package crd import ( "context" "crypto/sha256" "errors" "fmt" "os" "reflect" "sort" "strconv" "strings" "time" "github.com/cenkalti/backoff/v3" "github.com/containous/traefik/v2/pkg/config/dynamic" "github.com/containous/traefik/v2/pkg/job" "github.com/containous/traefik/v2/pkg/log" "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1" "github.com/containous/traefik/v2/pkg/safe" "github.com/containous/traefik/v2/pkg/tls" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/labels" ) const ( annotationKubernetesIngressClass = "kubernetes.io/ingress.class" traefikDefaultIngressClass = "traefik" ) // Provider holds configurations of the provider. type Provider struct { Endpoint string `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"` Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"` CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"` DisablePassHostHeaders bool `description:"Kubernetes disable PassHost Headers." json:"disablePassHostHeaders,omitempty" toml:"disablePassHostHeaders,omitempty" yaml:"disablePassHostHeaders,omitempty" export:"true"` Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"` LabelSelector string `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"` IngressClass string `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"` lastConfiguration safe.Safe } func (p *Provider) newK8sClient(ctx context.Context, labelSelector string) (*clientWrapper, error) { labelSel, err := labels.Parse(labelSelector) if err != nil { return nil, fmt.Errorf("invalid label selector: %q", labelSelector) } log.FromContext(ctx).Infof("label selector is: %q", labelSel) withEndpoint := "" if p.Endpoint != "" { withEndpoint = fmt.Sprintf(" with endpoint %v", p.Endpoint) } var client *clientWrapper switch { case os.Getenv("KUBERNETES_SERVICE_HOST") != "" && os.Getenv("KUBERNETES_SERVICE_PORT") != "": log.FromContext(ctx).Infof("Creating in-cluster Provider client%s", withEndpoint) client, err = newInClusterClient(p.Endpoint) case os.Getenv("KUBECONFIG") != "": log.FromContext(ctx).Infof("Creating cluster-external Provider client from KUBECONFIG %s", os.Getenv("KUBECONFIG")) client, err = newExternalClusterClientFromFile(os.Getenv("KUBECONFIG")) default: log.FromContext(ctx).Infof("Creating cluster-external Provider client%s", withEndpoint) client, err = newExternalClusterClient(p.Endpoint, p.Token, p.CertAuthFilePath) } if err == nil { client.labelSelector = labelSel } return client, err } // Init the provider. func (p *Provider) Init() error { return nil } // Provide allows the k8s provider to provide configurations to traefik // using the given configuration channel. func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error { ctxLog := log.With(context.Background(), log.Str(log.ProviderName, "kubernetescrd")) logger := log.FromContext(ctxLog) logger.Debugf("Using label selector: %q", p.LabelSelector) k8sClient, err := p.newK8sClient(ctxLog, p.LabelSelector) if err != nil { return err } pool.Go(func(stop chan bool) { operation := func() error { stopWatch := make(chan struct{}, 1) defer close(stopWatch) eventsChan, err := k8sClient.WatchAll(p.Namespaces, stopWatch) if err != nil { logger.Errorf("Error watching kubernetes events: %v", err) timer := time.NewTimer(1 * time.Second) select { case <-timer.C: return err case <-stop: return nil } } for { select { case <-stop: return nil case event := <-eventsChan: conf := p.loadConfigurationFromCRD(ctxLog, k8sClient) if reflect.DeepEqual(p.lastConfiguration.Get(), conf) { logger.Debugf("Skipping Kubernetes event kind %T", event) } else { p.lastConfiguration.Set(conf) configurationChan <- dynamic.Message{ ProviderName: "kubernetescrd", Configuration: conf, } } } } } notify := func(err error, time time.Duration) { logger.Errorf("Provider connection error: %s; retrying in %s", err, time) } err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify) if err != nil { logger.Errorf("Cannot connect to Provider: %s", err) } }) return nil } func checkStringQuoteValidity(value string) error { _, err := strconv.Unquote(`"` + value + `"`) return err } func loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([]dynamic.TCPServer, error) { service, exists, err := client.GetService(namespace, svc.Name) if err != nil { return nil, err } if !exists { return nil, errors.New("service not found") } var portSpec *corev1.ServicePort for _, p := range service.Spec.Ports { if svc.Port == p.Port { portSpec = &p break } } if portSpec == nil { return nil, errors.New("service port not found") } var servers []dynamic.TCPServer if service.Spec.Type == corev1.ServiceTypeExternalName { servers = append(servers, dynamic.TCPServer{ Address: fmt.Sprintf("%s:%d", service.Spec.ExternalName, portSpec.Port), }) } else { endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, svc.Name) if endpointsErr != nil { return nil, endpointsErr } if !endpointsExists { return nil, errors.New("endpoints not found") } if len(endpoints.Subsets) == 0 { return nil, errors.New("subset not found") } var port int32 for _, subset := range endpoints.Subsets { for _, p := range subset.Ports { if portSpec.Name == p.Name { port = p.Port break } } if port == 0 { return nil, errors.New("cannot define a port") } for _, addr := range subset.Addresses { servers = append(servers, dynamic.TCPServer{ Address: fmt.Sprintf("%s:%d", addr.IP, port), }) } } } return servers, nil } func loadServers(client Client, namespace string, svc v1alpha1.Service) ([]dynamic.Server, error) { strategy := svc.Strategy if strategy == "" { strategy = "RoundRobin" } if strategy != "RoundRobin" { return nil, fmt.Errorf("load balancing strategy %v is not supported", strategy) } service, exists, err := client.GetService(namespace, svc.Name) if err != nil { return nil, err } if !exists { return nil, errors.New("service not found") } var portSpec *corev1.ServicePort for _, p := range service.Spec.Ports { if svc.Port == p.Port { portSpec = &p break } } if portSpec == nil { return nil, errors.New("service port not found") } var servers []dynamic.Server if service.Spec.Type == corev1.ServiceTypeExternalName { servers = append(servers, dynamic.Server{ URL: fmt.Sprintf("http://%s:%d", service.Spec.ExternalName, portSpec.Port), }) } else { endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, svc.Name) if endpointsErr != nil { return nil, endpointsErr } if !endpointsExists { return nil, errors.New("endpoints not found") } if len(endpoints.Subsets) == 0 { return nil, errors.New("subset not found") } var port int32 for _, subset := range endpoints.Subsets { for _, p := range subset.Ports { if portSpec.Name == p.Name { port = p.Port break } } if port == 0 { return nil, errors.New("cannot define a port") } protocol := "http" switch svc.Scheme { case "http", "https", "h2c": protocol = svc.Scheme case "": if port == 443 || strings.HasPrefix(portSpec.Name, "https") { protocol = "https" } default: return nil, fmt.Errorf("invalid scheme %q specified", svc.Scheme) } for _, addr := range subset.Addresses { servers = append(servers, dynamic.Server{ URL: fmt.Sprintf("%s://%s:%d", protocol, addr.IP, port), }) } } } return servers, nil } func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options { tlsOptionsCRD := client.GetTLSOptions() var tlsOptions map[string]tls.Options if len(tlsOptionsCRD) == 0 { return tlsOptions } tlsOptions = make(map[string]tls.Options) for _, tlsOption := range tlsOptionsCRD { logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace))) var clientCAs []tls.FileOrContent for _, secretName := range tlsOption.Spec.ClientAuth.SecretNames { secret, exists, err := client.GetSecret(tlsOption.Namespace, secretName) if err != nil { logger.Errorf("Failed to fetch secret %s/%s: %v", tlsOption.Namespace, secretName, err) continue } if !exists { logger.Warnf("Secret %s/%s does not exist", tlsOption.Namespace, secretName) continue } cert, err := getCABlocks(secret, tlsOption.Namespace, secretName) if err != nil { logger.Errorf("Failed to extract CA from secret %s/%s: %v", tlsOption.Namespace, secretName, err) continue } clientCAs = append(clientCAs, tls.FileOrContent(cert)) } tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{ MinVersion: tlsOption.Spec.MinVersion, CipherSuites: tlsOption.Spec.CipherSuites, ClientAuth: tls.ClientAuth{ CAFiles: clientCAs, ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType, }, SniStrict: tlsOption.Spec.SniStrict, } } return tlsOptions } func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *dynamic.HTTPConfiguration { conf := &dynamic.HTTPConfiguration{ Routers: map[string]*dynamic.Router{}, Middlewares: map[string]*dynamic.Middleware{}, Services: map[string]*dynamic.Service{}, } for _, ingressRoute := range client.GetIngressRoutes() { logger := log.FromContext(log.With(ctx, log.Str("ingress", ingressRoute.Name), log.Str("namespace", ingressRoute.Namespace))) // TODO keep the name ingressClass? if !shouldProcessIngress(p.IngressClass, ingressRoute.Annotations[annotationKubernetesIngressClass]) { continue } err := getTLSHTTP(ctx, ingressRoute, client, tlsConfigs) if err != nil { logger.Errorf("Error configuring TLS: %v", err) } ingressName := ingressRoute.Name if len(ingressName) == 0 { ingressName = ingressRoute.GenerateName } for _, route := range ingressRoute.Spec.Routes { if route.Kind != "Rule" { logger.Errorf("Unsupported match kind: %s. Only \"Rule\" is supported for now.", route.Kind) continue } if len(route.Match) == 0 { logger.Errorf("Empty match rule") continue } if err := checkStringQuoteValidity(route.Match); err != nil { logger.Errorf("Invalid syntax for match rule: %s", route.Match) continue } var allServers []dynamic.Server for _, service := range route.Services { servers, err := loadServers(client, ingressRoute.Namespace, service) if err != nil { logger. WithField("serviceName", service.Name). WithField("servicePort", service.Port). Errorf("Cannot create service: %v", err) continue } allServers = append(allServers, servers...) } var mds []string for _, mi := range route.Middlewares { if strings.Contains(mi.Name, "@") { if len(mi.Namespace) > 0 { logger. WithField(log.MiddlewareName, mi.Name). Warnf("namespace %q is ignored in cross-provider context", mi.Namespace) } mds = append(mds, mi.Name) continue } ns := mi.Namespace if len(ns) == 0 { ns = ingressRoute.Namespace } mds = append(mds, makeID(ns, mi.Name)) } key, err := makeServiceKey(route.Match, ingressName) if err != nil { logger.Error(err) continue } serviceName := makeID(ingressRoute.Namespace, key) conf.Routers[serviceName] = &dynamic.Router{ Middlewares: mds, Priority: route.Priority, EntryPoints: ingressRoute.Spec.EntryPoints, Rule: route.Match, Service: serviceName, } if ingressRoute.Spec.TLS != nil { tlsConf := &dynamic.RouterTLSConfig{ CertResolver: ingressRoute.Spec.TLS.CertResolver, } if ingressRoute.Spec.TLS.Options != nil && len(ingressRoute.Spec.TLS.Options.Name) > 0 { tlsOptionsName := ingressRoute.Spec.TLS.Options.Name // Is a Kubernetes CRD reference, (i.e. not a cross-provider reference) ns := ingressRoute.Spec.TLS.Options.Namespace if !strings.Contains(tlsOptionsName, "@") { if len(ns) == 0 { ns = ingressRoute.Namespace } tlsOptionsName = makeID(ns, tlsOptionsName) } else if len(ns) > 0 { logger. WithField("TLSoptions", ingressRoute.Spec.TLS.Options.Name). Warnf("namespace %q is ignored in cross-provider context", ns) } tlsConf.Options = tlsOptionsName } conf.Routers[serviceName].TLS = tlsConf } conf.Services[serviceName] = &dynamic.Service{ LoadBalancer: &dynamic.LoadBalancerService{ Servers: allServers, // TODO: support other strategies. PassHostHeader: true, }, } } } return conf } func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *dynamic.TCPConfiguration { conf := &dynamic.TCPConfiguration{ Routers: map[string]*dynamic.TCPRouter{}, Services: map[string]*dynamic.TCPService{}, } for _, ingressRouteTCP := range client.GetIngressRouteTCPs() { logger := log.FromContext(log.With(ctx, log.Str("ingress", ingressRouteTCP.Name), log.Str("namespace", ingressRouteTCP.Namespace))) if !shouldProcessIngress(p.IngressClass, ingressRouteTCP.Annotations[annotationKubernetesIngressClass]) { continue } if ingressRouteTCP.Spec.TLS != nil && !ingressRouteTCP.Spec.TLS.Passthrough { err := getTLSTCP(ctx, ingressRouteTCP, client, tlsConfigs) if err != nil { logger.Errorf("Error configuring TLS: %v", err) } } ingressName := ingressRouteTCP.Name if len(ingressName) == 0 { ingressName = ingressRouteTCP.GenerateName } for _, route := range ingressRouteTCP.Spec.Routes { if len(route.Match) == 0 { logger.Errorf("Empty match rule") continue } if err := checkStringQuoteValidity(route.Match); err != nil { logger.Errorf("Invalid syntax for match rule: %s", route.Match) continue } var allServers []dynamic.TCPServer for _, service := range route.Services { servers, err := loadTCPServers(client, ingressRouteTCP.Namespace, service) if err != nil { logger. WithField("serviceName", service.Name). WithField("servicePort", service.Port). Errorf("Cannot create service: %v", err) continue } allServers = append(allServers, servers...) } key, e := makeServiceKey(route.Match, ingressName) if e != nil { logger.Error(e) continue } serviceName := makeID(ingressRouteTCP.Namespace, key) conf.Routers[serviceName] = &dynamic.TCPRouter{ EntryPoints: ingressRouteTCP.Spec.EntryPoints, Rule: route.Match, Service: serviceName, } if ingressRouteTCP.Spec.TLS != nil { conf.Routers[serviceName].TLS = &dynamic.RouterTCPTLSConfig{ Passthrough: ingressRouteTCP.Spec.TLS.Passthrough, CertResolver: ingressRouteTCP.Spec.TLS.CertResolver, } if ingressRouteTCP.Spec.TLS.Options != nil && len(ingressRouteTCP.Spec.TLS.Options.Name) > 0 { tlsOptionsName := ingressRouteTCP.Spec.TLS.Options.Name // Is a Kubernetes CRD reference (i.e. not a cross-provider reference) ns := ingressRouteTCP.Spec.TLS.Options.Namespace if !strings.Contains(tlsOptionsName, "@") { if len(ns) == 0 { ns = ingressRouteTCP.Namespace } tlsOptionsName = makeID(ns, tlsOptionsName) } else if len(ns) > 0 { logger. WithField("TLSoptions", ingressRouteTCP.Spec.TLS.Options.Name). Warnf("namespace %q is ignored in cross-provider context", ns) } conf.Routers[serviceName].TLS.Options = tlsOptionsName } } conf.Services[serviceName] = &dynamic.TCPService{ LoadBalancer: &dynamic.TCPLoadBalancerService{ Servers: allServers, }, } } } return conf } func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client) *dynamic.Configuration { tlsConfigs := make(map[string]*tls.CertAndStores) conf := &dynamic.Configuration{ HTTP: p.loadIngressRouteConfiguration(ctx, client, tlsConfigs), TCP: p.loadIngressRouteTCPConfiguration(ctx, client, tlsConfigs), TLS: &dynamic.TLSConfiguration{ Certificates: getTLSConfig(tlsConfigs), Options: buildTLSOptions(ctx, client), }, } for _, middleware := range client.GetMiddlewares() { conf.HTTP.Middlewares[makeID(middleware.Namespace, middleware.Name)] = &middleware.Spec } return conf } func makeServiceKey(rule, ingressName string) (string, error) { h := sha256.New() if _, err := h.Write([]byte(rule)); err != nil { return "", err } key := fmt.Sprintf("%s-%.10x", ingressName, h.Sum(nil)) return key, nil } func makeID(namespace, name string) string { if namespace == "" { return name } return namespace + "/" + name } func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bool { return ingressClass == ingressClassAnnotation || (len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass) } func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error { if ingressRoute.Spec.TLS == nil { return nil } if ingressRoute.Spec.TLS.SecretName == "" { log.FromContext(ctx).Debugf("Skipping TLS sub-section: No secret name provided") return nil } configKey := ingressRoute.Namespace + "/" + ingressRoute.Spec.TLS.SecretName if _, tlsExists := tlsConfigs[configKey]; !tlsExists { tlsConf, err := getTLS(k8sClient, ingressRoute.Spec.TLS.SecretName, ingressRoute.Namespace) if err != nil { return err } tlsConfigs[configKey] = tlsConf } return nil } func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error { if ingressRoute.Spec.TLS == nil { return nil } if ingressRoute.Spec.TLS.SecretName == "" { log.FromContext(ctx).Debugf("Skipping TLS sub-section for TCP: No secret name provided") return nil } configKey := ingressRoute.Namespace + "/" + ingressRoute.Spec.TLS.SecretName if _, tlsExists := tlsConfigs[configKey]; !tlsExists { tlsConf, err := getTLS(k8sClient, ingressRoute.Spec.TLS.SecretName, ingressRoute.Namespace) if err != nil { return err } tlsConfigs[configKey] = tlsConf } return nil } func getTLS(k8sClient Client, secretName, namespace string) (*tls.CertAndStores, error) { secret, exists, err := k8sClient.GetSecret(namespace, secretName) if err != nil { return nil, fmt.Errorf("failed to fetch secret %s/%s: %v", namespace, secretName, err) } if !exists { return nil, fmt.Errorf("secret %s/%s does not exist", namespace, secretName) } cert, key, err := getCertificateBlocks(secret, namespace, secretName) if err != nil { return nil, err } return &tls.CertAndStores{ Certificate: tls.Certificate{ CertFile: tls.FileOrContent(cert), KeyFile: tls.FileOrContent(key), }, }, nil } func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores { var secretNames []string for secretName := range tlsConfigs { secretNames = append(secretNames, secretName) } sort.Strings(secretNames) var configs []*tls.CertAndStores for _, secretName := range secretNames { configs = append(configs, tlsConfigs[secretName]) } return configs } func getCertificateBlocks(secret *corev1.Secret, namespace, secretName string) (string, string, error) { var missingEntries []string tlsCrtData, tlsCrtExists := secret.Data["tls.crt"] if !tlsCrtExists { missingEntries = append(missingEntries, "tls.crt") } tlsKeyData, tlsKeyExists := secret.Data["tls.key"] if !tlsKeyExists { missingEntries = append(missingEntries, "tls.key") } if len(missingEntries) > 0 { return "", "", fmt.Errorf("secret %s/%s is missing the following TLS data entries: %s", namespace, secretName, strings.Join(missingEntries, ", ")) } cert := string(tlsCrtData) if cert == "" { missingEntries = append(missingEntries, "tls.crt") } key := string(tlsKeyData) if key == "" { missingEntries = append(missingEntries, "tls.key") } if len(missingEntries) > 0 { return "", "", fmt.Errorf("secret %s/%s contains the following empty TLS data entries: %s", namespace, secretName, strings.Join(missingEntries, ", ")) } return cert, key, nil } func getCABlocks(secret *corev1.Secret, namespace, secretName string) (string, error) { tlsCrtData, tlsCrtExists := secret.Data["tls.ca"] if !tlsCrtExists { return "", fmt.Errorf("the tls.ca entry is missing from secret %s/%s", namespace, secretName) } cert := string(tlsCrtData) if cert == "" { return "", fmt.Errorf("the tls.ca entry in secret %s/%s is empty", namespace, secretName) } return cert, nil }