feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry

traefik · Jul 26, 2023 · 80b5c06 · 80b5c06
1 parent c42ec12
commit 80b5c06
Show file tree

Hide file tree

Showing 13 changed files with 298 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -8,6 +8,10 @@ microservices with ease.
 This chart bootstraps Traefik version 2 as a Kubernetes ingress controller,
 using Custom Resources `IngressRoute`: <https://docs.traefik.io/providers/kubernetes-crd/>.
 
+It's now possible to use this chart with Traefik v3 (current tested with beta3).
+Helm will auto detect which version is used based on image.tag. Set image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3".
+See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs.
+
 ### Philosophy
 
 The Traefik HelmChart is focused on Traefik deployment configuration.
@@ -71,6 +75,8 @@ New major version indicates that there is an incompatible breaking change.
 
 ### Upgrading CRDs
 
+🛂 **Warning**: Traefik v3 totally removes the crd support for traefik.containo.us CRDs. By default this helm installs the CRDs compatible with v2 also, but Traefik v3 will no longer monitor them. There is no support for deprecation errors, so your existing resources may silently fail to work after upgrade to Traefik v3. See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) for more details.
+
 With Helm v3, CRDs created by this chart can not be updated, cf the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). Please read carefully release notes of this chart before upgrading CRDs.
 
 ```bash

diff --git a/traefik/VALUES.md b/traefik/VALUES.md
@@ -56,7 +56,6 @@ Kubernetes: `>=1.16.0-0`
 | experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
 | experimental.kubernetesGateway.gateway.enabled | bool | `true` | Enable traefik regular kubernetes gateway |
 | experimental.plugins.enabled | bool | `false` | Enable traefik experimental plugins |
-| experimental.v3.enabled | bool | `false` | Enable traefik version 3 |
 | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template)  In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
 | globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods |
 | hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. |

diff --git a/traefik/crds/kustomization.yaml b/traefik/crds/kustomization.yaml
@@ -17,6 +17,7 @@ resources:
   - traefik.io_middlewares.yaml
   - traefik.io_middlewaretcps.yaml
   - traefik.io_serverstransports.yaml
+  - traefik.io_serverstransporttcps.yaml
   - traefik.io_tlsoptions.yaml
   - traefik.io_tlsstores.yaml
   - traefik.io_traefikservices.yaml
diff --git a/traefik/crds/traefik.io_serverstransporttcps.yaml b/traefik/crds/traefik.io_serverstransporttcps.yaml
@@ -0,0 +1,120 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.2
+  creationTimestamp: null
+  name: serverstransporttcps.traefik.io
+spec:
+  group: traefik.io
+  names:
+    kind: ServersTransportTCP
+    listKind: ServersTransportTCPList
+    plural: serverstransporttcps
+    singular: serverstransporttcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+          If no tcpServersTransport is specified, a default one named default@internal
+          will be used. The default@internal tcpServersTransport can be configured
+          in the static configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3'
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
+            properties:
+              dialKeepAlive:
+                anyOf:
+                - type: integer
+                - type: string
+                description: DialKeepAlive is the interval between keep-alive probes
+                  for an active network connection. If zero, keep-alive probes are
+                  sent with a default value (currently 15 seconds), if supported by
+                  the protocol and operating system. Network protocols or operating
+                  systems that do not support keep-alives ignore this field. If negative,
+                  keep-alive probes are disabled.
+                x-kubernetes-int-or-string: true
+              dialTimeout:
+                anyOf:
+                - type: integer
+                - type: string
+                description: DialTimeout is the amount of time to wait until a connection
+                  to a backend server can be established.
+                x-kubernetes-int-or-string: true
+              terminationDelay:
+                anyOf:
+                - type: integer
+                - type: string
+                description: TerminationDelay defines the delay to wait before fully
+                  terminating the connection, after one connected peer has closed
+                  its writing capability.
+                x-kubernetes-int-or-string: true
+              tls:
+                description: TLS defines the TLS configuration
+                properties:
+                  certificatesSecrets:
+                    description: CertificatesSecrets defines a list of secret storing
+                      client certificates for mTLS.
+                    items:
+                      type: string
+                    type: array
+                  insecureSkipVerify:
+                    description: InsecureSkipVerify disables TLS certificate verification.
+                    type: boolean
+                  peerCertURI:
+                    description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+                      to keep per-host. PeerCertURI defines the peer cert URI used
+                      to match against SAN URI during the peer certificate verification.
+                    type: string
+                  rootCAsSecrets:
+                    description: RootCAsSecrets defines a list of CA secret used to
+                      validate self-signed certificates.
+                    items:
+                      type: string
+                    type: array
+                  serverName:
+                    description: ServerName defines the server name used to contact
+                      the server.
+                    type: string
+                  spiffe:
+                    description: Spiffe defines the SPIFFE configuration.
+                    properties:
+                      ids:
+                        description: IDs defines the allowed SPIFFE IDs (takes precedence
+                          over the SPIFFE TrustDomain).
+                        items:
+                          type: string
+                        type: array
+                      trustDomain:
+                        description: TrustDomain defines the allowed SPIFFE trust
+                          domain.
+                        type: string
+                    type: object
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
@@ -143,8 +143,8 @@
           {{- if $config }}
           - "--entrypoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}"
           {{- with $config.asDefault }}
-          {{- if eq ($.Values.experimental.v3.enabled | toString) "false" }}
-            {{- fail "ERROR: Default entrypoints are only available on Traefik v3. Please set `experimental.v3.enabled` to true and update `image.tag` to `v3.0`." }}
+          {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
+            {{- fail "ERROR: Default entrypoints are only available on Traefik v3. Please set `image.tag` to `v3.x`." }}
           {{- end }}
           - "--entrypoints.{{$name}}.asDefault={{ . }}"
           {{- end }}
@@ -299,8 +299,8 @@
           {{- end }}
 
           {{- with .Values.metrics.openTelemetry }}
-           {{- if eq ($.Values.experimental.v3.enabled | toString) "false" }}
-             {{- fail "ERROR: OpenTelemetry features are only available on Traefik v3. Please set `experimental.v3.enabled` to true and update `image.tag` to `v3.0`." }}
+           {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
+             {{- fail "ERROR: OpenTelemetry features are only available on Traefik v3. Please set `image.tag` to `v3.x`." }}
            {{- end }}
           - "--metrics.openTelemetry=true"
           - "--metrics.openTelemetry.address={{ .address }}"
@@ -356,6 +356,41 @@
           {{- end }}
 
           {{- if .Values.tracing }}
+
+          {{- if .Values.tracing.openTelemetry }}
+           {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
+             {{- fail "ERROR: OpenTelemetry features are only available on Traefik v3. Please update `image.tag` to `v3.0`." }}
+           {{- end }}
+          - "--tracing.openTelemetry=true"
+          {{- if .Values.tracing.openTelemetry.address }}
+          - "--tracing.openTelemetry.address={{ .Values.tracing.openTelemetry.address }}"
+          {{- end }}
+          {{- range $key, $value := .Values.tracing.openTelemetry.headers }}
+          - "--tracing.openTelemetry.headers.{{ $key }}={{ $value }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.insecure }}
+          - "--tracing.openTelemetry.insecure={{ .Values.tracing.openTelemetry.insecure }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.path }}
+          - "--tracing.openTelemetry.path={{ .Values.tracing.openTelemetry.path }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.tls.ca }}
+          - "--tracing.openTelemetry.tls.ca={{ .Values.tracing.openTelemetry.tls.ca }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.tls.cert }}
+          - "--tracing.openTelemetry.tls.cert={{ .Values.tracing.openTelemetry.tls.cert }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.tls.key }}
+          - "--tracing.openTelemetry.tls.key={{ .Values.tracing.openTelemetry.tls.key }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.tls.insecureSkipVerify }}
+          - "--tracing.openTelemetry.tls.insecureSkipVerify={{ .Values.tracing.openTelemetry.tls.insecureSkipVerify }}"
+          {{- end }}
+          {{- if .Values.tracing.openTelemetry.grpc }}
+          - "--tracing.openTelemetry.grpc=true"
+          {{- end }}
+          {{- end }}
+
           {{- if .Values.tracing.instana }}
           - "--tracing.instana=true"
           {{- if .Values.tracing.instana.localAgentHost }}

diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -45,7 +45,9 @@ rules:
 {{- if .Values.providers.kubernetesCRD.enabled }}
   - apiGroups:
       - traefik.io
+      {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
       - traefik.containo.us
+      {{- end }}
     resources:
       - ingressroutes
       - ingressroutetcps
@@ -56,6 +58,9 @@ rules:
       - tlsstores
       - traefikservices
       - serverstransports
+      {{- if semverCompare ">=3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag)  }}
+      - serverstransporttcps
+      {{- end }}
     verbs:
       - get
       - list

diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -38,7 +38,9 @@ rules:
 {{- if .Values.providers.kubernetesCRD.enabled }}
   - apiGroups:
       - traefik.io
+      {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag)  }}
       - traefik.containo.us
+      {{- end }}
     resources:
       - ingressroutes
       - ingressroutetcps
@@ -49,6 +51,9 @@ rules:
       - tlsstores
       - traefikservices
       - serverstransports
+      {{- if semverCompare ">=3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
+      - serverstransporttcps
+      {{- end }}
     verbs:
       - get
       - list

diff --git a/traefik/tests/metrics-config_test.yaml b/traefik/tests/metrics-config_test.yaml
@@ -388,9 +388,8 @@ tests:
           content: "--metrics.statsd.addRoutersLabels=true"
   - it: should be possible to set specific parameters on openTelemetry
     set:
-      experimental:
-        v3:
-          enabled: true
+      image:
+        tag: v3.0.0-beta3
       metrics:
         openTelemetry:
           address: "localhost:4318"
@@ -441,9 +440,8 @@ tests:
           content: "--metrics.openTelemetry.headers.test=test"
   - it: should be possible to disable labels on openTelemetry
     set:
-      experimental:
-        v3:
-          enabled: true
+      image:
+        tag: v3.0.0-beta3
       metrics:
         openTelemetry:
           address: "localhost:4318"
@@ -462,13 +460,12 @@ tests:
           content: "--metrics.openTelemetry.addServicesLabels=false"
   - it: should throw and error when open telemetry is enabled without traefik v3
     set:
-      experimental:
-        v3:
-          enabled: false
+      image:
+        tag: v2.10.0
       metrics:
         openTelemetry:
           address: "localhost:4318"
           addEntryPointsLabels: true
     asserts:
       - failedTemplate:
-          errorMessage: "OpenTelemetry features are only available on Traefik v3. Please set `experimental.v3.enabled` to true and update `image.tag` to `v3.0`."
+          errorMessage: "OpenTelemetry features are only available on Traefik v3. Please set `image.tag` to `v3.x`."
diff --git a/traefik/tests/pod-config_test.yaml b/traefik/tests/pod-config_test.yaml
@@ -401,7 +401,7 @@ tests:
   - it: should use default entrypoint port without experimental flag when http3 enabled on v3
     set:
       image:
-        tag: v3.0.0-beta2
+        tag: v3.0.0-beta3
       ports:
         websecure:
           http3:

diff --git a/traefik/tests/ports-config_test.yaml b/traefik/tests/ports-config_test.yaml
@@ -151,9 +151,8 @@ tests:
   - it: should set entrypoint to default when configured
     template: deployment.yaml
     set:
-      experimental:
-        v3:
-          enabled: true
+      image:
+        tag: v3.0.0-beta3
       ports:
         web:
           asDefault: true
@@ -173,17 +172,16 @@ tests:
   - it: should throw and error when default entrypoint is enabled without traefik v3
     template: deployment.yaml
     set:
-      experimental:
-        v3:
-          enabled: false
+      image:
+        tag: v2.10.0
       ports:
         web:
           asDefault: true
         websecure:
           asDefault: false
     asserts:
       - failedTemplate:
-          errorMessage: "Default entrypoints are only available on Traefik v3. Please set `experimental.v3.enabled` to true and update `image.tag` to `v3.0`."
+          errorMessage: "Default entrypoints are only available on Traefik v3. Please set `image.tag` to `v3.x`."
 
   - it: should be possible to use a different containerPort
     set: