Add chart for Traefik-based ingress controller

stable/traefik/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

stable/traefik/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+name: traefik
+version: 1.1.0-rc3-a
+description: A Traefik based Kubernetes ingress controller with Let's Encrypt support
+keywords:
+- traefik
+- ingress
+- acme
+- letsencrypt
+home: http://traefik.io/
+sources:
+- https://github.com/containous/traefik
+- https://github.com/krancour/charts/tree/master/traefik
+maintainers:
+- name: Deis
+  email: [email protected]
+engine: gotpl
+icon: http://traefik.io/traefik.logo.png

stable/traefik/README.md

@@ -0,0 +1,105 @@
+# Traefik
+
+[Traefik](http://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy
+microservices with ease.
+
+__DISCLAIMER:__ While this chart has been well-tested, testers have encountered occasional issues
+with the Traefik software itself. Be advised that your mileage may vary.
+
+## Introduction
+
+This chart bootstraps Traefik as a Kubernetes ingress controller with optional support for SSL and
+Let's Encrypt.
+
+__NOTE:__ Operators will typically wish to install this component into the `kube-system` namespace
+where that namespace's default service account will ensure adequate privileges to watch `Ingress`
+resources _cluster-wide_.
+
+## Prerequisites
+
+- Kubernetes 1.4+ with Beta APIs enabled
+- You are deploying the chart to a cluster with a cloud provider capable of provisioning an
+external load balancer (e.g. AWS or GKE)
+- You control DNS for the domain(s) you intend to route through Traefik
+- __Suggested:__ PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ helm install stable/traefik --name my-release --namespace kube-system
+```
+
+After installing the chart, create DNS records for applicable domains to direct inbound traffic to
+the load balancer. You can use the commands below to find the load balancer's IP/hostname:
+
+__NOTE:__ It may take a few minutes for this to become available.
+
+You can watch the status by running:
+
+```bash
+$ kubectl get svc my-release-traefik --namespace kube-system -w
+```
+
+Once `EXTERNAL-IP` is no longer `<pending>`:
+
+```bash
+$ kubectl describe service my-release-traefik -n kube-system | grep Ingress | awk '{print $3}'
+```
+
+__NOTE:__ If ACME support is enabled, it is only _after_ this step is complete that Traefik will be
+able to successfully use the ACME protocol to obtain certificates from Let's Encrypt.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the
+release.
+
+## Configuration
+
+The following tables lists the configurable parameters of the Traefik chart and their default values.
+
+| Parameter                       | Description                                                          | Default                                   |
+| ------------------------------- | -------------------------------------------------------------------- | ----------------------------------------- |
+| `imageTag`                      | The version of the official Traefik image to use                     | `v1.1.0-rc3`                              |
+| `serviceType`                   | A valid Kubernetes service type                                      | `LoadBalancer`                            |
+| `cpuRequest`                    | Initial share of CPU requested per Traefik pod                       | `100m`                                    |
+| `memoryRequest`                 | Initial share of memory requested per Traefik pod                    | `20Mi`                                    |
+| `cpuLimit`                      | CPU limit per Traefik pod                                            | `200m`                                    |
+| `memoryLimit`                   | Memory limit per Traefik pod                                         | `30Mi`                                    |
+| `ssl.enabled`                   | Whether to enable HTTPS                                              | `false`                                   |
+| `ssl.enforced`                  | Whether to redirect HTTP requests to HTTPS                           | `false`                                   |
+| `ssl.defaultCert`               | Base64 encoded default certficate                                    | A self-signed certificate                 |
+| `ssl.defaultKey`                | Base64 encoded private key for the certificate above                 | The private key for the certificate above |
+| `acme.enabled`                  | Whether to use Let's Encrypt to obtain certificates                  | `false`                                   |
+| `acme.email`                    | Email address to be used in certificates obtained from Let's Encrypt | `[email protected]`                       |
+| `acme.staging`                  | Whether to get certs from Let's Encrypt's staging environment        | `true`                                    |
+| `acme.persistence.enabled`      | Create a volume to store ACME certs (if ACME is enabled)             | `true`                                    |
+| `acme.persistence.storageClass` | Type of `StorageClass` to request-- will be cluster-specific         | `generic`                                 |
+| `acme.persistence.accessMode`   | `ReadWriteOnce` or `ReadOnly`                                        | `ReadWriteOnce`                           |
+| `acme.persistence.size`         | Minimum size of the volume requested                                 | `1Gi`                                     |
+| `dashboard.enabled`             | Whether to enable the Traefik dashboard                              | `false`                                   |
+| `dashboard.domain`              | Domain for the Traefik dashboard                                     | `traefik.example.com`                     |
+| `gzip.enabled`                  | Whether to use gzip compression                                      | `true`                     |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
+
+```bash
+$ helm install --name my-release --namespace kube-system --set dashboard.enabled=true,dashboard.domain=traefik.example.com stable/traefik
+```
+
+The above command enables the Traefik dashboard on the domain `traefik.example.com`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while
+installing the chart. For example:
+
+```bash
+$ helm install --name my-release --namespace kube-system --values values.yaml stable/traefik
+```

stable/traefik/templates/NOTES.txt

@@ -0,0 +1,15 @@
+Getting Started:
+
+1. Get Traefik's load balancer IP/hostname:
+
+     NOTE: It may take a few minutes for this to become available.
+
+     You can watch the status by running:
+
+         $ kubectl get svc {{ template "fullname" . }} --namespace {{ .Release.Namespace }} -w
+
+     Once 'EXTERNAL-IP' is no longer '<pending>':
+
+         $ kubectl describe svc {{ template "fullname" . }} --namespace {{ .Release.Namespace }} | grep Ingress | awk '{print $3}'
+
+2. Configure DNS records corresponding to Kubernetes ingress resources to point to the load balancer IP/hostname found in step 1

stable/traefik/templates/_helpers.tpl

@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 24 -}}
+{{- end -}}

stable/traefik/templates/acme-pvc.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.acme.enabled .Values.acme.persistence.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "fullname" . }}-acme
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    volume.alpha.kubernetes.io/storage-class: {{ .Values.acme.persistence.storageClass | quote }}
+spec:
+  accessModes:
+    - {{ .Values.acme.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.acme.persistence.size | quote }}
+{{- end }}

stable/traefik/templates/configmap.yaml

@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  traefik.toml: |
+    # traefik.toml
+    logLevel = "INFO"
+    {{- if .Values.ssl.enabled }}
+    defaultEntryPoints = ["http","https"]
+    {{- else }}
+    defaultEntryPoints = ["http"]
+    {{- end }}
+    [entryPoints]
+      [entryPoints.http]
+      address = ":80"
+      compress = {{ .Values.gzip.enabled }}
+        {{- if and .Values.ssl.enabled .Values.ssl.enforced }}
+        [entryPoints.http.redirect]
+          entryPoint = "https"
+        {{- end }}
+      {{- if .Values.ssl.enabled }}
+      [entryPoints.https]
+      address = ":443"
+      compress = {{ .Values.gzip.enabled }}
+        [entryPoints.https.tls]
+          [[entryPoints.https.tls.certificates]]
+          CertFile = "/ssl/tls.crt"
+          KeyFile = "/ssl/tls.key"
+      {{- end }}
+    [kubernetes]
+    {{- if .Values.acme.enabled }}
+    [acme]
+    email = "{{ .Values.acme.email }}"
+    storage = "/acme/acme.json"
+    entryPoint = "https"
+    onHostRule = true
+    {{- if .Values.acme.staging }}
+    caServer = "https://acme-staging.api.letsencrypt.org/directory"
+    {{- end }}
+    {{- end }}
+    {{- if .Values.dashboard.enabled }}
+    [web]
+    address = ":8080"
+    {{- end }}

stable/traefik/templates/dashboard-ingress.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.dashboard.enabled }}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "fullname" . }}-dashboard
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  rules:
+  - host: {{ .Values.dashboard.domain }}
+    http:
+      paths:
+      - backend:
+          serviceName: {{ template "fullname" . }}-dashboard
+          servicePort: 80
+{{- end }}

stable/traefik/templates/dashboard-service.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.dashboard.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "fullname" . }}-dashboard
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  selector:
+    app: {{ template "fullname" . }}
+  ports:
+  - port: 80
+    targetPort: 8080
+{{- end }}

stable/traefik/templates/default-cert-secret.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.ssl.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "fullname" . }}-default-cert
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  tls.crt: {{ .Values.ssl.defaultCert }}
+  tls.key: {{ .Values.ssl.defaultKey }}
+{{- end }}

stable/traefik/templates/deployment.yaml

@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ template "fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "fullname" . }}
+        chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+        release: "{{ .Release.Name }}"
+        heritage: "{{ .Release.Service }}"
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik:{{ .Values.imageTag }}
+        name: {{ template "fullname" . }}
+        resources:
+          requests:
+            cpu: "{{.Values.cpuRequest}}"
+            memory: "{{.Values.memoryRequest}}"
+          limits:
+            cpu: "{{.Values.cpuLimit}}"
+            memory: "{{.Values.memoryLimit}}"
+        readinessProbe:
+          tcpSocket:
+            port: 80
+          failureThreshold: 1
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 2
+        livenessProbe:
+          tcpSocket:
+            port: 80
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 2
+        volumeMounts:
+        - mountPath: /config
+          name: config
+        {{- if .Values.ssl.enabled }}
+        - mountPath: /ssl
+          name: ssl
+        {{- end }}
+        {{- if .Values.acme.enabled }}
+        - mountPath: /acme
+          name: acme
+        {{- end }}
+        ports:
+        - containerPort: 80
+        - containerPort: 443
+        {{- if .Values.dashboard.enabled }}
+        - containerPort: 8080
+        {{- end }}
+        args:
+        - --configfile=/config/traefik.toml
+      volumes:
+      - name: config
+        configMap:
+          name: {{ template "fullname" . }}
+      {{- if .Values.ssl.enabled }}
+      - name: ssl
+        secret:
+          secretName: {{ template "fullname" . }}-default-cert
+      {{- end }}
+      {{- if .Values.acme.enabled }}
+      - name: acme
+      {{- if .Values.acme.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ template "fullname" . }}-acme
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      {{- end }}