homelab/traefik
1
0
Fork 0
Code Activity

Add Ingress annotations support

Browse source 
Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com>
This commit is contained in:
Ludovic Fernandez 2020-01-14 15:48:06 +01:00 committed by Traefiker Bot
parent 4f52691f71
commit 6b7be462b8
11 changed files with 1086 additions and 296 deletions
Download patch file Download diff file Expand all files Collapse all files

108
pkg/provider/kubernetes/ingress/annotations.go Normal file
View file

@ -0,0 +1,108 @@
package ingress
import (
"regexp"
"strings"
"github.com/containous/traefik/v2/pkg/config/dynamic"
"github.com/containous/traefik/v2/pkg/config/label"
)
const (
// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
annotationsPrefix = "traefik.ingress.kubernetes.io/"
)
// RouterConfig is the router's root configuration from annotations.
type RouterConfig struct {
Router *RouterIng `json:"router,omitempty"`
}
// RouterIng is the router's configuration from annotations.
type RouterIng struct {
PathMatcher string `json:"pathMatcher,omitempty"`
EntryPoints []string `json:"entryPoints,omitempty"`
Middlewares []string `json:"middlewares,omitempty"`
Priority int `json:"priority,omitempty"`
TLS *dynamic.RouterTLSConfig `json:"tls,omitempty" label:"allowEmpty"`
}
// SetDefaults sets the default values.
func (r *RouterIng) SetDefaults() {
r.PathMatcher = defaultPathMatcher
}
// ServiceConfig is the service's root configuration from annotations.
type ServiceConfig struct {
Service *ServiceIng `json:"service,omitempty"`
}
// ServiceIng is the service's configuration from annotations.
type ServiceIng struct {
ServersScheme string `json:"serversScheme,omitempty"`
PassHostHeader *bool `json:"passHostHeader"`
Sticky *dynamic.Sticky `json:"sticky,omitempty" label:"allowEmpty"`
}
// SetDefaults sets the default values.
func (s *ServiceIng) SetDefaults() {
s.PassHostHeader = func(v bool) *bool { return &v }(true)
}
func parseRouterConfig(annotations map[string]string) (*RouterConfig, error) {
labels := convertAnnotations(annotations)
if len(labels) == 0 {
return nil, nil
}
cfg := &RouterConfig{}
err := label.Decode(labels, cfg, "traefik.router.")
if err != nil {
return nil, err
}
return cfg, nil
}
func parseServiceConfig(annotations map[string]string) (*ServiceConfig, error) {
labels := convertAnnotations(annotations)
if len(labels) == 0 {
return nil, nil
}
cfg := &ServiceConfig{}
err := label.Decode(labels, cfg, "traefik.service.")
if err != nil {
return nil, err
}
return cfg, nil
}
func convertAnnotations(annotations map[string]string) map[string]string {
if len(annotations) == 0 {
return nil
}
exp := regexp.MustCompile(`(.+)\.(\w+)\.(\d+)\.(.+)`)
result := make(map[string]string)
for key, value := range annotations {
if !strings.HasPrefix(key, annotationsPrefix) {
continue
}
newKey := strings.ReplaceAll(key, "ingress.kubernetes.io/", "")
if exp.MatchString(newKey) {
newKey = exp.ReplaceAllString(newKey, "$1.$2[$3].$4")
}
result[newKey] = value
}
return result
}

243
pkg/provider/kubernetes/ingress/annotations_test.go Normal file
View file

@ -0,0 +1,243 @@
package ingress
import (
"testing"
"github.com/containous/traefik/v2/pkg/config/dynamic"
"github.com/containous/traefik/v2/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_parseRouterConfig(t *testing.T) {
testCases := []struct {
desc string
annotations map[string]string
expected *RouterConfig
}{
{
desc: "router annotations",
annotations: map[string]string{
"ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/router.pathmatcher": "foobar",
"traefik.ingress.kubernetes.io/router.entrypoints": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.middlewares": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.priority": "42",
"traefik.ingress.kubernetes.io/router.tls": "true",
"traefik.ingress.kubernetes.io/router.tls.certresolver": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.0.main": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.0.sans": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.1.main": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.1.sans": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.tls.options": "foobar",
},
expected: &RouterConfig{
Router: &RouterIng{
PathMatcher: "foobar",
EntryPoints: []string{"foobar", "foobar"},
Middlewares: []string{"foobar", "foobar"},
Priority: 42,
TLS: &dynamic.RouterTLSConfig{
CertResolver: "foobar",
Domains: []types.Domain{
{
Main: "foobar",
SANs: []string{"foobar", "foobar"},
},
{
Main: "foobar",
SANs: []string{"foobar", "foobar"},
},
},
Options: "foobar",
},
},
},
},
{
desc: "simple TLS annotation",
annotations: map[string]string{
"traefik.ingress.kubernetes.io/router.tls": "true",
},
expected: &RouterConfig{
Router: &RouterIng{
PathMatcher: "PathPrefix",
TLS: &dynamic.RouterTLSConfig{},
},
},
},
{
desc: "empty map",
annotations: nil,
expected: nil,
},
{
desc: "nil map",
annotations: nil,
expected: nil,
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
cfg, err := parseRouterConfig(test.annotations)
require.NoError(t, err)
assert.Equal(t, test.expected, cfg)
})
}
}
func Test_parseServiceConfig(t *testing.T) {
testCases := []struct {
desc string
annotations map[string]string
expected *ServiceConfig
}{
{
desc: "service annotations",
annotations: map[string]string{
"ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/service.serversscheme": "protocol",
"traefik.ingress.kubernetes.io/service.passhostheader": "true",
"traefik.ingress.kubernetes.io/service.sticky": "true",
"traefik.ingress.kubernetes.io/service.sticky.cookie.httponly": "true",
"traefik.ingress.kubernetes.io/service.sticky.cookie.name": "foobar",
"traefik.ingress.kubernetes.io/service.sticky.cookie.secure": "true",
},
expected: &ServiceConfig{
Service: &ServiceIng{
Sticky: &dynamic.Sticky{
Cookie: &dynamic.Cookie{
Name: "foobar",
Secure: true,
HTTPOnly: true,
},
},
ServersScheme: "protocol",
PassHostHeader: Bool(true),
},
},
},
{
desc: "simple sticky annotation",
annotations: map[string]string{
"traefik.ingress.kubernetes.io/service.sticky": "true",
},
expected: &ServiceConfig{
Service: &ServiceIng{
Sticky: &dynamic.Sticky{},
PassHostHeader: Bool(true),
},
},
},
{
desc: "empty map",
annotations: map[string]string{},
expected: nil,
},
{
desc: "nil map",
annotations: nil,
expected: nil,
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
cfg, err := parseServiceConfig(test.annotations)
require.NoError(t, err)
assert.Equal(t, test.expected, cfg)
})
}
}
func Test_convertAnnotations(t *testing.T) {
testCases := []struct {
desc string
annotations map[string]string
expected map[string]string
}{
{
desc: "router annotations",
annotations: map[string]string{
"ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/foo": "bar",
"traefik.ingress.kubernetes.io/router.pathmatcher": "foobar",
"traefik.ingress.kubernetes.io/router.entrypoints": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.middlewares": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.priority": "42",
"traefik.ingress.kubernetes.io/router.tls": "true",
"traefik.ingress.kubernetes.io/router.tls.certresolver": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.0.main": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.0.sans": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.1.main": "foobar",
"traefik.ingress.kubernetes.io/router.tls.domains.1.sans": "foobar,foobar",
"traefik.ingress.kubernetes.io/router.tls.options": "foobar",
},
expected: map[string]string{
"traefik.foo": "bar",
"traefik.router.pathmatcher": "foobar",
"traefik.router.entrypoints": "foobar,foobar",
"traefik.router.middlewares": "foobar,foobar",
"traefik.router.priority": "42",
"traefik.router.tls": "true",
"traefik.router.tls.certresolver": "foobar",
"traefik.router.tls.domains[0].main": "foobar",
"traefik.router.tls.domains[0].sans": "foobar,foobar",
"traefik.router.tls.domains[1].main": "foobar",
"traefik.router.tls.domains[1].sans": "foobar,foobar",
"traefik.router.tls.options": "foobar",
},
},
{
desc: "service annotations",
annotations: map[string]string{
"traefik.ingress.kubernetes.io/service.serversscheme": "protocol",
"traefik.ingress.kubernetes.io/service.passhostheader": "true",
"traefik.ingress.kubernetes.io/service.sticky": "true",
"traefik.ingress.kubernetes.io/service.sticky.cookie.httponly": "true",
"traefik.ingress.kubernetes.io/service.sticky.cookie.name": "foobar",
"traefik.ingress.kubernetes.io/service.sticky.cookie.secure": "true",
},
expected: map[string]string{
"traefik.service.passhostheader": "true",
"traefik.service.serversscheme": "protocol",
"traefik.service.sticky": "true",
"traefik.service.sticky.cookie.httponly": "true",
"traefik.service.sticky.cookie.name": "foobar",
"traefik.service.sticky.cookie.secure": "true",
},
},
{
desc: "empty map",
annotations: map[string]string{},
expected: nil,
},
{
desc: "nil map",
annotations: nil,
expected: nil,
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
labels := convertAnnotations(test.annotations)
assert.Equal(t, test.expected, labels)
})
}
}

15
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-annotations_endpoint.yml Normal file
View file

@ -0,0 +1,15 @@
kind: Endpoints
apiVersion: v1
metadata:
name: service1
namespace: testing
subsets:
- addresses:
- ip: 10.10.0.1
ports:
- port: 8080
- addresses:
- ip: 10.21.0.1
ports:
- port: 8080

28
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-annotations_ingress.yml Normal file
View file

@ -0,0 +1,28 @@
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
name: ""
namespace: testing
annotations:
ingress.kubernetes.io/foo: bar
traefik.ingress.kubernetes.io/foo: bar
traefik.ingress.kubernetes.io/router.pathmatcher: Path
traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2
traefik.ingress.kubernetes.io/router.middlewares: md1,md2
traefik.ingress.kubernetes.io/router.priority: "42"
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: foobar
traefik.ingress.kubernetes.io/router.tls.domains.0.main: domain.com
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: one.domain.com,two.domain.com
traefik.ingress.kubernetes.io/router.tls.domains.1.main: example.com
traefik.ingress.kubernetes.io/router.tls.domains.1.sans: one.example.com,two.example.com
traefik.ingress.kubernetes.io/router.tls.options: foobar
spec:
rules:
- http:
paths:
- path: /bar
backend:
serviceName: service1
servicePort: 80

20
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-annotations_service.yml Normal file
View file

@ -0,0 +1,20 @@
---
kind: Service
apiVersion: v1
metadata:
name: service1
namespace: testing
annotations:
ingress.kubernetes.io/foo: bar
traefik.ingress.kubernetes.io/foo: bar
traefik.ingress.kubernetes.io/service.serversscheme: protocol
traefik.ingress.kubernetes.io/service.passhostheader: "true"
traefik.ingress.kubernetes.io/service.sticky: "true"
traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar
traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
spec:
ports:
- port: 80
clusterIp: 10.0.0.1

529
pkg/provider/kubernetes/ingress/kubernetes.go
View file

@ -29,6 +29,7 @@ import (
const (
annotationKubernetesIngressClass = "kubernetes.io/ingress.class"
traefikDefaultIngressClass = "traefik"
defaultPathMatcher = "PathPrefix"
)
// Provider holds configurations of the provider.
@ -173,96 +174,6 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
return nil
}
func checkStringQuoteValidity(value string) error {
_, err := strconv.Unquote(`"` + value + `"`)
return err
}
func loadService(client Client, namespace string, backend v1beta1.IngressBackend) (*dynamic.Service, error) {
service, exists, err := client.GetService(namespace, backend.ServiceName)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.New("service not found")
}
var servers []dynamic.Server
var portName string
var portSpec corev1.ServicePort
var match bool
for _, p := range service.Spec.Ports {
if (backend.ServicePort.Type == intstr.Int && backend.ServicePort.IntVal == p.Port) ||
(backend.ServicePort.Type == intstr.String && backend.ServicePort.StrVal == p.Name) {
portName = p.Name
portSpec = p
match = true
break
}
}
if !match {
return nil, errors.New("service port not found")
}
if service.Spec.Type == corev1.ServiceTypeExternalName {
protocol := "http"
if portSpec.Port == 443 || strings.HasPrefix(portSpec.Name, "https") {
protocol = "https"
}
servers = append(servers, dynamic.Server{
URL: fmt.Sprintf("%s://%s:%d", protocol, service.Spec.ExternalName, portSpec.Port),
})
} else {
endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, backend.ServiceName)
if endpointsErr != nil {
return nil, endpointsErr
}
if !endpointsExists {
return nil, errors.New("endpoints not found")
}
if len(endpoints.Subsets) == 0 {
return nil, errors.New("subset not found")
}
var port int32
for _, subset := range endpoints.Subsets {
for _, p := range subset.Ports {
if portName == p.Name {
port = p.Port
break
}
}
if port == 0 {
return nil, errors.New("cannot define a port")
}
protocol := "http"
if portSpec.Port == 443 || strings.HasPrefix(portName, "https") {
protocol = "https"
}
for _, addr := range subset.Addresses {
servers = append(servers, dynamic.Server{
URL: fmt.Sprintf("%s://%s:%d", protocol, addr.IP, port),
})
}
}
}
return &dynamic.Service{
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: servers,
PassHostHeader: func(v bool) *bool { return &v }(true),
},
}, nil
}
func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Client) *dynamic.Configuration {
conf := &dynamic.Configuration{
HTTP: &dynamic.HTTPConfiguration{
@ -275,7 +186,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
ingresses := client.GetIngresses()
tlsConfigs := make(map[string]*tls.CertAndStores)
certConfigs := make(map[string]*tls.CertAndStores)
for _, ingress := range ingresses {
ctx = log.With(ctx, log.Str("ingress", ingress.Name), log.Str("namespace", ingress.Namespace))
@ -283,35 +194,46 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
continue
}
err := getTLS(ctx, ingress, client, tlsConfigs)
rtConfig, err := parseRouterConfig(ingress.Annotations)
if err != nil {
log.FromContext(ctx).Errorf("Failed to parse annotations: %v", err)
continue
}
err = getCertificates(ctx, ingress, client, certConfigs)
if err != nil {
log.FromContext(ctx).Errorf("Error configuring TLS: %v", err)
}
if len(ingress.Spec.Rules) == 0 {
if ingress.Spec.Backend != nil {
if _, ok := conf.HTTP.Services["default-backend"]; ok {
log.FromContext(ctx).Error("The default backend already exists.")
continue
}
service, err := loadService(client, ingress.Namespace, *ingress.Spec.Backend)
if err != nil {
log.FromContext(ctx).
WithField("serviceName", ingress.Spec.Backend.ServiceName).
WithField("servicePort", ingress.Spec.Backend.ServicePort.String()).
Errorf("Cannot create service: %v", err)
continue
}
conf.HTTP.Routers["default-router"] = &dynamic.Router{
Rule: "PathPrefix(`/`)",
Priority: math.MinInt32,
Service: "default-backend",
}
conf.HTTP.Services["default-backend"] = service
if len(ingress.Spec.Rules) == 0 && ingress.Spec.Backend != nil {
if _, ok := conf.HTTP.Services["default-backend"]; ok {
log.FromContext(ctx).Error("The default backend already exists.")
continue
}
service, err := loadService(client, ingress.Namespace, *ingress.Spec.Backend)
if err != nil {
log.FromContext(ctx).
WithField("serviceName", ingress.Spec.Backend.ServiceName).
WithField("servicePort", ingress.Spec.Backend.ServicePort.String()).
Errorf("Cannot create service: %v", err)
continue
}
rt := &dynamic.Router{
Rule: "PathPrefix(`/`)",
Priority: math.MinInt32,
Service: "default-backend",
}
if rtConfig != nil && rtConfig.Router != nil {
rt.EntryPoints = rtConfig.Router.EntryPoints
rt.Middlewares = rtConfig.Router.Middlewares
rt.TLS = rtConfig.Router.TLS
}
conf.HTTP.Routers["default-router"] = rt
conf.HTTP.Services["default-backend"] = service
}
for _, rule := range ingress.Spec.Rules {
@ -321,46 +243,26 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
}
if rule.HTTP != nil {
for _, p := range rule.HTTP.Paths {
service, err := loadService(client, ingress.Namespace, p.Backend)
for _, pa := range rule.HTTP.Paths {
if err = checkStringQuoteValidity(pa.Path); err != nil {
log.FromContext(ctx).Errorf("Invalid syntax for path: %s", pa.Path)
continue
}
service, err := loadService(client, ingress.Namespace, pa.Backend)
if err != nil {
log.FromContext(ctx).
WithField("serviceName", p.Backend.ServiceName).
WithField("servicePort", p.Backend.ServicePort.String()).
WithField("serviceName", pa.Backend.ServiceName).
WithField("servicePort", pa.Backend.ServicePort.String()).
Errorf("Cannot create service: %v", err)
continue
}
if err = checkStringQuoteValidity(p.Path); err != nil {
log.FromContext(ctx).Errorf("Invalid syntax for path: %s", p.Path)
continue
}
serviceName := provider.Normalize(ingress.Namespace + "-" + p.Backend.ServiceName + "-" + p.Backend.ServicePort.String())
var rules []string
if len(rule.Host) > 0 {
rules = []string{"Host(`" + rule.Host + "`)"}
}
if len(p.Path) > 0 {
rules = append(rules, "PathPrefix(`"+p.Path+"`)")
}
routerKey := strings.TrimPrefix(provider.Normalize(rule.Host+p.Path), "-")
conf.HTTP.Routers[routerKey] = &dynamic.Router{
Rule: strings.Join(rules, " && "),
Service: serviceName,
}
if len(ingress.Spec.TLS) > 0 {
// TLS enabled for this ingress, add TLS router
conf.HTTP.Routers[routerKey+"-tls"] = &dynamic.Router{
Rule: strings.Join(rules, " && "),
Service: serviceName,
TLS: &dynamic.RouterTLSConfig{},
}
}
serviceName := provider.Normalize(ingress.Namespace + "-" + pa.Backend.ServiceName + "-" + pa.Backend.ServicePort.String())
conf.HTTP.Services[serviceName] = service
routerKey := strings.TrimPrefix(provider.Normalize(rule.Host+pa.Path), "-")
conf.HTTP.Routers[routerKey] = loadRouter(ingress, rule, pa, rtConfig, serviceName)
}
}
@ -371,7 +273,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
}
}
certs := getTLSConfig(tlsConfigs)
certs := getTLSConfig(certConfigs)
if len(certs) > 0 {
conf.TLS = &dynamic.TLSConfiguration{
Certificates: certs,
@ -381,96 +283,6 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
return conf
}
func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bool {
return ingressClass == ingressClassAnnotation ||
(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
}
func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
for _, t := range ingress.Spec.TLS {
if t.SecretName == "" {
log.FromContext(ctx).Debugf("Skipping TLS sub-section: No secret name provided")
continue
}
configKey := ingress.Namespace + "-" + t.SecretName
if _, tlsExists := tlsConfigs[configKey]; !tlsExists {
secret, exists, err := k8sClient.GetSecret(ingress.Namespace, t.SecretName)
if err != nil {
return fmt.Errorf("failed to fetch secret %s/%s: %v", ingress.Namespace, t.SecretName, err)
}
if !exists {
return fmt.Errorf("secret %s/%s does not exist", ingress.Namespace, t.SecretName)
}
cert, key, err := getCertificateBlocks(secret, ingress.Namespace, t.SecretName)
if err != nil {
return err
}
tlsConfigs[configKey] = &tls.CertAndStores{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key),
},
}
}
}
return nil
}
func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
var secretNames []string
for secretName := range tlsConfigs {
secretNames = append(secretNames, secretName)
}
sort.Strings(secretNames)
var configs []*tls.CertAndStores
for _, secretName := range secretNames {
configs = append(configs, tlsConfigs[secretName])
}
return configs
}
func getCertificateBlocks(secret *corev1.Secret, namespace, secretName string) (string, string, error) {
var missingEntries []string
tlsCrtData, tlsCrtExists := secret.Data["tls.crt"]
if !tlsCrtExists {
missingEntries = append(missingEntries, "tls.crt")
}
tlsKeyData, tlsKeyExists := secret.Data["tls.key"]
if !tlsKeyExists {
missingEntries = append(missingEntries, "tls.key")
}
if len(missingEntries) > 0 {
return "", "", fmt.Errorf("secret %s/%s is missing the following TLS data entries: %s",
namespace, secretName, strings.Join(missingEntries, ", "))
}
cert := string(tlsCrtData)
if cert == "" {
missingEntries = append(missingEntries, "tls.crt")
}
key := string(tlsKeyData)
if key == "" {
missingEntries = append(missingEntries, "tls.key")
}
if len(missingEntries) > 0 {
return "", "", fmt.Errorf("secret %s/%s contains the following empty TLS data entries: %s",
namespace, secretName, strings.Join(missingEntries, ", "))
}
return cert, key, nil
}
func (p *Provider) updateIngressStatus(i *v1beta1.Ingress, k8sClient Client) error {
// Only process if an EndpointIngress has been configured
if p.IngressEndpoint == nil {
@ -509,6 +321,245 @@ func (p *Provider) updateIngressStatus(i *v1beta1.Ingress, k8sClient Client) err
return k8sClient.UpdateIngressStatus(i.Namespace, i.Name, service.Status.LoadBalancer.Ingress[0].IP, service.Status.LoadBalancer.Ingress[0].Hostname)
}
func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bool {
return ingressClass == ingressClassAnnotation ||
(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
}
func getCertificates(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
for _, t := range ingress.Spec.TLS {
if t.SecretName == "" {
log.FromContext(ctx).Debugf("Skipping TLS sub-section: No secret name provided")
continue
}
configKey := ingress.Namespace + "-" + t.SecretName
if _, tlsExists := tlsConfigs[configKey]; !tlsExists {
secret, exists, err := k8sClient.GetSecret(ingress.Namespace, t.SecretName)
if err != nil {
return fmt.Errorf("failed to fetch secret %s/%s: %v", ingress.Namespace, t.SecretName, err)
}
if !exists {
return fmt.Errorf("secret %s/%s does not exist", ingress.Namespace, t.SecretName)
}
cert, key, err := getCertificateBlocks(secret, ingress.Namespace, t.SecretName)
if err != nil {
return err
}
tlsConfigs[configKey] = &tls.CertAndStores{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key),
},
}
}
}
return nil
}
func getCertificateBlocks(secret *corev1.Secret, namespace, secretName string) (string, string, error) {
var missingEntries []string
tlsCrtData, tlsCrtExists := secret.Data["tls.crt"]
if !tlsCrtExists {
missingEntries = append(missingEntries, "tls.crt")
}
tlsKeyData, tlsKeyExists := secret.Data["tls.key"]
if !tlsKeyExists {
missingEntries = append(missingEntries, "tls.key")
}
if len(missingEntries) > 0 {
return "", "", fmt.Errorf("secret %s/%s is missing the following TLS data entries: %s",
namespace, secretName, strings.Join(missingEntries, ", "))
}
cert := string(tlsCrtData)
if cert == "" {
missingEntries = append(missingEntries, "tls.crt")
}
key := string(tlsKeyData)
if key == "" {
missingEntries = append(missingEntries, "tls.key")
}
if len(missingEntries) > 0 {
return "", "", fmt.Errorf("secret %s/%s contains the following empty TLS data entries: %s",
namespace, secretName, strings.Join(missingEntries, ", "))
}
return cert, key, nil
}
func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
var secretNames []string
for secretName := range tlsConfigs {
secretNames = append(secretNames, secretName)
}
sort.Strings(secretNames)
var configs []*tls.CertAndStores
for _, secretName := range secretNames {
configs = append(configs, tlsConfigs[secretName])
}
return configs
}
func loadService(client Client, namespace string, backend v1beta1.IngressBackend) (*dynamic.Service, error) {
service, exists, err := client.GetService(namespace, backend.ServiceName)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.New("service not found")
}
var portName string
var portSpec corev1.ServicePort
var match bool
for _, p := range service.Spec.Ports {
if (backend.ServicePort.Type == intstr.Int && backend.ServicePort.IntVal == p.Port) ||
(backend.ServicePort.Type == intstr.String && backend.ServicePort.StrVal == p.Name) {
portName = p.Name
portSpec = p
match = true
break
}
}
if !match {
return nil, errors.New("service port not found")
}
svc := &dynamic.Service{
LoadBalancer: &dynamic.ServersLoadBalancer{
PassHostHeader: func(v bool) *bool { return &v }(true),
},
}
svcConfig, err := parseServiceConfig(service.Annotations)
if err != nil {
return nil, err
}
if svcConfig != nil && svcConfig.Service != nil {
svc.LoadBalancer.Sticky = svcConfig.Service.Sticky
if svcConfig.Service.PassHostHeader != nil {
svc.LoadBalancer.PassHostHeader = svcConfig.Service.PassHostHeader
}
}
if service.Spec.Type == corev1.ServiceTypeExternalName {
protocol := getProtocol(portSpec, portSpec.Name, svcConfig)
svc.LoadBalancer.Servers = []dynamic.Server{
{URL: fmt.Sprintf("%s://%s:%d", protocol, service.Spec.ExternalName, portSpec.Port)},
}
return svc, nil
}
endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, backend.ServiceName)
if endpointsErr != nil {
return nil, endpointsErr
}
if !endpointsExists {
return nil, errors.New("endpoints not found")
}
if len(endpoints.Subsets) == 0 {
return nil, errors.New("subset not found")
}
var port int32
for _, subset := range endpoints.Subsets {
for _, p := range subset.Ports {
if portName == p.Name {
port = p.Port
break
}
}
if port == 0 {
return nil, errors.New("cannot define a port")
}
protocol := getProtocol(portSpec, portName, svcConfig)
for _, addr := range subset.Addresses {
svc.LoadBalancer.Servers = append(svc.LoadBalancer.Servers, dynamic.Server{
URL: fmt.Sprintf("%s://%s:%d", protocol, addr.IP, port),
})
}
}
return svc, nil
}
func getProtocol(portSpec corev1.ServicePort, portName string, svcConfig *ServiceConfig) string {
if svcConfig != nil && svcConfig.Service != nil && svcConfig.Service.ServersScheme != "" {
return svcConfig.Service.ServersScheme
}
protocol := "http"
if portSpec.Port == 443 || strings.HasPrefix(portName, "https") {
protocol = "https"
}
return protocol
}
func loadRouter(ingress *v1beta1.Ingress, rule v1beta1.IngressRule, pa v1beta1.HTTPIngressPath, rtConfig *RouterConfig, serviceName string) *dynamic.Router {
var rules []string
if len(rule.Host) > 0 {
rules = []string{"Host(`" + rule.Host + "`)"}
}
if len(pa.Path) > 0 {
matcher := defaultPathMatcher
if rtConfig != nil && rtConfig.Router != nil && rtConfig.Router.PathMatcher != "" {
matcher = rtConfig.Router.PathMatcher
}
rules = append(rules, fmt.Sprintf("%s(`%s`)", matcher, pa.Path))
}
rt := &dynamic.Router{
Rule: strings.Join(rules, " && "),
Service: serviceName,
}
if len(ingress.Spec.TLS) > 0 {
// TLS enabled for this ingress, add TLS router
rt.TLS = &dynamic.RouterTLSConfig{}
}
if rtConfig != nil && rtConfig.Router != nil {
rt.Priority = rtConfig.Router.Priority
rt.EntryPoints = rtConfig.Router.EntryPoints
rt.Middlewares = rtConfig.Router.Middlewares
if rtConfig.Router.TLS != nil {
rt.TLS = rtConfig.Router.TLS
}
}
return rt
}
func checkStringQuoteValidity(value string) error {
_, err := strconv.Unquote(`"` + value + `"`)
return err
}
func throttleEvents(ctx context.Context, throttleDuration time.Duration, stop chan bool, eventsChan <-chan interface{}) chan interface{} {
if throttleDuration == 0 {
return nil

66
pkg/provider/kubernetes/ingress/kubernetes_test.go
View file

@ -11,6 +11,7 @@ import (
"github.com/containous/traefik/v2/pkg/config/dynamic"
"github.com/containous/traefik/v2/pkg/provider"
"github.com/containous/traefik/v2/pkg/tls"
"github.com/containous/traefik/v2/pkg/types"
"github.com/stretchr/testify/assert"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/extensions/v1beta1"
@ -79,6 +80,60 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
{
desc: "Ingress with annotations",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"bar": {
Rule: "Path(`/bar`)",
EntryPoints: []string{"ep1", "ep2"},
Service: "testing-service1-80",
Middlewares: []string{"md1", "md2"},
Priority: 42,
TLS: &dynamic.RouterTLSConfig{
CertResolver: "foobar",
Domains: []types.Domain{
{
Main: "domain.com",
SANs: []string{"one.domain.com", "two.domain.com"},
},
{
Main: "example.com",
SANs: []string{"one.example.com", "two.example.com"},
},
},
Options: "foobar",
},
},
},
Services: map[string]*dynamic.Service{
"testing-service1-80": {
LoadBalancer: &dynamic.ServersLoadBalancer{
PassHostHeader: Bool(true),
Sticky: &dynamic.Sticky{
Cookie: &dynamic.Cookie{
Name: "foobar",
Secure: true,
HTTPOnly: true,
},
},
Servers: []dynamic.Server{
{
URL: "protocol://10.10.0.1:8080",
},
{
URL: "protocol://10.21.0.1:8080",
},
},
},
},
},
},
},
},
{
desc: "Ingress with two different rules with one path",
expected: &dynamic.Configuration{
@ -176,7 +231,8 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
}, {
},
{
desc: "Ingress with one host without path",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
@ -700,10 +756,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
"example-com": {
Rule: "Host(`example.com`)",
Service: "testing-example-com-80",
},
"example-com-tls": {
Rule: "Host(`example.com`)",
Service: "testing-example-com-80",
TLS: &dynamic.RouterTLSConfig{},
},
},
@ -967,7 +1019,7 @@ func generateTestFilename(suffix, desc string) string {
return "./fixtures/" + strings.ReplaceAll(desc, " ", "-") + suffix + ".yml"
}
func TestGetTLS(t *testing.T) {
func TestGetCertificates(t *testing.T) {
testIngressWithoutHostname := buildIngress(
iNamespace("testing"),
iRules(
@ -1129,7 +1181,7 @@ func TestGetTLS(t *testing.T) {
t.Parallel()
tlsConfigs := map[string]*tls.CertAndStores{}
err := getTLS(context.Background(), test.ingress, test.client, tlsConfigs)
err := getCertificates(context.Background(), test.ingress, test.client, tlsConfigs)
if test.errResult != "" {
assert.EqualError(t, err, test.errResult)