traefik / traefik-helm-chart

Traefik Proxy Helm Chart
https://traefik.io
Apache License 2.0

Traefik and templating of pod annotations errors with Hashicorp Vault #1181

Open brow86 opened 2 months ago

brow86 commented 2 months ago

Welcome!

What version of the Traefik's Helm Chart are you using?

31.0.0

What version of Traefik are you using?

v3.1.2

What did you do?

I'm using Hashicorp Vault injection, which uses annotations on pods to inject secrets into files on pod startup. The hope was to use this functionality via the _FILE env var in the credentials section, as described in the lego docs. In other words, after putting the secret into Hashicorp Vault, I would like to annotate the traefik pod like so in the helm chart:

deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik

This would inject a file into /vault/config/cloudflare that I could then reference by setting an env var, CF_DNS_API_TOKEN_FILE, to that path and keep it up-to-date with Vault. The expectation, as with other popular charts, is that the above values would render.

What did you see instead?

The chart errors out during templating:

Error: template: traefik/templates/_podtemplate.tpl:6:12: executing "traefik.podTemplate" at <tpl (toYaml .Values.deployment.podAnnotations) .>: error calling tpl: cannot parse template "vault.hashicorp.com/agent-inject: \"true\"\nvault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token\nvault.hashicorp.com/agent-inject-template-cloudflare: |\n {{- with secret \"kv/data/k8s/traefik/cloudflare_token\" -}}\n {{ index .Data.data \"api-token\" }}\n {{- end }}\nvault.hashicorp.com/role: traefik": template: gotpl:4: function "secret" not defined

To reproduce:

helm pull traefik/traefik --untar
cd traefik
cat <<'EOF' > values-annotations.yaml
deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik
EOF
helm template . --values values.yaml --values values-annotations.yaml

What is your environment & configuration?

Platform: microk8s v1.27.16
Arguments: --values
YAML:

deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik

Chart version: 31.0.0 appVersion: v3.1.2 helm version: v3.15.4

Additional Information

Right now I see two options: the clean option or the safe option. For the clean option, the tpl function here is removed entirely and swapped to with, but that may have unintended consequences. For the safe option, a new boolean is introduced and defaulted to the current path of using the tpl function, while providing a switch, templateAnnotations below, to disable it:

# templates/_podtemplate.tpl
  {{- $version := include "imageVersion" $ }}
    metadata:
      annotations:
      {{- if .Values.deployment.podAnnotations }}
        {{- if .Values.deployment.templateAnnotations }}
          {{- /* existing behaviour: render the annotations through tpl */}}
          {{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }}
        {{- else }}
          {{- /* new behaviour: emit the annotations verbatim */}}
          {{- with .Values.deployment.podAnnotations }}
          {{- toYaml . | nindent 8 }}
          {{- end }}
        {{- end }}
      {{- end }}

With the default set as the existing behavior:

# values.yaml
deployment:
  templateAnnotations: true

For the PR I would assume going with the safe option but I would defer to one of the traefik folks if there are opinions. Thanks in advance.
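As an added illustration, not code from the issue or from the chart, the Go program below reproduces the failure with text/template, the engine behind Helm's tpl, and shows the workaround that is available today while the chart keeps templating annotations: every Vault Agent action is wrapped in a Go string literal so that tpl prints it unchanged instead of evaluating it. The annotation text is the issue's own YAML after toYaml; the function names RenderAsHelmTpl and EscapeForHelmTpl, the template name "gotpl", and the simplification that tpl is a plain text/template parse and execute (Helm also wires in Sprig functions, none of which matter for this error) are this example's assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// Constructed sample: the issue's podAnnotations as the chart sees them after
// toYaml, i.e. the exact text handed to tpl. The Vault Agent template calls the
// injector's own "secret" function, which Helm's template engine does not know.
const VaultAnnotations = `vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
vault.hashicorp.com/agent-inject-template-cloudflare: |
  {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
  {{ index .Data.data "api-token" }}
  {{- end }}
vault.hashicorp.com/role: traefik
`

// RenderAsHelmTpl approximates `tpl (toYaml .Values.deployment.podAnnotations) .`
// in traefik/templates/_podtemplate.tpl: parse the YAML text as a Go template
// and execute it. Undefined functions are rejected at parse time, which is why
// the chart fails before anything is rendered.
func RenderAsHelmTpl(text string) (string, error) {
	t, err := template.New("gotpl").Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Matches one single-line {{ ... }} action, including trim markers ({{- -}}).
var actionRE = regexp.MustCompile(`\{\{.*?\}\}`)

// EscapeForHelmTpl wraps every Vault action so that the outer template prints
// it verbatim: the action becomes a Go string literal inside a fresh action.
// A raw string (backticks) keeps the value readable in values.yaml; if the
// action itself contains a backtick, which a raw string cannot hold, fall back
// to a double-quoted literal produced by strconv.Quote.
func EscapeForHelmTpl(text string) string {
	return actionRE.ReplaceAllStringFunc(text, func(action string) string {
		lit := "`" + action + "`"
		if strings.Contains(action, "`") {
			lit = strconv.Quote(action)
		}
		return "{{ " + lit + " }}"
	})
}

func main() {
	// Unescaped: same failure as the issue reports.
	if _, err := RenderAsHelmTpl(VaultAnnotations); err != nil {
		fmt.Println("unescaped:", err)
	}
	// Escaped: tpl emits the Vault template byte-for-byte.
	escaped := EscapeForHelmTpl(VaultAnnotations)
	fmt.Println(escaped)
	out, err := RenderAsHelmTpl(escaped)
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped round-trips:", out == VaultAnnotations)
}
```

In practice this means writing the annotation in values.yaml as `{{ `{{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}` }}` and so on, one wrapped action per line. The caveat is that the escaping depends on tpl running: if the chart stops templating annotations (the clean option, or the proposed switch turned off), the wrapping would be emitted literally and the Vault Agent would see `{{ `{{- with ...` instead of its template, so the values need to change together with the chart setting.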

mloiseleur commented 1 month ago

We are interested in this issue, but we’re unsure about the use case and the traction it will receive. We are going to leave the status as kind/proposal to give the community time to let us know if they would like this idea.

We will reevaluate as people respond.