Fix ServersTransport reference from IngressRoute service definition

Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
This commit is contained in:
Romain 2021-09-16 15:12:13 +02:00 committed by GitHub
parent 6f8e8ea252
commit 76867e39ea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 323 additions and 66 deletions

View file

@ -337,7 +337,7 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
responseForwarding: responseForwarding:
flushInterval: 1ms flushInterval: 1ms
scheme: https scheme: https
serversTransport: transport serversTransport: transport # [10]
sticky: sticky:
cookie: cookie:
httpOnly: true httpOnly: true
@ -346,21 +346,21 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
sameSite: none sameSite: none
strategy: RoundRobin strategy: RoundRobin
weight: 10 weight: 10
tls: # [10] tls: # [11]
secretName: supersecret # [11] secretName: supersecret # [12]
options: # [12] options: # [13]
name: opt # [13] name: opt # [14]
namespace: default # [14] namespace: default # [15]
certResolver: foo # [15] certResolver: foo # [16]
domains: # [16] domains: # [17]
- main: example.net # [17] - main: example.net # [18]
sans: # [18] sans: # [19]
- a.example.net - a.example.net
- b.example.net - b.example.net
``` ```
| Ref | Attribute | Purpose | | Ref | Attribute | Purpose |
|------|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `entryPoints` | List of [entry points](../routers/index.md#entrypoints) names | | [1] | `entryPoints` | List of [entry points](../routers/index.md#entrypoints) names |
| [2] | `routes` | List of routes | | [2] | `routes` | List of routes |
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule) corresponding to an underlying router. | | [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule) corresponding to an underlying router. |
@ -370,15 +370,16 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
| [7] | `middlewares[n].namespace` | Defines the [Middleware](#kind-middleware) namespace | | [7] | `middlewares[n].namespace` | Defines the [Middleware](#kind-middleware) namespace |
| [8] | `routes[n].services` | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup) | | [8] | `routes[n].services` | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup) |
| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | | [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. |
| [10] | `tls` | Defines [TLS](../routers/index.md#tls) certificate configuration | | [10] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
| [11] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) | | [11] | `tls` | Defines [TLS](../routers/index.md#tls) certificate configuration |
| [12] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) | | [12] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
| [13] | `options.name` | Defines the [TLSOption](#kind-tlsoption) name | | [13] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
| [14] | `options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace | | [14] | `options.name` | Defines the [TLSOption](#kind-tlsoption) name |
| [15] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver) | | [15] | `options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
| [16] | `tls.domains` | List of [domains](../routers/index.md#domains) | | [16] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver) |
| [17] | `domains[n].main` | Defines the main domain name | | [17] | `tls.domains` | List of [domains](../routers/index.md#domains) |
| [18] | `domains[n].sans` | List of SANs (alternative domains) | | [18] | `domains[n].main` | Defines the main domain name |
| [19] | `domains[n].sans` | List of SANs (alternative domains) |
??? example "Declaring an IngressRoute" ??? example "Declaring an IngressRoute"
@ -1687,7 +1688,7 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
!!! info "ServersTransport Attributes" !!! info "ServersTransport Attributes"
```yaml tab="TLSStore" ```yaml tab="ServersTransport"
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport kind: ServersTransport
metadata: metadata:
@ -1763,6 +1764,16 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
serversTransport: mytransport serversTransport: mytransport
``` ```
#### ServersTransport reference
By default, the referenced ServersTransport CRD must be defined in the same [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace.
To reference a ServersTransport CRD from another namespace,
the value must be of form `namespace-name@kubernetescrd`,
and the [cross-namespace](../../../providers/kubernetes-crd/#allowcrossnamespace) option must be enabled.
If the ServersTransport CRD is defined in another provider the cross-provider format `name@provider` should be used.
## Further ## Further
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt. Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.

View file

@ -180,7 +180,7 @@
} }
], ],
"passHostHeader": true, "passHostHeader": true,
"serversTransport": "mytransport@kubernetescrd" "serversTransport": "default-mytransport@kubernetescrd"
}, },
"status": "enabled", "status": "enabled",
"usedBy": [ "usedBy": [

View file

@ -27,6 +27,14 @@ spec:
namespace: cross-ns namespace: cross-ns
kind: TraefikService kind: TraefikService
- match: Host(`bar.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: whoami-svc
namespace: cross-ns
port: 80
serversTransport: test
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService kind: TraefikService
@ -89,3 +97,13 @@ spec:
namespace: cross-ns namespace: cross-ns
percent: 20 percent: 20
port: 80 port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: test
namespace: foo
spec:
serverName: "test"

View file

@ -109,3 +109,39 @@ spec:
dialTimeout: 42 dialTimeout: 42
responseHeaderTimeout: 42s responseHeaderTimeout: 42s
idleConnTimeout: 42ms idleConnTimeout: 42ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: test
namespace: default
spec:
serverName: "test"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`foo.com`)
kind: Rule
services:
- name: external-svc-with-https
port: 443
serversTransport: test
- name: whoamitls
port: 443
serversTransport: default-test
- name: whoami3
port: 8443
serversTransport: foo-test@kubernetescrd

View file

@ -339,7 +339,8 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
} }
} }
conf.HTTP.ServersTransports[serversTransport.Name] = &dynamic.ServersTransport{ id := provider.Normalize(makeID(serversTransport.Namespace, serversTransport.Name))
conf.HTTP.ServersTransports[id] = &dynamic.ServersTransport{
ServerName: serversTransport.Spec.ServerName, ServerName: serversTransport.Spec.ServerName,
InsecureSkipVerify: serversTransport.Spec.InsecureSkipVerify, InsecureSkipVerify: serversTransport.Spec.InsecureSkipVerify,
RootCAs: rootCAs, RootCAs: rootCAs,

View file

@ -297,11 +297,34 @@ func (c configBuilder) buildServersLB(namespace string, svc v1alpha1.LoadBalance
lb.ResponseForwarding = conf.ResponseForwarding lb.ResponseForwarding = conf.ResponseForwarding
lb.Sticky = svc.Sticky lb.Sticky = svc.Sticky
lb.ServersTransport = svc.ServersTransport
lb.ServersTransport, err = c.makeServersTransportKey(namespace, svc.ServersTransport)
if err != nil {
return nil, err
}
return &dynamic.Service{LoadBalancer: lb}, nil return &dynamic.Service{LoadBalancer: lb}, nil
} }
func (c *configBuilder) makeServersTransportKey(parentNamespace string, serversTransportName string) (string, error) {
if serversTransportName == "" {
return "", nil
}
if !c.allowCrossNamespace && strings.HasSuffix(serversTransportName, providerNamespaceSeparator+providerName) {
// Since we are not able to know if another namespace is in the name (namespace-name@kubernetescrd),
// if the provider namespace kubernetescrd is used,
// we don't allow this format to avoid cross namespace references.
return "", fmt.Errorf("invalid reference to serversTransport %s: namespace-name@kubernetescrd format is not allowed when crossnamespace is disallowed", serversTransportName)
}
if strings.Contains(serversTransportName, providerNamespaceSeparator) {
return serversTransportName, nil
}
return provider.Normalize(makeID(parentNamespace, serversTransportName)), nil
}
func (c configBuilder) loadServers(parentNamespace string, svc v1alpha1.LoadBalancerSpec) ([]dynamic.Server, error) { func (c configBuilder) loadServers(parentNamespace string, svc v1alpha1.LoadBalancerSpec) ([]dynamic.Server, error) {
strategy := svc.Strategy strategy := svc.Strategy
if strategy == "" { if strategy == "" {

View file

@ -1334,6 +1334,7 @@ func TestLoadIngressRoutes(t *testing.T) {
ingressClass string ingressClass string
paths []string paths []string
expected *dynamic.Configuration expected *dynamic.Configuration
AllowCrossNamespace bool
}{ }{
{ {
desc: "Empty", desc: "Empty",
@ -1401,6 +1402,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
{ {
desc: "Simple Ingress Route with middleware", desc: "Simple Ingress Route with middleware",
AllowCrossNamespace: true,
paths: []string{"services.yml", "with_middleware.yml"}, paths: []string{"services.yml", "with_middleware.yml"},
expected: &dynamic.Configuration{ expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{ UDP: &dynamic.UDPConfiguration{
@ -1456,6 +1458,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
{ {
desc: "Simple Ingress Route with middleware crossprovider", desc: "Simple Ingress Route with middleware crossprovider",
AllowCrossNamespace: true,
paths: []string{"services.yml", "with_middleware_crossprovider.yml"}, paths: []string{"services.yml", "with_middleware_crossprovider.yml"},
expected: &dynamic.Configuration{ expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{ UDP: &dynamic.UDPConfiguration{
@ -2025,6 +2028,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
{ {
desc: "services lb, servers lb, and mirror service, all in a wrr with different namespaces", desc: "services lb, servers lb, and mirror service, all in a wrr with different namespaces",
AllowCrossNamespace: true,
paths: []string{"with_namespaces.yml"}, paths: []string{"with_namespaces.yml"},
expected: &dynamic.Configuration{ expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{ UDP: &dynamic.UDPConfiguration{
@ -3482,6 +3486,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
{ {
desc: "ServersTransport", desc: "ServersTransport",
AllowCrossNamespace: true,
paths: []string{"services.yml", "with_servers_transport.yml"}, paths: []string{"services.yml", "with_servers_transport.yml"},
expected: &dynamic.Configuration{ expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{ UDP: &dynamic.UDPConfiguration{
@ -3495,7 +3500,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
HTTP: &dynamic.HTTPConfiguration{ HTTP: &dynamic.HTTPConfiguration{
ServersTransports: map[string]*dynamic.ServersTransport{ ServersTransports: map[string]*dynamic.ServersTransport{
"test": { "foo-test": {
ServerName: "test", ServerName: "test",
InsecureSkipVerify: true, InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{"TESTROOTCAS0", "TESTROOTCAS1", "TESTROOTCAS2", "TESTROOTCAS3", "TESTROOTCAS5", "TESTALLCERTS"}, RootCAs: []tls.FileOrContent{"TESTROOTCAS0", "TESTROOTCAS1", "TESTROOTCAS2", "TESTROOTCAS3", "TESTROOTCAS5", "TESTALLCERTS"},
@ -3512,10 +3517,154 @@ func TestLoadIngressRoutes(t *testing.T) {
IdleConnTimeout: types.Duration(42 * time.Millisecond), IdleConnTimeout: types.Duration(42 * time.Millisecond),
}, },
}, },
"default-test": {
ServerName: "test",
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: types.Duration(30 * time.Second),
IdleConnTimeout: types.Duration(90 * time.Second),
},
},
},
Routers: map[string]*dynamic.Router{
"default-test-route-6f97418635c7e18853da": {
EntryPoints: []string{"foo"},
Service: "default-test-route-6f97418635c7e18853da",
Rule: "Host(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-external-svc-with-https-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://external.domain:443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-test",
},
},
"default-whoami3-8443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.7:8443",
},
{
URL: "http://10.10.0.8:8443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "foo-test@kubernetescrd",
},
},
"default-whoamitls-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://10.10.0.5:8443",
},
{
URL: "https://10.10.0.6:8443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-default-test",
},
},
"default-test-route-6f97418635c7e18853da": {
Weighted: &dynamic.WeightedRoundRobin{
Services: []dynamic.WRRService{
{
Name: "default-external-svc-with-https-443",
Weight: Int(1),
},
{
Name: "default-whoamitls-443",
Weight: Int(1),
},
{
Name: "default-whoami3-8443",
Weight: Int(1),
},
},
},
},
},
},
TLS: &dynamic.TLSConfiguration{},
},
},
{
desc: "ServersTransport without crossnamespace",
paths: []string{"services.yml", "with_servers_transport.yml"},
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
ServersTransports: map[string]*dynamic.ServersTransport{
"foo-test": {
ServerName: "test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{"TESTROOTCAS0", "TESTROOTCAS1", "TESTROOTCAS2", "TESTROOTCAS3", "TESTROOTCAS5", "TESTALLCERTS"},
Certificates: tls.Certificates{
{CertFile: "TESTCERT1", KeyFile: "TESTKEY1"},
{CertFile: "TESTCERT2", KeyFile: "TESTKEY2"},
{CertFile: "TESTCERT3", KeyFile: "TESTKEY3"},
},
MaxIdleConnsPerHost: 42,
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: types.Duration(42 * time.Second),
ResponseHeaderTimeout: types.Duration(42 * time.Second),
IdleConnTimeout: types.Duration(42 * time.Millisecond),
},
DisableHTTP2: true,
},
"default-test": {
ServerName: "test",
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: types.Duration(30 * time.Second),
IdleConnTimeout: types.Duration(90 * time.Second),
},
},
}, },
Routers: map[string]*dynamic.Router{}, Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{}, Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{}, Services: map[string]*dynamic.Service{
"default-external-svc-with-https-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://external.domain:443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-test",
},
},
"default-whoamitls-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://10.10.0.5:8443",
},
{
URL: "https://10.10.0.6:8443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-default-test",
},
},
},
}, },
TLS: &dynamic.TLSConfiguration{}, TLS: &dynamic.TLSConfiguration{},
}, },
@ -3531,7 +3680,7 @@ func TestLoadIngressRoutes(t *testing.T) {
return return
} }
p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true, AllowExternalNameServices: true} p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: test.AllowCrossNamespace, AllowExternalNameServices: true}
clientMock := newClientMock(test.paths...) clientMock := newClientMock(test.paths...)
conf := p.loadConfigurationFromCRD(context.Background(), clientMock) conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@ -4473,6 +4622,11 @@ func TestCrossNamespace(t *testing.T) {
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)", Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12, Priority: 12,
}, },
"default-cross-ns-route-1bc3efa892379bb93c6e": {
EntryPoints: []string{"foo"},
Service: "default-cross-ns-route-1bc3efa892379bb93c6e",
Rule: "Host(`bar.com`) && PathPrefix(`/foo`)",
},
}, },
Middlewares: map[string]*dynamic.Middleware{}, Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{ Services: map[string]*dynamic.Service{
@ -4502,6 +4656,20 @@ func TestCrossNamespace(t *testing.T) {
}, },
}, },
}, },
"default-cross-ns-route-1bc3efa892379bb93c6e": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
ServersTransport: "cross-ns-test",
},
},
"cross-ns-whoami-svc-80": { "cross-ns-whoami-svc-80": {
LoadBalancer: &dynamic.ServersLoadBalancer{ LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{ Servers: []dynamic.Server{