traefik-helm-chart
Default Values on Traefik Proxy dashboard
Current Situation
By default in this Chart, Traefik Proxy local dashboard is deployed with those settings:
```yaml
## Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: true
    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # -- The router match rule used for the dashboard ingressRoute
    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
    # -- Additional ingressRoute middlewares (e.g. for authentication)
    middlewares: []
    # -- TLS options (e.g. secret containing certificate)
    tls: {}
```
It means that the API and the dashboard are enabled by default, on the traefik entrypoint. By default, Traefik Proxy does not enable them. The upstream documentation explains why:
Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data.
It says also:
In production, it should be at least secured by authentication and authorizations.
It also means a Helm Chart user can miss that it's the default in the Chart, miss the fact that it's enabled, and miss what is required for a production environment.
Proposal
Keep the same settings and disable the dashboard (and so the API) by default.
So, the values would become:
```yaml
## Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    enabled: false
```
It comes with the following benefits:
- Secure by default
- Helm Chart users keep the capacity to configure it easily with values
- When a Helm Chart user has to enable it, they can be aware of the impact and so secure it properly
It has also some impact:
- It's a breaking change,
- It may break some tutorials
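One way to apply what this proposal implies once the dashboard is opt-in (enable it explicitly, and only behind an authentication middleware referenced through `ingressRoute.dashboard.middlewares`), shown as an added `values.yaml` example that is not part of this issue or of the chart's own files. It assumes the chart's `extraObjects` value for shipping the Middleware and Secret alongside the release, a `websecure` entrypoint that already terminates TLS, the `traefik.io/v1alpha1` CRD API group, and that the hostname and the htpasswd line are placeholders you replace (generate the line with `htpasswd -nB admin`).

```yaml
# Added example values.yaml (not from the chart or the issue). Placeholders are marked.
ingressRoute:
  dashboard:
    # Explicit opt-in: with the proposal above this stays false unless set here.
    enabled: true
    # Assumed placeholder hostname: pin the router to one Host instead of matching any Host header.
    matchRule: Host(`traefik.example.invalid`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
    # Exposed entrypoint, so the unexposed "traefik" default no longer protects the API.
    entryPoints: ["websecure"]
    # Without this list the insecure shape of the default values is reproduced on an exposed port:
    # api@internal reachable by anyone who can hit websecure.
    middlewares:
      - name: traefik-dashboard-auth
    # Empty here because the websecure entrypoint is assumed to carry TLS already.
    tls: {}

# Assumed: the chart's extraObjects value renders these manifests into the release namespace,
# so the unqualified middleware name above resolves to the Middleware below.
extraObjects:
  - apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: traefik-dashboard-auth
    spec:
      basicAuth:
        # Secret must carry an htpasswd-formatted "users" key.
        secret: traefik-dashboard-auth
        # Do not forward the Authorization header to the backend.
        removeHeader: true
  - apiVersion: v1
    kind: Secret
    metadata:
      name: traefik-dashboard-auth
    type: Opaque
    stringData:
      # One htpasswd line per user. Placeholder: replace with real output of htpasswd -nB admin.
      users: "REPLACE_WITH_OUTPUT_OF_htpasswd_-nB_admin"
```

If the values file lives in a git repository, drop the Secret from `extraObjects` and create it out of band instead (`kubectl create secret generic traefik-dashboard-auth --from-file=users=./htpasswd`); the Middleware keeps referencing it by name, so nothing credential-shaped is committed.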
On the contrary, if enabled, there should be an option to configure the authentication (at least basic).
@x0ddf There is a complete example on basic auth. Is this what you have in mind?
@mloiseleur almost, but the whole logic can be simplified for the basic auth case (middleware + secret could be created automatically):
```yaml
ingressRoute:
  dashboard:
    basicAuth:
      # according to the documentation https://doc.traefik.io/traefik/middlewares/http/basicauth/#usersfile
      usersFile: ""
      # from this array we could generate usersFile entry https://helm.sh/docs/chart_template_guide/function_list/#htpasswd
      users:
        - name: someuser
          pass: somepass
```
Many people deploy Traefik using GitOps principles. It is not desirable to have secrets stored in a repository. An additional requirement would be to reference an existing secret here. It might even be feasible to include an OAuth2 proxy example instead of basic auth.
@oscrx, I agree with existingSecret but strongly disagree with OAuth2: it's an enterprise feature. Putting ForwardAuthentication is useless because it could be added via ingressRoute.dashboard.middlewares.
@oscrx @x0ddf Feel free to open a PR in order to improve authentication options / settings on dashboard, if you need it.
With PR #1111, the dashboard is now disabled by default. => I'm closing this issue.