Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document the TLS with ACME case #4654

Merged
merged 1 commit into from Mar 26, 2019
Merged

Document the TLS with ACME case #4654

merged 1 commit into from Mar 26, 2019

Conversation

mpl
Copy link
Collaborator

@mpl mpl commented Mar 22, 2019

What does this PR do?

When we did the kubernetes crd implementation, we forgot to test the
case for when one wants TLS, but handled with Let's Encrypt, i.e.
without having to provide a Kubernetes Secret. We assumed it would be
enough to provide (in YAML) a tls object with no field set, which would
get us a non-nil IngressRouteSpec.TLS, allowing us to use
IngressRouteSpec.TLS as the sentinel for whether TLS should be enabled.

However, as IngressRouteSpec.TLS is a pointer, a tls object with no
fields set will actually result in IngressRouteSpec.TLS being nil. This
means at least one of the fields of the YAML tls object must exist.
Therefore, we now use the secretName field value (for now, as it is
the only field anyway) as the sentinel for whether Let's Encrypt should
be used.

This PR documents the above behaviour, and adds a unit test for it.

In addition, this PR fixes a related bug in the ACME provider: when a
router is not configured with TLS enabled, the ACME provider does not
try anymore to generate a (useless) certificate for the corresponding
domain.

Motivation

As described above, documenting this common case was needed.

More

  • Added/updated tests
  • Added/updated documentation

Additional Notes

Co-authored-by: Julien Salleyron julien.salleyron@gmail.com

@traefiker traefiker added this to the 2.0 milestone Mar 22, 2019
@dtomcej
Copy link
Contributor

dtomcej commented Mar 22, 2019

Oof this feels bad, perhaps a new boolean instead? Idk. This will work short term, but I think we should come up with a better way to do this before GA 😅

@ldez ldez changed the title kubernetes: document the TLS with ACME case Ddocument the TLS with ACME case Mar 22, 2019
@ldez ldez changed the title Ddocument the TLS with ACME case Document the TLS with ACME case Mar 22, 2019
@mpl
Copy link
Collaborator Author

mpl commented Mar 22, 2019

Oof this feels bad, perhaps a new boolean instead? Idk. This will work short term, but I think we should come up with a better way to do this before GA 😅

yeah, it's far from ideal.

dtomcej
dtomcej approved these changes Mar 22, 2019
View reviewed changes
Copy link
Contributor

@dtomcej dtomcej left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
:shipit:

@mpl mpl mentioned this pull request Mar 22, 2019
Merged
1 task
juliens
juliens approved these changes Mar 22, 2019
View reviewed changes
Copy link
Member

@juliens juliens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jbdoumenjou
jbdoumenjou approved these changes Mar 26, 2019
View reviewed changes
Copy link
Member

@jbdoumenjou jbdoumenjou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mpl @traefiker
kubernetes: document the TLS with ACME case
b036a94 
When we did the kubernetes crd implementation, we forgot to test the
case for when one wants TLS, but handled with Let's Encrypt, i.e.
without having to provide a Kubernetes Secret. We assumed it would be
enough to provide (in YAML) a tls object with no field set, which would
get us a non-nil IngressRouteSpec.TLS, allowing us to use
IngressRouteSpec.TLS as the sentinel for whether TLS should be enabled.

However, as IngressRouteSpec.TLS is a pointer, a tls object with no
fields set will actually result in IngressRouteSpec.TLS being nil. This
means at least one of the fields of the YAML tls object must exist.
Therefore, we now use the secretName field value (for now, as it is
the only field anyway) as the sentinel for whether Let's Encrypt should
be used.

This PR documents the above behavior, and adds a unit test for it.

In addition, this PR fixes a related bug in the ACME provider: when a
router is not configured with TLS enabled, the ACME provider does not
try anymore to generate a (useless) certificate for the corresponding
domain.
@traefiker traefiker merged commit 3e76c25 into traefik:v2.0 Mar 26, 2019
@mpl mpl deleted the skipnotls branch March 26, 2019 16:48
@raelga
Copy link

raelga commented Mar 27, 2019

Maybe is just a visualisation issue, but the raw dashboard api seems to expect entryPoints in snakeCase in the IngressRoute manifest, otherwise the api shows "null"as endpoint:

❯ curl -sSL http://traefik-v2:8080/api/rawdata | jq .

{
  "ACME": {
    "HTTP": {},
    "TCP": {},
    "TLSOptions": null,
    "TLSStores": null
  },
  "kubernetescrd": {
    "HTTP": {
      "routers": {
        "default/cats-fe7c78d104ccea9b6f28": {
          "entryPoints": [
            "web"
          ],
          "middlewares": [
            "default/rmpath"
          ],
          "service": "default/cats-fe7c78d104ccea9b6f28",
          "rule": "Path(`/cache`)"
        },
...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliens juliens juliens approved these changes

@jbdoumenjou jbdoumenjou jbdoumenjou approved these changes

@dtomcej dtomcej dtomcej approved these changes

Assignees
No one assigned
Labels
area/acme area/provider/k8s/crd area/provider/k8s kind/enhancement a new or improved feature. size/S
Projects
None yet
Milestone
2.0
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@mpl @dtomcej @raelga @juliens @jbdoumenjou @ldez @traefiker