feat: allow exposure of ports on internal service only

traefik · Jan 15, 2024 · d9f4731 · d9f4731
1 parent e7ce1b4
commit d9f4731
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/traefik/templates/_service-internal.tpl b/traefik/templates/_service-internal.tpl
@@ -35,7 +35,7 @@
 
 {{- define "traefik.service-internal-ports" }}
   {{- range $name, $config := . }}
-  {{- if $config.expose }}
+  {{- if (or $config.expose $config.exposeInternal) }}
   - port: {{ default $config.port $config.exposedPort }}
     name: {{ $name | quote }}
     targetPort: {{ default $name $config.targetPort }}

diff --git a/traefik/tests/service-internal-config_test.yaml b/traefik/tests/service-internal-config_test.yaml
@@ -184,3 +184,22 @@ tests:
       - equal:
           path: metadata.namespace
           value: "traefik-ns-override"
+  - it: should expose ports that are exposed internally only
+    set:
+      service:
+        internal:
+          enabled: true
+      ports:
+        internal:
+          expose: false
+          exposeInternal: true
+          port: 3000
+          protocol: TCP
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: internal
+            port: 3000
+            protocol: TCP
+            targetPort: internal
diff --git a/traefik/values.yaml b/traefik/values.yaml
@@ -629,6 +629,10 @@ ports:
     exposedPort: 9000
     # -- The port protocol (TCP/UDP)
     protocol: TCP
+    # -- Defines whether the port is exposed on the internal service;
+    # note that ports exposed on the default service are exposed on the internal
+    # service by default as well.
+    exposeInternal: false
   web:
     ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
     # asDefault: true
@@ -644,6 +648,10 @@ ports:
     # -- Use nodeport if set. This is useful if you have configured Traefik in a
     # LoadBalancer.
     # nodePort: 32080
+    # -- Defines whether the port is exposed on the internal service;
+    # note that ports exposed on the default service are exposed on the internal
+    # service by default as well.
+    exposeInternal: false
     # Port Redirections
     # Added in 2.2, you can make permanent redirects via entrypoints.
     # https://docs.traefik.io/routing/entrypoints/#redirection
@@ -674,6 +682,10 @@ ports:
     ## -- The port protocol (TCP/UDP)
     protocol: TCP
     # nodePort: 32443
+    # -- Defines whether the port is exposed on the internal service;
+    # note that ports exposed on the default service are exposed on the internal
+    # service by default as well.
+    exposeInternal: false
     ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer.
     # appProtocol: https
     #
@@ -735,6 +747,10 @@ ports:
     exposedPort: 9100
     # -- The port protocol (TCP/UDP)
     protocol: TCP
+    # -- Defines whether the port is exposed on the internal service;
+    # note that ports exposed on the default service are exposed on the internal
+    # service by default as well.
+    exposeInternal: false
 
 # -- TLS Options are created as TLSOption CRDs
 # https://doc.traefik.io/traefik/https/tls/#tls-options
@@ -796,7 +812,7 @@ service:
   #   - IPv4
   #   - IPv6
   ##
-  ## -- An additionnal and optional internal Service.
+  ## -- An additional and optional internal Service.
   ## Same parameters as external Service
   # internal:
   #   type: ClusterIP