traefik-helm-chart
Traefik and templating of pod annotations errors with Hashicorp Vault
Welcome!
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What version of the Traefik's Helm Chart are you using?
31.0.0
What version of Traefik are you using?
v3.1.2
What did you do?
I'm using Hashicorp Vault injection which uses annotations on pods to inject secrets into files on pod startup. The hope was to use this functionality via the _FILE env var in the credentials section as described in the lego docs. In other words, after putting the secret into Hashicorp Vault, I would like to annotate the traefik pod like so in the helm chart:
```yaml
deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik
```
This would inject a file into /vault/config/cloudflare that I could then reference by setting an env var, CF_DNS_API_TOKEN_FILE, to that value and keep it up to date with Vault. The expectation, like other popular charts, is that the above values would render.
What did you see instead?
The chart errors out during templating:

```
Error: template: traefik/templates/_podtemplate.tpl:6:12: executing "traefik.podTemplate" at <tpl (toYaml .Values.deployment.podAnnotations) .>: error calling tpl: cannot parse template "vault.hashicorp.com/agent-inject: "true"\nvault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token\nvault.hashicorp.com/agent-inject-template-cloudflare: |\n {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}\n {{ index .Data.data "api-token" }}\n {{- end }}\nvault.hashicorp.com/role: traefik": template: gotpl:4: function "secret" not defined
```
To reproduce:

```shell
helm pull traefik/traefik --untar
cd traefik
cat <<EOF > values-annotations.yaml
deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik
EOF
helm template . --values values.yaml --values values-annotations.yaml
```
What is your environment & configuration?
Platform: microk8s v1.27.16

Arguments: --values

YAML:

```yaml
deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik
```

Chart version: 31.0.0

appVersion: v3.1.2

helm version: v3.15.4
Additional Information
Right now I see two options: the clean option or the safe option. For the clean option, the `tpl` function here is removed entirely and swapped to `with`, but that may have unintended consequences. For the safe option, there is a new boolean introduced and defaulted to the current path of using the `tpl` function while providing a switch, `templateAnnotations` below, to disable it:

```yaml
# templates/_podtemplate.tpl
{{- $version := include "imageVersion" $ }}
metadata:
  annotations:
  {{- if .Values.deployment.podAnnotations }}
    {{- if .Values.deployment.templateAnnotations }}
    {{- /* existing behavior: annotations are passed through tpl */}}
    {{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }}
    {{- else }}
    {{- /* new path: annotations are emitted verbatim, so Vault templates survive */}}
    {{- with .Values.deployment.podAnnotations }}
    {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- end }}
  {{- end }}
```
With the default set to the existing behavior:

```yaml
# values.yaml
deployment:
  templateAnnotations: true
```
For the PR I would assume going with the safe option but I would defer to one of the traefik folks if there are opinions. Thanks in advance.
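As an added example (not from the issue or the chart), this Go program reproduces why the chart's `tpl` call rejects the annotation and shows the usual Helm escape for it: writing `{{ "{{" }}` and `{{ "}}" }}` in values.yaml so that `tpl` emits the Vault delimiters literally and the Vault agent receives the original template. It uses plain text/template rather than Helm's sprig-extended engine, which makes no difference here since neither defines `secret`.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Vault agent template from the issue's annotation, used here as the sample input.
const vaultTemplate = `{{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
{{ index .Data.data "api-token" }}
{{- end }}`

// RenderLikeTpl does what the chart's tpl call does to the annotation value: parse and
// execute it as a Go text/template. Helm's tpl adds sprig functions, but no "secret",
// so the parse fails the same way as in the issue.
func RenderLikeTpl(s string) (string, error) {
	t, err := template.New("gotpl").Parse(s)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// tplEscaper rewrites a value so that tpl prints the delimiters literally: every "{{"
// becomes {{ "{{" }} and every "}}" becomes {{ "}}" }}. Replacer makes one pass over the
// input, so the braces it inserts are never rewritten again.
var tplEscaper = strings.NewReplacer("{{", `{{ "{{" }}`, "}}", `{{ "}}" }}`)

// EscapeForTpl returns the annotation value as it must be written in values.yaml for
// the chart's tpl to hand the original Vault template through unchanged.
func EscapeForTpl(s string) string {
	return tplEscaper.Replace(s)
}

func main() {
	_, err := RenderLikeTpl(vaultTemplate)
	fmt.Println("raw value through tpl:", err) // ... function "secret" not defined
	out, err := RenderLikeTpl(EscapeForTpl(vaultTemplate))
	fmt.Println("escaped value round-trips:", out == vaultTemplate, err) // true <nil>
}
```

The escaped form is what has to go into the `agent-inject-template-*` annotation as long as the chart keeps running `podAnnotations` through `tpl`.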
We are interested in this issue, but we’re unsure about the use case and the traction it will receive. We are going to leave the status as kind/proposal to give the community time to let us know if they would like this idea.
We will reevaluate as people respond.
There has been no interest from other community members in this feature since last year, so I am closing this issue. Feel free to re-open it or open a new one if needed.