forked from helm/charts
Ability to add arbitrary Secrets and ConfigMaps (helm#5618)
Google Cloud DNS is configured differently from all other ACME DNS providers in that it expects a file to be available inside the container (because of how the underlying lego library is set up). This didn't map well to how helm packages are expected to be provided with configuration/secrets. To support this the ability to specify any number of Secrets and ConfigMaps from the values.yaml file has been added.

Signed-off-by: Jacob Magnusson <[email protected]>
1 parent a0b94a4, commit 128b81e
Showing 6 changed files with 94 additions and 4 deletions.
@@ -133,7 +133,7 @@ The following table lists the configurable parameters of the Traefik chart and t | |
| `acme.challengeType` | Type of ACME challenge to perform domain validation. `tls-sni-01` (deprecated), `tls-alpn-01` (recommended), `http-01` or `dns-01` | `tls-sni-01` | | ||
| `acme.delayBeforeCheck` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds. Useful when Traefik cannot resolve external DNS queries. | `0` | | ||
| `acme.dnsProvider.name` | Which DNS provider to use. See [here](https://github.com/xenolf/lego/tree/master/providers/dns) for the list of possible values. | `nil` | | ||
| `acme.dnsProvider.$name` | The configuration environment variables (encoded as a secret) needed for the DNS provider to do DNS challenge. See [here](#example-aws-route-53). | `{}` | | ||
| `acme.dnsProvider.$name` | The configuration environment variables (encoded as a secret) needed for the DNS provider to do DNS challenge. Example configuration: [AWS Route 53](#example-aws-route-53), [Google Cloud DNS](#example-gcloud). | `{}` | | ||
| `acme.email` | Email address to be used in certificates obtained from Let's Encrypt | `[email protected]` | | ||
| `acme.onHostRule` | Whether to generate a certificate for each frontend with Host rule | `true` | | ||
| `acme.staging` | Whether to get certs from Let's Encrypt's staging environment | `true` | | ||
|
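Review bot: the new link target `#example-gcloud` in the `acme.dnsProvider.$name` row will not resolve. GitHub derives the anchor from the heading text, and the heading added further down in this file reads `#### Example: Google Cloud DNS`, which yields `#example-google-cloud-dns`, exactly as `#### Example: AWS Route 53` yields the `#example-aws-route-53` used beside it. Either point the link at `#example-google-cloud-dns` or rename the heading to match the link.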
@@ -219,6 +219,8 @@ The following table lists the configurable parameters of the Traefik chart and t | |
| `tracing.datadog.debug` | Enables Datadog debugging | `false` | | ||
| `tracing.datadog.globalTag` | Apply shared tag in a form of Key:Value to all the traces | `""` | | ||
| `autoscaling` | HorizontalPodAutoscaler for the traefik Deployment | `{}` | | ||
| `configFiles` | Config files to make available in the deployment. key=filename, value=file contents | `{}` | | ||
| `secretFiles` | Secret files to make available in the deployment. key=filename, value=file contents | `{}` | | ||
|
||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: | ||
|
||
|
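Review bot: the two new rows say what `configFiles` and `secretFiles` hold but not where the files end up inside the container, which is what a user needs in order to reference them (the Google Cloud DNS example later in this file assumes `/secrets/gcloud-credentials.json`). Add the mount directory for each to the description, and state that each key is used verbatim as the ConfigMap/Secret data key, so it must match `[-._a-zA-Z0-9]+`; a key such as `conf/app.toml` will be rejected by the API server rather than produce a subdirectory.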
@@ -354,12 +356,12 @@ acme: | |
#### Example: AWS Route 53 | ||
Route 53 requires the [following configuration variables to be set](values.yaml#L98-L101): | ||
Using `route53` as DNS provider requires the following configuration variables to be set: | ||
- `AWS_ACCESS_KEY_ID` | ||
- `AWS_SECRET_ACCESS_KEY` | ||
- `AWS_REGION` | ||
|
||
The configuration for the DNS provider would look like this: | ||
The configuration would look like this: | ||
|
||
```yaml | ||
acme: | ||
|
@@ -372,6 +374,28 @@ acme: | |
AWS_REGION: us-east-1 | ||
``` | ||
|
||
#### Example: Google Cloud DNS | ||
|
||
Using `gcloud` as DNS provider requires the following configuration variables to be set: | ||
- `GCE_PROJECT` | ||
- `GCE_SERVICE_ACCOUNT_FILE` | ||
|
||
The configuration would look like this: | ||
|
||
```yaml | ||
secretFiles: | ||
gcloud-credentials.json: '{"type":"service_account","project_id":"<projectName>","private_key_id":"<hash>",...}' | ||
acme: | ||
enabled: true | ||
dnsProvider: | ||
name: gcloud | ||
gcloud: | ||
GCE_PROJECT: <projectName> | ||
GCE_SERVICE_ACCOUNT_FILE: /secrets/gcloud-credentials.json | ||
``` | ||
|
||
### Proxy Protocol | ||
|
||
In situations where Traefik lives behind an Internet-facing loadbalancer (like an AWS ELB) and you still want it to see the actual source IP of the visitor instead of the internal IP of the loadbalancer, you can enable the loadbalancer to use the Proxy protocol to talk to Traefik. This effectively makes the loadbalancer transparent, as Traefik will still get the actual visitor IP address for each request. This only works if Traefik knows it's receiving traffic via the Proxy Protocol and the loadbalancer IP addresses need to be whitelisted as well. | ||
|
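Review bot: the example inlines the whole service-account JSON, private key included, into values.yaml, and `secretFiles` only base64-encodes it into a Secret, so anyone who can read the values file or the stored Helm release values can recover the key. Suggest the README show the credential being supplied from a file kept out of version control (for instance a separate values file passed with `-f` at install time) instead of pasted into the main values.yaml, and say explicitly that `GCE_PROJECT` must equal the `project_id` inside the JSON, since the two `<projectName>` placeholders are otherwise easy to fill in differently.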
@@ -0,0 +1,16 @@ | ||
{{- if .Values.configFiles }} | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ template "traefik.fullname" . }}-configs | ||
labels: | ||
app: {{ template "traefik.name" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
data: | ||
{{- range $filename, $fileContents := .Values.configFiles }} | ||
{{ $filename }}: |- | ||
{{ $fileContents | indent 4 }} | ||
{{- end }} | ||
{{- end }} |
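Review bot: `{{ $filename }}: |-` emits the map key unquoted, so a key containing a colon or beginning with a YAML-significant character (`*`, `&`, `!`, `#`) renders an invalid manifest; use `{{ $filename | quote }}: |-` here. A second, smaller point: `|-` strips the file's trailing newline, which matters for formats that require one, whereas `|` keeps a single trailing line break, and `indent 4` already produces the correct block-scalar indentation either way.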
@@ -0,0 +1,16 @@ | ||
{{- if .Values.secretFiles }} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "traefik.fullname" . }}-secrets | ||
labels: | ||
app: {{ template "traefik.name" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
type: Opaque | ||
data: | ||
{{- range $filename, $fileContents := .Values.secretFiles }} | ||
{{ $filename }}: {{ $fileContents | b64enc | quote }} | ||
{{- end }} | ||
{{- end }} |
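Review bot: the Secret itself renders correctly (`b64enc | quote` under `data:` with `type: Opaque`), but nothing in this hunk ties it to the pod template. If the Deployment mounts `{{ template "traefik.fullname" . }}-secrets` (the README example expects `/secrets/gcloud-credentials.json`), changing `secretFiles` updates the Secret without restarting Traefik, so a rotated service-account key is not necessarily picked up until the next rollout; a `checksum/secret` pod annotation computed from this template with `sha256sum` is the usual fix. The key is also emitted unquoted, same as in the ConfigMap template, so `{{ $filename | quote }}:` would be safer.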