internal service so pods within your cluster can use it, you can do: + +```yaml +ports: + traefik: + expose: + # Sensitive data should not be exposed on the internet + # => Keep this disabled ! + default: false + internal: true +``` + +This will then provide an additional Service manifest, looking like this: + +```yaml +--- +# Source: traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: traefik-internal + namespace: traefik +[...] +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik-traefik + ports: + - port: 9000 + name: "traefik" + targetPort: traefik + protocol: TCP +``` + # Use this Chart as a dependency of your own chart diff --git a/Makefile b/Makefile index 8ff3fd25b..6b77fb943 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ .PHONY: lint test -IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.13.1-0.3.5 +IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.14.2-0.4.2 IMAGE_CHART_TESTING=quay.io/helmpack/chart-testing:v3.10.1 IMAGE_HELM_DOCS=jnorwood/helm-docs:v1.13.1 diff --git a/traefik/Changelog.md b/traefik/Changelog.md index 4b5d8af36..76e514b7a 100644 --- a/traefik/Changelog.md +++ b/traefik/Changelog.md 
@@ -1,5 +1,28 @@ # Change Log +## 27.0.0 (unreleased) + +**Upgrade notes** + +Custom services and port exposure have been redesigned, requiring the following changes: +- if you were overriding port exposure behavior using the `expose` or `exposeInternal` flags, you should replace them with a service name to boolean mapping, i.e. replace this: +```yaml +ports: + web: + expose: false + exposeInternal: true +``` +with this: +```yaml +ports: + web: + expose: + default: false + internal: true +``` +- if you were previously using the `service.internal` value, +you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes! + ## 26.1.0 ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) **Release date:** 2024-02-16 diff --git a/traefik/templates/_service-internal.tpl b/traefik/templates/_service-internal.tpl deleted file mode 100644 index 2ddec02f7..000000000 --- a/traefik/templates/_service-internal.tpl +++ /dev/null 
@@ -1,48 +0,0 @@ -{{- define "traefik.service-internal-metadata" }} - labels: - {{- include "traefik.labels" . | nindent 4 -}} - {{- with .Values.service.internal.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} - -{{- define "traefik.service-internal-spec" -}} - {{- $type := default "ClusterIP" .Values.service.internal.type }} - type: {{ $type }} - {{- with .Values.service.internal.spec }} - {{- toYaml . | nindent 2 }} - {{- end }} - selector: - {{- include "traefik.labelselector" . | nindent 4 }} - {{- if eq $type "LoadBalancer" }} - {{- with .Values.service.internal.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 2 }} - {{- end -}} - {{- end -}} - {{- with .Values.service.internal.externalIPs }} - externalIPs: - {{- toYaml . | nindent 2 }} - {{- end -}} - {{- with .Values.service.internal.ipFamilyPolicy }} - ipFamilyPolicy: {{ . }} - {{- end }} - {{- with .Values.service.internal.ipFamilies }} - ipFamilies: - {{- toYaml . | nindent 2 }} - {{- end -}} -{{- end }} - -{{- define "traefik.service-internal-ports" }} - {{- range $name, $config := . }} - {{- if (or $config.expose $config.exposeInternal) }} - - port: {{ default $config.port $config.exposedPort }} - name: {{ $name | quote }} - targetPort: {{ default $name $config.targetPort }} - protocol: {{ default "TCP" $config.protocol }} - {{- if $config.nodePort }} - nodePort: {{ $config.nodePort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/traefik/templates/_service.tpl b/traefik/templates/_service.tpl index 825ce7fce..7d913ccd3 100644 --- a/traefik/templates/_service.tpl +++ b/traefik/templates/_service.tpl 
@@ -1,44 +1,57 @@ +{{- define "traefik.service-name" -}} +{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}} +{{- if eq .name "default" -}} +{{- $fullname = include "traefik.fullname" .root -}} +{{- end -}} + +{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60 + {{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}} +{{- end -}} + +{{- $fullname -}} +{{- end -}} + {{- define "traefik.service-metadata" }} labels: - {{- include "traefik.labels" . | nindent 4 -}} - {{- with .Values.service.labels }} + {{- include "traefik.labels" .root | nindent 4 -}} + {{- with .service.labels }} {{- toYaml . | nindent 4 }} {{- end }} {{- end }} {{- define "traefik.service-spec" -}} - {{- $type := default "LoadBalancer" .Values.service.type }} + {{- $type := default "LoadBalancer" .service.type }} type: {{ $type }} - {{- with .Values.service.loadBalancerClass }} + {{- with .service.loadBalancerClass }} loadBalancerClass: {{ . }} {{- end}} - {{- with .Values.service.spec }} + {{- with .service.spec }} {{- toYaml . | nindent 2 }} {{- end }} selector: - {{- include "traefik.labelselector" . | nindent 4 }} + {{- include "traefik.labelselector" .root | nindent 4 }} {{- if eq $type "LoadBalancer" }} - {{- with .Values.service.loadBalancerSourceRanges }} + {{- with .service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{- toYaml . | nindent 2 }} {{- end -}} {{- end -}} - {{- with .Values.service.externalIPs }} + {{- with .service.externalIPs }} externalIPs: {{- toYaml . | nindent 2 }} {{- end -}} - {{- with .Values.service.ipFamilyPolicy }} + {{- with .service.ipFamilyPolicy }} ipFamilyPolicy: {{ . }} {{- end }} - {{- with .Values.service.ipFamilies }} + {{- with .service.ipFamilies }} ipFamilies: {{- toYaml . | nindent 2 }} {{- end -}} {{- end }} {{- define "traefik.service-ports" }} - {{- range $name, $config := . 
}} - {{- if $config.expose }} + {{- range $name, $config := .ports }} + {{- if (index (default dict $config.expose) $.serviceName) }} - port: {{ default $config.port $config.exposedPort }} name: {{ $name | quote }} targetPort: {{ default $name $config.targetPort }} diff --git a/traefik/templates/service-internal.yaml b/traefik/templates/service-internal.yaml deleted file mode 100644 index 343674412..000000000 --- a/traefik/templates/service-internal.yaml +++ /dev/null 
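Review bot: Additional services now default to `type: LoadBalancer`, because `traefik.service-spec` applies `default "LoadBalancer" .service.type` to every entry of `service.additionalServices`, whereas the removed `traefik.service-internal-spec` used `default "ClusterIP"`. A user who follows the upgrade note and moves an untyped `service.internal` block to `service.additionalServices.internal` would get a LoadBalancer Service where the chart used to render a ClusterIP one. Depending on the cluster's load-balancer provider, that can put ports such as `traefik` on an externally reachable address. Consider passing the service name into the helper's dict and using `{{- $type := default (ternary "LoadBalancer" "ClusterIP" (eq .name "default")) .service.type }}`. At minimum, state the changed default in the Changelog upgrade notes and in the `additionalServices` comment in values.yaml.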
@@ -1,58 +0,0 @@ -{{- if .Values.service.internal -}} - -{{- $fullname := include "traefik.fullname" . }} -{{- if ge (len $fullname) 50 }} - {{- fail "ERROR: Cannot create an internal service when name contains more than 50 characters" }} -{{- end }} - -{{- $tcpPorts := dict -}} -{{- $udpPorts := dict -}} -{{- $exposedPorts := false -}} -{{- range $name, $config := .Values.ports -}} - {{- if eq (toString $config.protocol) "UDP" -}} - {{ $_ := set $udpPorts $name $config -}} - {{- end -}} - {{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}} - {{ $_ := set $tcpPorts $name $config -}} - {{- end -}} -{{- end -}} - -{{- if (or $tcpPorts .Values.service.single) }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullname}}-internal - namespace: {{ template "traefik.namespace" . }} - {{- template "traefik.service-internal-metadata" . }} - annotations: - {{- with .Values.service.internal.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- template "traefik.service-internal-spec" . }} - ports: - {{- template "traefik.service-internal-ports" $tcpPorts }} -{{- if .Values.service.single }} - {{- template "traefik.service-internal-ports" $udpPorts }} -{{- end }} -{{- end }} - -{{- if (and $udpPorts (not .Values.service.single)) }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullname }}-internal-udp - namespace: {{ template "traefik.namespace" . }} - {{- template "traefik.service-internal-metadata" . }} - annotations: - {{- with .Values.service.internal.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- template "traefik.service-internal-spec" . }} - ports: - {{- template "traefik.service-internal-ports" $udpPorts }} -{{- end }} - -{{- end -}} diff --git a/traefik/templates/service-metrics.yaml b/traefik/templates/service-metrics.yaml index 766090741..94c516e59 100644 --- a/traefik/templates/service-metrics.yaml +++ b/traefik/templates/service-metrics.yaml 
@@ -9,7 +9,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ $fullname }}-metrics + name: {{ template "traefik.service-name" (dict "root" . "name" "metrics") }} namespace: {{ template "traefik.namespace" . }} {{- template "traefik.metrics-service-metadata" . }} annotations: diff --git a/traefik/templates/service.yaml b/traefik/templates/service.yaml index 66483fa37..e74e81fc0 100644 --- a/traefik/templates/service.yaml +++ b/traefik/templates/service.yaml @@ -1,9 +1,15 @@ -{{- if .Values.service.enabled -}} +{{- $services := .Values.service.additionalServices -}} +{{- $services = set $services "default" (omit .Values.service "additionalServices") }} + +{{- range $name, $service := $services -}} +{{- if ne $service.enabled false -}} + +{{- $fullname := include "traefik.service-name" (dict "root" $ "name" $name) }} {{- $tcpPorts := dict -}} {{- $udpPorts := dict -}} {{- $exposedPorts := false -}} -{{- range $name, $config := .Values.ports -}} +{{- range $portName, $config := $.Values.ports -}} {{- if $config -}} {{- if $config.http3 -}} {{- if $config.http3.enabled -}} @@ -13,12 +19,12 @@ {{- end -}} {{- end -}} {{- if eq (toString $config.protocol) "UDP" -}} - {{ $_ := set $udpPorts $name $config -}} + {{ $_ := set $udpPorts $portName $config -}} {{- end -}} {{- if eq (toString (default "TCP" $config.protocol)) "TCP" -}} - {{ $_ := set $tcpPorts $name $config -}} + {{ $_ := set $tcpPorts $portName $config -}} {{- end -}} - {{- if (eq $config.expose true) -}} + {{- if (index (default dict $config.expose) $name) -}} {{- $exposedPorts = true -}} {{- end -}} {{- end -}} 
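Review bot: `set $services "default" …` at the top of the template writes into `.Values.service.additionalServices` itself, since `set` mutates the dict it is given. That leaves a `default` key in the shared values for any template rendered afterwards, silently replaces a user-defined additional service called `default`, and presumably fails when `additionalServices` is set to null. Building the map on a copy avoids all three: `{{- $services := set (deepCopy (default dict .Values.service.additionalServices)) "default" (omit .Values.service "additionalServices") -}}`. A `fail` when the user supplies a `default` key would also make the reserved name explicit.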
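Review bot: `index (default dict $config.expose) $name` assumes `expose` is a map, so values files that still carry the old boolean behave unevenly. `expose: false` is silently accepted, while `expose: true` presumably aborts rendering with a generic `index` error that does not mention the migration. A guard before the lookup would give upgraders a clear message, e.g. `{{- if and $config.expose (not (kindIs "map" $config.expose)) }}{{- fail (printf "ports.%s.expose must be a mapping of service name to boolean, see the 27.0.0 upgrade notes" $portName) }}{{- end }}`. The same lookup appears in `traefik.service-ports` in `_service.tpl`. The enclosing `range` over `$.Values.ports` starts and ends outside this hunk.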
@@ -28,42 +34,44 @@ {{- fail "You need to expose at least one port or set enabled=false to service" -}} {{- end -}} -{{- if and $exposedPorts (or $tcpPorts .Values.service.single) }} +{{- if and $exposedPorts (or $tcpPorts $service.single) }} +--- apiVersion: v1 kind: Service metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} - {{- template "traefik.service-metadata" . }} + name: {{ $fullname }} + namespace: {{ template "traefik.namespace" $ }} + {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }} annotations: - {{- with (merge dict .Values.service.annotationsTCP .Values.service.annotations) }} + {{- with (merge dict (default dict $service.annotationsTCP) (default dict $service.annotations)) }} {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- template "traefik.service-spec" . }} + {{- template "traefik.service-spec" (dict "root" $ "service" $service) }} ports: - {{- template "traefik.service-ports" $tcpPorts }} -{{- if .Values.service.single }} - {{- template "traefik.service-ports" $udpPorts }} + {{- template "traefik.service-ports" (dict "ports" $tcpPorts "serviceName" $name) }} +{{- if $service.single }} + {{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }} {{- end }} {{- end }} -{{- if and $exposedPorts (and $udpPorts (not .Values.service.single)) }} +{{- if and $exposedPorts (and $udpPorts (not $service.single)) }} --- apiVersion: v1 kind: Service metadata: - name: {{ template "traefik.fullname" . }}-udp - namespace: {{ template "traefik.namespace" . }} - {{- template "traefik.service-metadata" . 
}} + name: {{ $fullname }}-udp + namespace: {{ template "traefik.namespace" $ }} + {{- template "traefik.service-metadata" (dict "root" $ "service" $service) }} annotations: - {{- with (merge dict .Values.service.annotationsUDP .Values.service.annotations) }} + {{- with (merge dict (default dict $service.annotationsUDP) (default dict $service.annotations)) }} {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- template "traefik.service-spec" . }} + {{- template "traefik.service-spec" (dict "root" $ "service" $service) }} ports: - {{- template "traefik.service-ports" $udpPorts }} + {{- template "traefik.service-ports" (dict "ports" $udpPorts "serviceName" $name) }} {{- end }} {{- end -}} +{{- end -}} diff --git a/traefik/tests/common-metadata_test.yaml b/traefik/tests/common-metadata_test.yaml index 246553f89..7e0c9c122 100644 --- a/traefik/tests/common-metadata_test.yaml +++ b/traefik/tests/common-metadata_test.yaml @@ -9,7 +9,6 @@ templates: - poddisruptionbudget.yaml - prometheusrules.yaml - pvc.yaml - - service-internal.yaml - servicemonitor.yaml - service.yaml - tlsoption.yaml diff --git a/traefik/tests/ports-config_test.yaml b/traefik/tests/ports-config_test.yaml index b3b751ef7..e80d481c9 100644 --- a/traefik/tests/ports-config_test.yaml +++ b/traefik/tests/ports-config_test.yaml @@ -70,7 +70,8 @@ tests: ports: ssh: port: 22 - expose: true + expose: + default: true asserts: - contains: path: spec.template.spec.containers[0].ports @@ -96,7 +97,8 @@ tests: ports: ssh: port: 22 - expose: true + expose: + default: true hostPort: 22 asserts: - contains: @@ -124,7 +126,8 @@ tests: ports: udp: port: 51 - expose: true + expose: + default: true protocol: UDP asserts: - contains: @@ -188,7 +191,8 @@ tests: ports: ssh: port: 2222 - expose: true + expose: + default: true containerPort: 22 asserts: - contains: @@ -215,7 +219,8 @@ tests: ports: web: port: 666 - expose: true + expose: + default: true containerPort: 666 asserts: - contains: 
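Review bot: The `fail "You need to expose at least one port or set enabled=false to service"` kept as context at the top of this hunk now runs once per entry of `$services`, but the message does not say which service tripped it. With several additional services the operator cannot tell whether the default or a custom service lacks an exposed port. Including the name would fix that, e.g. `{{- fail (printf "You need to expose at least one port or set enabled=false to service %q" $name) -}}`; the test expectations would need the same text. The condition guarding the `fail` sits outside the hunk.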
@@ -286,12 +291,14 @@ tests: port: 8443 tls: enabled: true - expose: true + expose: + default: true http-external: port: 8445 tls: enabled: true - expose: true + expose: + default: true asserts: - containsDocument: kind: Deployment diff --git a/traefik/tests/service-config-custom_test.yaml b/traefik/tests/service-config-custom_test.yaml new file mode 100644 index 000000000..0aa182495 --- /dev/null +++ b/traefik/tests/service-config-custom_test.yaml 
@@ -0,0 +1,166 @@ +suite: Custom Service configuration +templates: + - service.yaml +set: + ports: + web: + expose: + internal: true + service: + additionalServices: + internal: {} +tests: + - it: should be possible to configure only a custom Service + set: + service: + enabled: false + asserts: + - hasDocuments: + count: 1 + - it: should be possible to configure a custom LoadBalancer Service + set: + service: + additionalServices: + internal: + type: LoadBalancer + asserts: + - equal: + path: spec.type + value: LoadBalancer + documentIndex: 1 + - it: should fail when the name is too long + release: + name: yesthisnameiscontainingwaymorethan50charactersinit + set: + service: + internal: + type: ClusterIP + asserts: + - failedTemplate: + errorMessage: "ERROR: Cannot create a service whose full name contains more than 60 characters" + - it: should fail when no ports are exposed + set: + ports: + web: + expose: + internal: false + asserts: + - failedTemplate: + errorMessage: "You need to expose at least one port or set enabled=false to service" + - it: should have customized annotations when specified via values + set: + service: + additionalServices: + internal: + annotations: + azure-load-balancer-internal: true + asserts: + - equal: + path: metadata.annotations.azure-load-balancer-internal + value: true + documentIndex: 1 + - it: should have customized labels when specified via values + set: + service: + additionalServices: + internal: + labels: + custom-label: custom-value + asserts: + - equal: + path: metadata.labels.custom-label + value: custom-value + documentIndex: 1 + - it: should have custom spec elements when specified via values + set: + service: + additionalServices: + internal: + spec: + externalTrafficPolicy: Cluster + loadBalancerIP: "1.2.3.4" + clusterIP: "2.3.4.5" + loadBalancerSourceRanges: + - 192.168.0.1/32 + - 172.16.0.0/16 + externalIPs: + - "1.2.3.4" + asserts: + - equal: + path: spec.ports[0].name + value: web + documentIndex: 1 + - equal: + 
path: spec.ports[0].protocol + value: TCP + documentIndex: 1 + - equal: + path: spec.externalTrafficPolicy + value: Cluster + documentIndex: 1 + - equal: + path: spec.loadBalancerIP + value: "1.2.3.4" + documentIndex: 1 + - equal: + path: spec.clusterIP + value: "2.3.4.5" + documentIndex: 1 + - equal: + path: spec.loadBalancerSourceRanges[0] + value: 192.168.0.1/32 + documentIndex: 1 + - equal: + path: spec.loadBalancerSourceRanges[1] + value: 172.16.0.0/16 + documentIndex: 1 + - equal: + path: spec.externalIPs[0] + value: "1.2.3.4" + documentIndex: 1 + - it: should use helm managed namespace as default behavior + asserts: + - equal: + path: metadata.namespace + value: NAMESPACE + documentIndex: 1 + - it: should accept overridden namespace + set: + namespaceOverride: "traefik-ns-override" + asserts: + - equal: + path: metadata.namespace + value: "traefik-ns-override" + documentIndex: 1 + - it: should expose ports that are marked exposed for the service only + set: + ports: + internal: + expose: + default: false + internal: true + port: 3000 + protocol: TCP + hidden: + expose: + default: true + internal: false + port: 3001 + protocol: TCP + asserts: + - contains: + path: spec.ports + content: + name: internal + port: 3000 + protocol: TCP + targetPort: internal + documentIndex: 1 + - notContains: + path: spec.ports + content: + name: hidden + port: 3001 + protocol: TCP + targetPort: hidden + documentIndex: 1 diff --git a/traefik/tests/service-config-multiple_test.yaml b/traefik/tests/service-config-multiple_test.yaml index 30860fe9f..8e912ba47 100644 --- a/traefik/tests/service-config-multiple_test.yaml +++ b/traefik/tests/service-config-multiple_test.yaml @@ -11,7 +11,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP asserts: @@ -31,7 +32,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP asserts: 
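Review bot: The case `should fail when the name is too long` still sets `service.internal.type`, a key the templates in this commit no longer read, so it passes only because of the suite-level `additionalServices.internal: {}`. It should set `service.additionalServices.internal.type` instead. The suite also has no assertion on the `spec.type` of an additional service declared without a `type`, which is the value that decides whether a service intended as internal is rendered as ClusterIP or LoadBalancer. A case asserting `spec.type` at `documentIndex: 1` with no `type` set would pin that default.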
@@ -55,7 +57,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP asserts: @@ -82,7 +85,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP asserts: @@ -108,7 +112,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP asserts: @@ -130,7 +135,8 @@ tests: ports: udp: port: 3000 - expose: true + expose: + default: true exposedPort: 80 protocol: UDP documentIndex: 1 diff --git a/traefik/tests/service-config_test.yaml b/traefik/tests/service-config_test.yaml index 808954609..e7e2728d8 100644 --- a/traefik/tests/service-config_test.yaml +++ b/traefik/tests/service-config_test.yaml @@ -2,6 +2,29 @@ suite: Service configuration templates: - service.yaml tests: + - it: should provide a single service by default + asserts: + - hasDocuments: + count: 1 + - it: should be possible to disable default service + set: + service: + enabled: false + asserts: + - hasDocuments: + count: 0 + - it: should fail when no ports are exposed + set: + ports: + web: + expose: + default: false + websecure: + expose: + default: false + asserts: + - failedTemplate: + errorMessage: "You need to expose at least one port or set enabled=false to service" - it: should be a type LoadBalancer by default asserts: - equal: @@ -87,12 +110,15 @@ tests: set: ports: web: - expose: false + expose: + default: false websecure: - expose: false + expose: + default: false tcp: port: 3000 - expose: true + expose: + default: true exposedPort: 8080 protocol: TCP documentIndex: 0 @@ -110,12 +136,15 @@ tests: set: ports: web: - expose: false + expose: + default: false websecure: - expose: false + expose: + default: false udp: port: 3000 - expose: true + expose: + default: true exposedPort: 8080 protocol: UDP documentIndex: 0 
@@ -248,9 +277,11 @@ tests: set: ports: web: - expose: false + expose: + default: false websecure: - expose: false + expose: + default: false asserts: - failedTemplate: errorMessage: "You need to expose at least one port or set enabled=false to service" @@ -314,12 +345,14 @@ tests: web: port: 8080 exposedPort: 80 - expose: true + expose: + default: true targetPort: 80 websecure: port: 443 exposedPort: 443 - expose: true + expose: + default: true targetPort: 80 documentIndex: 0 asserts: diff --git a/traefik/tests/service-internal-config_test.yaml b/traefik/tests/service-internal-config_test.yaml deleted file mode 100644 index 36084ec5c..000000000 --- a/traefik/tests/service-internal-config_test.yaml +++ /dev/null 
@@ -1,205 +0,0 @@ -suite: Internal Service configuration -templates: - - service-internal.yaml -tests: - - it: should not provide an internal service by default - asserts: - - hasDocuments: - count: 0 - - it: should be possible to configure an internal LoadBalancer Service - set: - service: - internal: - type: LoadBalancer - asserts: - - equal: - path: spec.type - value: LoadBalancer - - it: should be possible to configure only an internal Service - set: - service: - enabled: false - internal: - type: LoadBalancer - asserts: - - equal: - path: spec.type - value: LoadBalancer - - it: should fail when the name is too long - release: - name: yesthisnameiscontainingwaymorethan50charactersinit - set: - service: - internal: - type: ClusterIP - asserts: - - failedTemplate: - errorMessage: "ERROR: Cannot create an internal service when name contains more than 50 characters" - - it: should have internal customized annotations when specified via values - set: - service: - internal: - annotations: - azure-load-balancer-internal: true - asserts: - - equal: - path: metadata.annotations.azure-load-balancer-internal - value: true - - it: should have customized labels when specified via values - set: - service: - internal: - labels: - custom-label: custom-value - asserts: - - equal: - path: metadata.labels.custom-label - value: custom-value - - it: should have custom spec elements when specified via values - set: - service: - internal: - enabled: true - spec: - externalTrafficPolicy: Cluster - loadBalancerIP: "1.2.3.4" - clusterIP: "2.3.4.5" - loadBalancerSourceRanges: - - 192.168.0.1/32 - - 172.16.0.0/16 - externalIPs: - - "1.2.3.4" - asserts: - - equal: - path: spec.ports[0].name - value: web - - equal: - path: spec.ports[0].protocol - value: TCP - - equal: - path: spec.externalTrafficPolicy - value: Cluster - - equal: - path: spec.loadBalancerIP - value: "1.2.3.4" - - equal: - path: spec.clusterIP - value: "2.3.4.5" - - equal: - path: spec.loadBalancerSourceRanges[0] - value: 
192.168.0.1/32 - - equal: - path: spec.loadBalancerSourceRanges[1] - value: 172.16.0.0/16 - - equal: - path: spec.externalIPs[0] - value: "1.2.3.4" - - it: should use helm managed namespace as default behavior UDP - set: - service: - internal: - enabled: true - spec: - externalTrafficPolicy: Cluster - loadBalancerIP: "1.2.3.4" - clusterIP: "2.3.4.5" - loadBalancerSourceRanges: - - 192.168.0.1/32 - - 172.16.0.0/16 - externalIPs: - - "1.2.3.4" - ports: - udp: - port: 3000 - protocol: UDP - asserts: - - equal: - path: metadata.namespace - value: NAMESPACE - - it: should use helm managed namespace as default behavior TCP - set: - service: - internal: - enabled: true - spec: - externalTrafficPolicy: Cluster - loadBalancerIP: "1.2.3.4" - clusterIP: "2.3.4.5" - loadBalancerSourceRanges: - - 192.168.0.1/32 - - 172.16.0.0/16 - externalIPs: - - "1.2.3.4" - ports: - tcp: - port: 3000 - protocol: TCP - asserts: - - equal: - path: metadata.namespace - value: NAMESPACE - - it: should accept overridden namespace UDP - set: - namespaceOverride: "traefik-ns-override" - service: - internal: - enabled: true - spec: - externalTrafficPolicy: Cluster - loadBalancerIP: "1.2.3.4" - clusterIP: "2.3.4.5" - loadBalancerSourceRanges: - - 192.168.0.1/32 - - 172.16.0.0/16 - externalIPs: - - "1.2.3.4" - ports: - udp: - port: 3000 - protocol: UDP - asserts: - - equal: - path: metadata.namespace - value: "traefik-ns-override" - - it: should accept overridden namespace TCP - set: - namespaceOverride: "traefik-ns-override" - service: - internal: - enabled: true - spec: - externalTrafficPolicy: Cluster - loadBalancerIP: "1.2.3.4" - clusterIP: "2.3.4.5" - loadBalancerSourceRanges: - - 192.168.0.1/32 - - 172.16.0.0/16 - externalIPs: - - "1.2.3.4" - ports: - tcp: - port: 3000 - protocol: TCP - asserts: - - equal: - path: metadata.namespace - value: "traefik-ns-override" - - it: should expose ports that are exposed internally only - set: - service: - internal: - enabled: true - ports: - internal: - 
expose: false - exposeInternal: true - port: 3000 - protocol: TCP - asserts: - - contains: - path: spec.ports - content: - name: internal - port: 3000 - protocol: TCP - targetPort: internal diff --git a/traefik/values.yaml b/traefik/values.yaml index f2ac54b73..327fe4a96 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -629,22 +629,20 @@ ports: # -- You SHOULD NOT expose the traefik port on production deployments. # If you want to access it from outside your cluster, # use `kubectl port-forward` or create a secure ingress - expose: false + expose: + default: false # -- The exposed port for this service exposedPort: 9000 # -- The port protocol (TCP/UDP) protocol: TCP - # -- Defines whether the port is exposed on the internal service; - # note that ports exposed on the default service are exposed on the internal - # service by default as well. - exposeInternal: false web: ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. # asDefault: true port: 8000 # hostPort: 8000 # containerPort: 8000 - expose: true + expose: + default: true exposedPort: 80 ## -- Different target traefik port on the cluster, useful for IP type LB # targetPort: 80 @@ -653,10 +651,6 @@ ports: # -- Use nodeport if set. This is useful if you have configured Traefik in a # LoadBalancer. # nodePort: 32080 - # -- Defines whether the port is exposed on the internal service; - # note that ports exposed on the default service are exposed on the internal - # service by default as well. - exposeInternal: false # Port Redirections # Added in 2.2, you can make permanent redirects via entrypoints. # https://docs.traefik.io/routing/entrypoints/#redirection 
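Review bot: The warning above `expose` on the `traefik` port ("You SHOULD NOT expose the traefik port on production deployments") was written for a single boolean and now sits over a per-service map in which only the `default` key is shown. It should say that every key under `expose` names a Service and that this port belongs only on Services not reachable from outside the cluster, for example `# Each key under expose is a service name (default or an entry of service.additionalServices); enable this port only on services that are not externally reachable.` The same applies to the `metrics` port comment in the later hunk at `@@ -747,15 +738,12 @@`. The `ports.traefik` mapping starts outside the hunk.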
@@ -680,17 +674,14 @@ ports: port: 8443 # hostPort: 8443 # containerPort: 8443 - expose: true + expose: + default: true exposedPort: 443 ## -- Different target traefik port on the cluster, useful for IP type LB # targetPort: 80 ## -- The port protocol (TCP/UDP) protocol: TCP # nodePort: 32443 - # -- Defines whether the port is exposed on the internal service; - # note that ports exposed on the default service are exposed on the internal - # service by default as well. - exposeInternal: false ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. # appProtocol: https # @@ -747,15 +738,12 @@ ports: # -- You may not want to expose the metrics port on production deployments. # If you want to access it from outside your cluster, # use `kubectl port-forward` or create a secure ingress - expose: false + expose: + default: false # -- The exposed port for this service exposedPort: 9100 # -- The port protocol (TCP/UDP) protocol: TCP - # -- Defines whether the port is exposed on the internal service; - # note that ports exposed on the default service are exposed on the internal - # service by default as well. - exposeInternal: false # -- TLS Options are created as TLSOption CRDs # https://doc.traefik.io/traefik/https/tls/#tls-options @@ -817,6 +805,7 @@ service: # - IPv4 # - IPv6 ## + additionalServices: {} ## -- An additional and optional internal Service. ## Same parameters as external Service # internal: