Add chart for Traefik-based ingress controller #146
Conversation
|
Can a kubernetes member verify that this patch is reasonable to test? If so, please reply with "@k8s-bot ok to test" on its own line. Regular contributors should join the org to skip this step. |
|
Thanks @krancour! |
| ## Introduction | ||
|
|
||
| This chart bootstraps Traefik as a Kubernetes ingress controller with optional support for SSL and | ||
| Let's Encrypt. By default, Traefik will be installed into the `kube-system` namespace. |
There was a problem hiding this comment.
Is this a requirement? I think we generally prefer that Helm manages the namespace Charts get installed into with the --namespace flag.
There was a problem hiding this comment.
It's not a hard and fast requirement, however, since ingress controllers are frequently used to watch Ingress objects cluster-wide (i.e. in all namespaces), they often require the elevated permissions of the kube-system namespace's default service account.
When writing this chart, I assumed that for the less-frequent (or so I imagine) use case where someone does want to install this into some other namespace that --namespace would override the hard-coded default of kube-system. I've put that to the test now, however, and found it doesn't work that way!
cc @technosophos @michelleN isn't --namespace supposed to override whatever default is hard-coded in the chart's manifests? Or was it just wishful thinking on my part that it works that way?
At any rate, it does seem that what is best for now is that I omit this hard-coded default and instead document that this component would most often be installed into kube-system.
There was a problem hiding this comment.
@prydonius I've amended the PR as discussed above.
| @@ -0,0 +1,21 @@ | |||
| MIT License | |||
|
|
|||
| Copyright (c) 2016 Deis | |||
There was a problem hiding this comment.
Do we need this? This project is Apache 2 licensed and now we have MIT?
There was a problem hiding this comment.
Well, that's a tricky question. It seems individual charts are subject to their own license, no? What I opted to do here was use the same license that Traefik itself uses. If that's the wrong move, lmk.
There was a problem hiding this comment.
I think this code/repo can have a separate license from the source of traefik itself.
There was a problem hiding this comment.
Ok. I'll change it.
There was a problem hiding this comment.
I'm actually just going to remove the license from this chart altogether. It seems license is optional for charts and no other chart in this repo includes one. I'm going to follow that precedent.
| labels: | ||
| k8s-app: traefik-ingress-controller | ||
| version: {{ .Chart.Version }} | ||
| spec: |
There was a problem hiding this comment.
ready and lively probes please, as well as resource limits ;)
| {{- if .Values.acme.enabled }} | ||
| - name: acme | ||
| {{- if .Values.acme.persistence.enabled }} | ||
| persistentVolumeClaim: |
There was a problem hiding this comment.
It there value to have storage classes?
There was a problem hiding this comment.
I'm not sure what you're asking here. Can you clarify please?
This currently follows the exact pattern used by the stable MySQL chart for persistent storage.
There was a problem hiding this comment.
The storage class is defined in the PVC not the deployment. Nothing to see here.
| ssl: | ||
| enabled: false | ||
| enforced: false | ||
| defaultCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lKQUpBR1FsTW1DMGt5TUEwR0NTcUdTSWIzRFFFQkJRVUFNSUdQTVFzd0NRWUQKVlFRR0V3SlZVekVSTUE4R0ExVUVDQk1JUTI5c2IzSmhaRzh4RURBT0JnTlZCQWNUQjBKdmRXeGtaWEl4RkRBUwpCZ05WQkFvVEMwVjRZVzF3YkdWRGIzSndNUXN3Q1FZRFZRUUxFd0pKVkRFV01CUUdBMVVFQXhRTktpNWxlR0Z0CmNHeGxMbU52YlRFZ01CNEdDU3FHU0liM0RRRUpBUllSWVdSdGFXNUFaWGhoYlhCc1pTNWpiMjB3SGhjTk1UWXgKTURJME1qRXdPVFV5V2hjTk1UY3hNREkwTWpFd09UVXlXakNCanpFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVgpCQWdUQ0VOdmJHOXlZV1J2TVJBd0RnWURWUVFIRXdkQ2IzVnNaR1Z5TVJRd0VnWURWUVFLRXd0RmVHRnRjR3hsClEyOXljREVMTUFrR0ExVUVDeE1DU1ZReEZqQVVCZ05WQkFNVURTb3VaWGhoYlhCc1pTNWpiMjB4SURBZUJna3EKaGtpRzl3MEJDUUVXRVdGa2JXbHVRR1Y0WVcxd2JHVXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBdHVKOW13dzlCYXA2SDROdUhYTFB6d1NVZFppNGJyYTFkN1ZiRUJaWWZDSStZNjRDCjJ1dThwdTNhVTVzYXVNYkQ5N2pRYW95VzZHOThPUHJlV284b3lmbmRJY3RFcmxueGpxelUyVVRWN3FEVHk0bkEKNU9aZW9SZUxmZXFSeGxsSjE0VmlhNVFkZ3l3R0xoRTlqZy9jN2U0WUp6bmg5S1dZMnFjVnhEdUdEM2llaHNEbgphTnpWNFdGOWNJZm1zOHp3UHZPTk5MZnNBbXc3dUhUKzNiSzEzSUloeDI3ZmV2cXVWcENzNDFQNnBzdStWTG4yCjVIRHk0MXRoQkN3T0wrTithbGJ0ZktTcXM3TEFzM25RTjFsdHpITHZ5MGE1RGhkakpUd2tQclQrVXhwb0tCOUgKNFpZazErRUR0N09QbGh5bzM3NDFRaE4vSkNZK2RKbkFMQnNValFJREFRQUJvNEgzTUlIME1CMEdBMVVkRGdRVwpCQlJwZVc1dFhMdHh3TXJvQXM5d2RNbTUzVVVJTERDQnhBWURWUjBqQklHOE1JRzVnQlJwZVc1dFhMdHh3TXJvCkFzOXdkTW01M1VVSUxLR0JsYVNCa2pDQmp6RUxNQWtHQTFVRUJoTUNWVk14RVRBUEJnTlZCQWdUQ0VOdmJHOXkKWVdSdk1SQXdEZ1lEVlFRSEV3ZENiM1ZzWkdWeU1SUXdFZ1lEVlFRS0V3dEZlR0Z0Y0d4bFEyOXljREVMTUFrRwpBMVVFQ3hNQ1NWUXhGakFVQmdOVkJBTVVEU291WlhoaGJYQnNaUzVqYjIweElEQWVCZ2txaGtpRzl3MEJDUUVXCkVXRmtiV2x1UUdWNFlXMXdiR1V1WTI5dGdna0FrQVpDVXlZTFNUSXdEQVlEVlIwVEJBVXdBd0VCL3pBTkJna3EKaGtpRzl3MEJBUVVGQUFPQ0FRRUFjR1hNZms4TlpzQit0OUtCemwxRmw2eUlqRWtqSE8wUFZVbEVjU0QyQjRiNwpQeG5NT2pkbWdQcmF1SGI5dW5YRWFMN3p5QXFhRDZ0YlhXVTZSeENBbWdMYWpWSk5aSE93NDVOMGhyRGtXZ0I4CkV2WnRRNTZhbW13QzFxSWhBaUE2MzkwRDNDc2V4N2dMNm5KbzdrYnIxWVdVRzN6SXZveGR6OFlEclpOZVdLTEQKcFJ2V2VuMGxNYnBqSVJQNFhac25DNDVDOWdWWGRoM0xSZTErd3lRcTZoOVFQaWxveG1ENk5wRTlpbVRPbjJBNQovYkozVktJekFNdWRlVTZrcHlZbEpCemRHMXVhSFRqUU9Xb3NHaXdlQ0tWVVhGNlV0aXNWZGRyeFF0aDZFTnlXCnZJRnFhWng4NCtEbFNDYzkzeWZrL0dsQnQrU0tHNDZ6RUhNQjlocVBiQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K |
There was a problem hiding this comment.
Can this be a secret name instead? Then the docs could outline how to create that secret (keys/values) such that it can be used here?
There was a problem hiding this comment.
If I can make an argument for keeping it as it is...
The base64 encoded cert and key you put here becomes a secret. This means that you provide customizations to this either through --set on the command line or in your own values.yaml. i.e. You can customize these through the usual Helm workflow for customizing a chart.
Compare that to some other approach that requires a careful reading of the documentation and an "out of band" effort to create the secrets... I don't believe that compares favorably to what's in place now.
There was a problem hiding this comment.
Fair. I'm fine as is. If users want something different, I'm sure they will chime in down the road.
Could I ask you to add instructions on getting those values? Also what do the default certs point to?
There was a problem hiding this comment.
The readme has a table describing the configuration options. It's clear that the cert and key should be base64 encoded. I can add more specific instructions if you like. lmk
The cert that's included is a self-signed cert for *.example.com-- so it's basically garbage. The benefit, however, is that it's enough to get people going.
I will update the table to reflect the details of this cert.
|
Awesome stuff @krancour! |
|
@k8s-bot ok to test |
|
@krancour Can you integrate HostPort option or I'll make a PR after merge |
|
@ekozan, did you mean That seems a reasonable option (but not a default). It would certainly be a benefit to anyone who wants to run this anywhere where the "cloud provider" no-ops provisioning of an external load balancer-- e.g. minikube or bare metal. I'd be happy to add that. |
| ``` | ||
|
|
||
| After installing the chart, create a DNS CNAME record for applicable domains to direct inbound | ||
| traffic the load balancer. You can you the command below to find the load balancer's DNS name: |
There was a problem hiding this comment.
a couple minor typos here; perhaps the following were intended: ... direct inbound traffic to the load balancer and You can use the command ...
There was a problem hiding this comment.
Nice eye, @vdice. Will fix.
|
Tested manually and all things seem to check out. Thanks again @krancour! Let me know when you've patched the README fixes. Also if you'd like to get this into stable, adding a NOTES.txt pointing people in the right direction for how to configure and use traefik would do the trick. |
|
@viglesiasce great. I will try and amend with all suggested fixes as soon as time permits-- a few hours off, for sure. |
| Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: | ||
|
|
||
| ```bash | ||
| $ helm install --name my-release --namespace kube-system --set dashboard.enabled=true,dashboard.domain=traefik.example.com stable/traefik |
There was a problem hiding this comment.
Actually it's incubator/traefik not stable/traefik
There was a problem hiding this comment.
If he adds a NOTES.txt it can be merged into stable directly
|
Yeap it's an alternative for barebone cluster ;) We need |
|
Just thought I'd report my successful testing of this chart, and Traefik's ability to issue certs from Let's Encrypt. |
|
It'll be tomorrow before I get to this. |
No other chart in this repo includes a license, so I am following that precedent.
|
@viglesiasce I've addressed comments apart from one. You indicated I should add a I'm unclear on what that should contain or what its purpose would be.
|
|
@ultimateboy offline you asked me to support LE staging to avoid rate limits when testing / experimenting. I've added that now and made it the default as well (when ACME is enabled). Check it out and lmk what you think. |
| @@ -8,7 +8,7 @@ microservices with ease. | |||
| This chart bootstraps Traefik as a Kubernetes ingress controller with optional support for SSL and | |||
| Let's Encrypt. | |||
There was a problem hiding this comment.
Can you a disclaimer about the state of Traefik?
There was a problem hiding this comment.
Yep. Meant to, as we'd discussed. Forgot. Coming atcha.
| @@ -8,7 +8,7 @@ microservices with ease. | |||
| This chart bootstraps Traefik as a Kubernetes ingress controller with optional support for SSL and | |||
There was a problem hiding this comment.
Looks great! Thanks for the updates!
|
@lachie83 @viglesiasce @krancour
Agreed, if the project itself is not production-ready then the package should be in incubator. |
| @@ -3,6 +3,9 @@ | |||
| [Traefik](http://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy | |||
| microservices with ease. | |||
|
|
|||
| __DISCLAIMER:__ While this chart has been well-tested, testers have encountered occasional issues | |||
|
To clarify, I believe Traefik regards itself as production ready and people certainly do use Traefik in production. Any assertion about production readiness here is purely based on @lachie83's and my own hesitation to endorse this as such. |
|
So I'm going to move this to incubator. Standby. |
|
Moved |
Agreed 👍 |
|
I dont know about that folks. Where is this production ready requirement coming from for stable? Its not listed anywhere and the other requirements are quite explicit. I don't want us to cross this line. |
|
So if the chart's own author(s) would hesitate to use it in production (depending on the use case), this can still qualify as "stable?" |
|
Maybe some clarification on what, precisely, is meant by "stable" is in order. I will acknowledge I made a pretty big (and perhaps incorrect) assumption that stability was equated with production readiness. |
Understood and I agree that it's not our position to decide whether something is production ready. I don't want to cross that line. Stable does not mean Prod Ready How about we approach this from a difference angle - putting this in the incubator is a great way for it to gather some miles |
|
Stable charts meet these requirements. If we cross the line of requiring things to be production ready then we need to define production ready in a way that is obvious otherwise we are going to end up with a lot of bikeshedding. For most packages (rpm and deb) the defaults are sane but not production ready. |
@viglesiasce is there any validity to that notion? That things are "promoted" so stable after proving themselves in the incubator? |
|
The only thing we say in the README.md is that stable charts meet the criteria in the technical requirements. If we want to change that policy then we need to update the documentation via a PR where we can hash out the why and how. |
|
Ok. I'm going to strike the last commit (the move to incubator) from this PR. |
|
Thanks for the great discussion and clarification. Given that this chart meets the requirements. My vote is on putting this in stable. |
|
All set. Back in stable. |
|
@viglesiasce you're right, for some reason I thought some level of 'production-readiness' was a requirement. I would argue for promoting the stable repo as a source of 'production-ready' charts, but it's a separate discussion to define what we could mean by that and whether it makes sense to enforce it. |
|
LGTM |
1 similar comment
|
LGTM |
|
@krancour lgtm, all good to merge? |
|
Yes |
|
Thanks all! Excited to have this chart! |
- add openebs operator 2.1.0-RC1 - add cstor operator 2.1.0-RC1 and dependents - add zfs localPV 1.0.0-RC1 operator - add openebs operator 2.1.0-RC2 - add cstor operator 2.1.0-RC2 and dependents - add zfs localPV 1.0.0-RC2 operator - add openebs operator 2.1.0 - add cstor operator 2.1.0 and dependents - add zfs localPV 1.0.0 operator - add openebs lite operator - add openebs operator for suse caas platform Signed-off-by: Akhil Mohan <[email protected]>
Current Todo: