Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Traefik and templating of pod annotations errors with Hashicorp Vault #1181

Open
2 tasks done
brow86 opened this issue Sep 9, 2024 · 0 comments · May be fixed by #1182
Open
2 tasks done

Traefik and templating of pod annotations errors with Hashicorp Vault #1181

brow86 opened this issue Sep 9, 2024 · 0 comments · May be fixed by #1182
Labels
kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed.

Comments

@brow86
Copy link

brow86 commented Sep 9, 2024
edited
Loading

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

31.0.0

What version of Traefik are you using?

v3.1.2

What did you do?

I'm using Hashicorp Vault injection which uses annotations on pods to inject secrets into files on pod startup. The hope was to use this functionality via the _FILE env var in the credentials section as described in the lego docs. In other words, after putting the secret into Hashicorp Vault, I would like to annotate the traefik pod like so in the helm chart:

deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik

This would inject a file into /vault/config/cloudflare that I could then reference via setting an env var, CF_DNS_API_TOKEN_FILE to that value and keep it up-to-date with Vault. The expectation, like other popular charts, is that the above values would render.

What did you see instead?

The chart errors out during templating:

Error: template: traefik/templates/_podtemplate.tpl:6:12: executing "traefik.podTemplate" at <tpl (toYaml .Values.deployment.podAnnotations) .>: error calling tpl: cannot parse template "vault.hashicorp.com/agent-inject: "true"\nvault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token\nvault.hashicorp.com/agent-inject-template-cloudflare: |\n {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}\n {{ index .Data.data "api-token" }}\n {{- end }}\nvault.hashicorp.com/role: traefik": template: gotpl:4: function "secret" not defined

To reproduce:

helm pull traefik/traefik --untar
cd traefik 
cat <<EOF>values-annotations.yaml
deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik
> EOF
helm template . --values values.yaml --values values-annotations.yaml

What is your environment & configuration?

Platform: microk8s v1.27.16
Arguments: --values
YAML:

deployment:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-cloudflare: kv/data/k8s/traefik/cloudflare_token
    vault.hashicorp.com/agent-inject-template-cloudflare: |
      {{- with secret "kv/data/k8s/traefik/cloudflare_token" -}}
      {{ index .Data.data "api-token" }}
      {{- end }}
    vault.hashicorp.com/role: traefik

Chart version: 31.0.0
appVersion: v3.1.2
helm version: v3.15.4

Additional Information

Right now I see two options: the clean option or the safe option. For the clean option, the tpl function here is removed entirely and swapped to with but that may have unintended consequences. For the safe option, there is a new boolean introduced and defaulted to current path of using the tpl function while providing a switch, templateAnnotations below, to disable it:

# templates/_podtemplate.tpl
 {{- $version := include "imageVersion" $ }}
   metadata:
     annotations:
     {{- if .Values.deployment.podAnnotations }}
       {{- if .Values.deployment.templateAnnotations }}
         {{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }}
       {{- else }}
         {{- with .Values.deployment.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}

With an the default set as the existing behavior:

# values.yaml
deployment:
   templateannotations: true

For the PR I would assume going with the safe option but I would defer to one of the traefik folks if there are opinions. Thanks in advance.
@brow86 brow86 linked a pull request Sep 10, 2024 that will close this issue
Open
2 tasks
@mloiseleur mloiseleur added kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. and removed status/0-needs-triage labels Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Allow annotation templates for services that need them #1181 brow86/traefik-helm-chart
2 participants
@brow86 @mloiseleur