Integrating traefik

2024-11-28 11:09:51 +01:00
parent 086161d0ad
commit e86898eb44
69 changed files with 32483 additions and 0 deletions
--- a/opencloud/charts/traefik/templates/rbac/clusterrole.yaml
+++ b/opencloud/charts/traefik/templates/rbac/clusterrole.yaml
@@ -0,0 +1,271 @@
+{{- $version := include "imageVersion" $ }}
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- range .Values.rbac.aggregateTo }}
+    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
+    {{- end }}
+rules:
+  {{- if semverCompare ">=v3.1.0-0" $version }}
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+    {{- if $.Values.hub.token }}
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+    {{- end }}
+  {{- else }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  {{- end }}
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    {{- with .Values.rbac.secretResourceNames }}
+    resourceNames: {{ toYaml . | nindent 6 }}
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+    {{- if and .Values.hub.token }}
+      - update
+      - create
+      - delete
+      - deletecollection
+    {{- end }}
+  {{- if .Values.podSecurityPolicy.enabled }}
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ template "traefik.fullname" . }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+  {{- end -}}
+  {{- if .Values.providers.kubernetesIngress.enabled }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  {{- end -}}
+  {{- if .Values.providers.kubernetesCRD.enabled }}
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - serverstransports
+      - serverstransporttcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end -}}
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    {{- if (semverCompare "<v3.1.0-0" $version) }}
+      - endpoints
+    {{- end }}
+      - secrets
+      - services
+    {{- if semverCompare ">=v3.2.0-0" $version }}
+      - configmaps
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+    {{- if (semverCompare ">=v3.1.0-0" $version) }}
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+    {{- end }}
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      {{- end }}
+      - gatewayclasses
+      - gateways
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes
+      {{- end }}
+      - httproutes
+      - referencegrants
+      - tcproutes
+      - tlsroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies/status
+      {{- end }}
+      - gatewayclasses/status
+      - gateways/status
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes/status
+      {{- end }}
+      - httproutes/status
+      - tcproutes/status
+      - tlsroutes/status
+    verbs:
+      - update
+  {{- end }}
+  {{- if .Values.hub.token }}
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  {{- end }}
+  {{- if .Values.hub.token }}
+    {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - list
+      - watch
+    {{- end }}
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    {{- if .Values.hub.apimanagement.enabled }}
+      - pods
+    {{- end }}
+    verbs:
+      - get
+      - list
+    {{- if .Values.hub.apimanagement.enabled }}
+      - watch
+    {{- end }}
+    {{- if .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - hub.traefik.io
+    resources:
+      - accesscontrolpolicies
+      - apiaccesses
+      - apiportals
+      - apiratelimits
+      - apis
+      - apiversions
+      - apibundles
+      - apiplans
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+      - list
+      - watch
+      {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+      {{- end -}}
+    {{- end -}}
+  {{- end }}
+{{- end }}
--- a/opencloud/charts/traefik/templates/rbac/clusterrolebinding.yaml
+++ b/opencloud/charts/traefik/templates/rbac/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "traefik.clusterRoleName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "traefik.serviceAccountName" . }}
+    namespace: {{ template "traefik.namespace" . }}
+{{- end -}}
--- a/opencloud/charts/traefik/templates/rbac/podsecuritypolicy.yaml
+++ b/opencloud/charts/traefik/templates/rbac/podsecuritypolicy.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+{{- if semverCompare ">=1.25.0-0" .Capabilities.KubeVersion.Version }}
+  {{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }}
+{{- end }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  name: {{ template "traefik.fullname" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+{{- if not .Values.securityContext.runAsNonRoot }}
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+{{- end }}
+  hostNetwork: {{ .Values.hostNetwork }}
+  hostIPC: false
+  hostPID: false
+  fsGroup:
+{{- if .Values.securityContext.runAsNonRoot }}
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+{{- if .Values.hostNetwork }}
+  hostPorts:
+  - max: 65535
+    min: 1
+{{- end }}
+  readOnlyRootFilesystem: true
+  runAsUser:
+{{- if .Values.securityContext.runAsNonRoot }}
+    rule: MustRunAsNonRoot
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+{{- if .Values.securityContext.runAsNonRoot }}
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+{{- else }}
+    rule: RunAsAny
+{{- end }}
+  volumes:
+  - configMap
+  - downwardAPI
+  - secret
+  - emptyDir
+  - projected
+{{- if .Values.persistence.enabled }}
+  - persistentVolumeClaim
+{{- end -}}
+{{- end -}}
--- a/opencloud/charts/traefik/templates/rbac/role.yaml
+++ b/opencloud/charts/traefik/templates/rbac/role.yaml
@@ -0,0 +1,143 @@
+{{- $version := include "imageVersion" $ }}
+{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
+{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
+{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}
+
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
+{{- range $allNamespaces }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" $ }}
+  namespace: {{ . }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+rules:
+  {{- if (semverCompare "<v3.1.0-0" $version) }}
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  {{- else }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  {{- end }}
+  # Required while https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    {{- if gt (len $.Values.rbac.secretResourceNames) 0 }}
+    resourceNames: {{ $.Values.rbac.secretResourceNames }}
+    {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+{{- end -}}
+{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+      - serverstransports
+      - serverstransporttcps
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}
+{{- if $.Values.podSecurityPolicy.enabled }}
+  - apiGroups:
+      - extensions
+    resourceNames:
+      - {{ template "traefik.fullname" $ }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+{{- end -}}
+{{- if $.Values.hub.token }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - namespaces
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+{{- end }}
+{{- end -}}
+{{- end -}}
--- a/opencloud/charts/traefik/templates/rbac/rolebinding.yaml
+++ b/opencloud/charts/traefik/templates/rbac/rolebinding.yaml
@@ -0,0 +1,25 @@
+{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
+{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
+{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}}
+{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces)) -}}
+
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+{{- range $allNamespaces }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" $ }}
+  namespace: {{ . }}
+  labels:
+    {{- include "traefik.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "traefik.fullname" $ }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "traefik.serviceAccountName" $ }}
+    namespace: {{ template "traefik.namespace" $ }}
+{{- end -}}
+{{- end -}}
--- a/opencloud/charts/traefik/templates/rbac/serviceaccount.yaml
+++ b/opencloud/charts/traefik/templates/rbac/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if not .Values.serviceAccount.name -}}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "traefik.serviceAccountName" . }}
+  namespace: {{ template "traefik.namespace" . }}
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.serviceAccountAnnotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: false
+{{- end -}}