search

traefik / traefik-helm-chart

Traefik Proxy Helm Chart
https://traefik.io
Apache License 2.0
1.01k stars 744 forks source link

Default Values on Traefik Proxy dashboard #1078

Open mloiseleur opened 1 month ago

mloiseleur commented 1 month ago

Current Situation

By default in this Chart, Traefik Proxy local dashboard is deployed with those settings:

## Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: true
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the dashboard ingressRoute
    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}

It means that the API and the dashboard are enabled by default, on traefik entrypoint. By default, Traefik Proxy does not enable them. It's explained in upstream documentation why:

Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data.

It says also:

In production, it should be at least secured by authentication and authorizations.

It also means an Helm Chart user can miss that it's the default in the Chart, missed the fact that it's enabled and read what is required for production environment.

Proposal

Keeping the same setting and disable dashboard (and so API) by default.

So, the values would become:

## Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: false

It comes with the following benefits:

  1. Secure by default
  2. Helm Chart User keep the capacity to configure it easily with values
  3. When Helm Chart has to enable it, it means he can be aware of impact and so, secure it properly

It has also some impact:

  1. It's a breaking change,
  2. It may break some tutorials
x0ddf commented 2 weeks ago

On the contrary, if enabled, there should be an option to configure the authentication(at least basic).

mloiseleur commented 1 week ago

@x0ddf There is a complete example on basic auth. Is this what you have in mind ?

x0ddf commented 1 week ago

@mloiseleur almost, but the whole logic can be simplified for the basic auth case(middleware + secret could be created automatically):

ingressRoute:
  dashboard:
    basicAuth:
      # according to the documentation https://doc.traefik.io/traefik/middlewares/http/basicauth/#usersfile
      usersFile: ""
      # from this array we could generate usersFile entry https://helm.sh/docs/chart_template_guide/function_list/#htpasswd
      users:
        - name: someuser
          pass: somepass
oscrx commented 1 week ago

Many people deploy Traefik using GitOps principles. It is not desirable to have secrets stored in a repository. An additional requirement would be to reference an existing secret here. It might even be feasible to include an OAuth2 proxy example instead of basic auth.

x0ddf commented 1 week ago

@oscrx, I agree with existingSecret but strongly disagree with OAuth2, it's an enterprise feature. Putting ForwardAuthentication is useless because it could be added via ingressRoute.dashboard.middlewares.