feat: TLSOption

traefik · Feb 9, 2024 · f95e9b4 · f95e9b4
1 parent 084b473
commit f95e9b4
Show file tree

Hide file tree

Showing 3 changed files with 202 additions and 0 deletions.
diff --git a/traefikee/templates/tlsoption.yaml b/traefikee/templates/tlsoption.yaml
@@ -0,0 +1,42 @@
+{{- range $name, $config := .Values.tlsOptions }}
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: {{ $name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+    {{- with $config.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $config.alpnProtocols }}
+  alpnProtocols:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.cipherSuites }}
+  cipherSuites:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.clientAuth }}
+  clientAuth:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $config.curvePreferences }}
+  curvePreferences:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $config.maxVersion }}
+  maxVersion: {{ $config.maxVersion }}
+  {{- end }}
+  {{- if $config.minVersion }}
+  minVersion: {{ $config.minVersion }}
+  {{- end }}
+  {{- if $config.preferServerCipherSuites }}
+  preferServerCipherSuites: {{ $config.preferServerCipherSuites }}
+  {{- end }}
+  {{- if $config.sniStrict }}
+  sniStrict: {{ $config.sniStrict }}
+  {{- end }}
+---
+{{- end -}}
diff --git a/traefikee/tests/tlsoption_test.yaml b/traefikee/tests/tlsoption_test.yaml
@@ -0,0 +1,144 @@
+suite: TLSOption configuration
+templates:
+  - tlsoption.yaml
+tests:
+  - it: should use helm managed namespace as default behavior
+    set:
+      tlsOptions:
+        default:
+          labels:
+            foo: bar
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
+  - it: should set tlsoption name
+    set:
+      tlsOptions:
+        default:
+          labels:
+            foo: bar
+    asserts:
+      - equal:
+          path: metadata.name
+          value: default
+  - it: should set additional labels
+    set:
+      tlsOptions:
+        default:
+          labels:
+            label: label
+    asserts:
+      - equal:
+          path: metadata.labels.label
+          value: label
+  - it: should set cipherSuites
+    set:
+      tlsOptions:
+        default:
+          labels:
+          cipherSuites:
+            - cipherSuite
+    asserts:
+      - equal:
+          path: spec.cipherSuites[0]
+          value: cipherSuite
+  - it: should set alpnProtocols
+    set:
+      tlsOptions:
+        default:
+          labels:
+          alpnProtocols:
+            - alpnProtocol
+    asserts:
+      - equal:
+          path: spec.alpnProtocols[0]
+          value: alpnProtocol
+  - it: should set clientAuthConfig
+    set:
+      tlsOptions:
+        default:
+          labels:
+          clientAuth:
+            clientAuthType: clientAuthType
+    asserts:
+      - equal:
+          path: spec.clientAuth
+          value:
+            clientAuthType: clientAuthType
+  - it: should set curvePreferences
+    set:
+      tlsOptions:
+        default:
+          labels:
+          curvePreferences:
+            - curvePreference
+    asserts:
+      - equal:
+          path: spec.curvePreferences[0]
+          value: curvePreference
+  - it: should set minVersion
+    set:
+      tlsOptions:
+        default:
+          labels:
+          minVersion: minVersion
+    asserts:
+      - equal:
+          path: spec.minVersion
+          value: minVersion
+  - it: should set maxVersion
+    set:
+      tlsOptions:
+        default:
+          labels:
+          maxVersion: maxVersion
+    asserts:
+      - equal:
+          path: spec.maxVersion
+          value: maxVersion
+  - it: should set preferServerCipherSuites
+    set:
+      tlsOptions:
+        default:
+          labels:
+          preferServerCipherSuites: true
+    asserts:
+      - equal:
+          path: spec.preferServerCipherSuites
+          value: true
+  - it: should set sniStrict
+    set:
+      tlsOptions:
+        default:
+          labels:
+          sniStrict: true
+    asserts:
+      - equal:
+          path: spec.sniStrict
+          value: true
+  - it: should render config without labels
+    chart:
+      version: 1.0.0
+      appVersion: v2.10.0
+    set:
+      tlsOptions:
+        default:
+          minVersion: minVersion
+    asserts:
+      - equal:
+          path: metadata
+          value:
+            name: default
+            namespace: NAMESPACE
+            labels:
+              app: traefikee
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/managed-by: Helm
+              app.kubernetes.io/version: v2.10.0
+              helm.sh/chart: traefikee-1.0.0
+              release: default
+      - equal:
+          path: spec
+          value:
+            minVersion: minVersion
diff --git a/traefikee/values.yaml b/traefikee/values.yaml
@@ -335,6 +335,22 @@ additionalProxies: {}
 # priorityClassName will be set on all pods.
 priorityClassName: ""
 
+# -- TLS Options are created as TLSOption CRDs
+# https://doc.traefik.io/traefik/https/tls/#tls-options
+# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
+# Example:
+# tlsOptions:
+#   default:
+#     labels: {}
+#     sniStrict: true
+#     preferServerCipherSuites: true
+#   customOptions:
+#     labels: {}
+#     curvePreferences:
+#       - CurveP521
+#       - CurveP384
+tlsOptions: {}
+
 mesh:
   enabled: false
   kubedns: false