Traefik ingress #29
Pull request overview
This PR migrates the Laravel Helm chart from Nginx Ingress Controller to Traefik, representing a significant change in how ingress is configured and managed. The migration introduces Traefik-specific Custom Resource Definitions (IngressRoute and Middleware) to replace the standard Kubernetes Ingress resource, providing more granular control over request handling through dedicated middleware components.
Key Changes:
- Complete replacement of standard Kubernetes Ingress with Traefik IngressRoute and Middleware CRDs
- Introduction of four configurable middleware components: forwarded headers, request/response buffering, IP allowlisting, and noindex headers
- Simplified ingress configuration structure with Traefik-specific settings (entryPoints, certResolver)
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| charts/laravel/values.yaml | Removed Nginx ingress configuration and annotations; added Traefik-specific configuration with middleware options |
| charts/laravel/templates/ingress.yaml | Deleted standard Kubernetes Ingress template (entire file removed) |
| charts/laravel/templates/ingress-route.yaml | Created new Traefik IngressRoute resource with conditional middleware references |
| charts/laravel/templates/ingress-middleware-headers.yaml | Created middleware for X-Forwarded-* headers management |
| charts/laravel/templates/ingress-middleware-noindex.yaml | Created optional middleware for X-Robots-Tag header |
| charts/laravel/templates/ingress-middleware-buffering.yaml | Created optional middleware for request/response buffering with configurable limits |
| charts/laravel/templates/ingress-ip-allowlist-middleware.yaml | Created optional middleware for IP-based access control |
| charts/laravel/templates/NOTES.txt | Updated variable names to match new ingress configuration structure |
| charts/laravel/README.md | Updated version badge and ingress-related documentation entries |
| charts/laravel/Chart.yaml | Bumped chart version to 2.8.0 |
| charts/laravel/Chart.lock | Updated dependency versions (PostgreSQL 16.7.27, Redis 20.13.4) and regenerated digest |
| {{- range $path := $hostConfig.paths }} | ||
| - match: Host(`{{ $hostConfig.host }}`){{ if ne $path.path "/" }} && PathPrefix(`{{ $path.path }}`){{ end }} | ||
| kind: Rule | ||
| middlewares: | ||
| - name: {{ include "laravel.fullname" $ }}-forwarded-headers | ||
| {{- if $.Values.ingress.ipAllowList.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-ip-allowlist | ||
| {{- end }} | ||
| {{- if $.Values.ingress.buffering.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-buffering | ||
| {{- end }} | ||
| {{- if $.Values.ingress.noindex.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-noindex | ||
| {{- end }} | ||
| services: | ||
| - name: {{ default (include "laravel.fullname" $) $path.service }} | ||
| port: {{ default $.Values.service.port $path.port }} | ||
| {{- end }} |
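Review bot: in the middlewares list, the ip-allowlist entry is placed after forwarded-headers. Traefik applies a route's middlewares in the order they are listed, so move ip-allowlist to the top of the list: requests from outside the allowed ranges are then rejected before any header is rewritten, and the allowlist decision cannot be influenced by what an earlier middleware sets.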
Copilot
AI
Dec 9, 2025
The template iterates over $hostConfig.paths but the values.yaml configuration shows paths as an array of objects with a path property. However, the template also references optional $path.service and $path.port properties (lines 31-32) which are not defined in the values.yaml defaults. Consider adding documentation or example configuration showing how to use custom service/port per path, or ensure the values.yaml example includes these optional properties to clarify the expected structure.
| middlewares: | ||
| - name: {{ include "laravel.fullname" $ }}-forwarded-headers | ||
| {{- if $.Values.ingress.ipAllowList.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-ip-allowlist | ||
| {{- end }} | ||
| {{- if $.Values.ingress.buffering.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-buffering | ||
| {{- end }} | ||
| {{- if $.Values.ingress.noindex.enabled }} | ||
| - name: {{ include "laravel.fullname" $ }}-noindex | ||
| {{- end }} |
Copilot
AI
Dec 9, 2025
The IngressRoute unconditionally references the forwarded-headers middleware (line 20), but this middleware is only created when ingress.enabled is true. While this condition matches the IngressRoute's own condition, the middleware should ideally always be created when the IngressRoute exists, or the reference should be conditional. Additionally, references to optional middlewares (ipAllowList, buffering, noindex) are correctly conditional, but if these resources fail to create due to missing configuration keys, the IngressRoute will reference non-existent middlewares and fail to deploy.
| {{- end }} | ||
| tls: | ||
| certResolver: {{ .Values.ingress.tls.certResolver }} |
Copilot
AI
Dec 9, 2025
The TLS configuration directly accesses .Values.ingress.tls.certResolver without checking if the tls key exists or if certResolver is set. This could cause template rendering errors if users omit the TLS configuration. Consider adding a conditional check like {{- if and .Values.ingress.tls .Values.ingress.tls.certResolver }} before rendering the tls section, or use the dig function with a default value.
| {{- end }} | |
| tls: | |
| certResolver: {{ .Values.ingress.tls.certResolver }} | |
| {{- end }} | |
| {{- if and .Values.ingress.tls .Values.ingress.tls.certResolver }} | |
| tls: | |
| certResolver: {{ .Values.ingress.tls.certResolver }} | |
| {{- end }} |
| | ingress.forwardedHeaders.host | string | `""` | | | ||
| | ingress.forwardedHeaders.port | string | `"443"` | | | ||
| | ingress.forwardedHeaders.proto | string | `"https"` | | | ||
| | ingress.hosts[0] | string | `"api.ronas.cloud"` | | |
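Review bot: missing documentation on the three ingress.forwardedHeaders rows, whose description column is empty. Each row should name the X-Forwarded-* header it controls and say what the empty default for ingress.forwardedHeaders.host results in, since the application behind the proxy will rely on these values.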
Copilot
AI
Dec 9, 2025
The documentation shows ingress.hosts[0] as a string value, but according to the values.yaml configuration, it should be an object with host and paths properties. The correct documentation should be:
| ingress.hosts[0].host | string | "api.ronas.cloud" |
| ingress.hosts[0].paths[0].path | string | "/" |
| | ingress.hosts[0] | string | `"api.ronas.cloud"` | | | |
| | ingress.hosts[0].host | string | `"api.ronas.cloud"` | | | |
| | ingress.hosts[0].paths[0].path | string | `"/"` | | |
| | ingress.hosts[0] | string | `"api.ronas.cloud"` | | | ||
| | ingress.noindex.enabled | bool | `false` | | | ||
| | ingress.noindex.value | string | `"noindex, nofollow"` | | | ||
| | ingress.tls.certResolver | string | `"letsencrypt"` | | |
Copilot
AI
Dec 9, 2025
The README is missing documentation for several new ingress configuration options that are present in values.yaml:
- `ingress.buffering.enabled` (default: `true`)
- `ingress.buffering.maxRequestBodyBytes` (default: `1048576000`)
- `ingress.buffering.maxResponseBodyBytes` (default: `1048576000`)
- `ingress.ipAllowList.enabled` (default: `false`)
- `ingress.ipAllowList.sourceRange` (default: `['0.0.0.0/0']`)
These should be added to the documentation table.
| | ingress.tls.certResolver | string | `"letsencrypt"` | | | |
| | ingress.tls.certResolver | string | `"letsencrypt"` | | | |
| | ingress.buffering.enabled | bool | `true` | Enable request/response buffering for ingress. | | |
| | ingress.buffering.maxRequestBodyBytes | int | `1048576000` | Maximum request body size in bytes for ingress buffering. | | |
| | ingress.buffering.maxResponseBodyBytes | int | `1048576000` | Maximum response body size in bytes for ingress buffering. | | |
| | ingress.ipAllowList.enabled | bool | `false` | Enable IP allow list for ingress. | | |
| | ingress.ipAllowList.sourceRange | list | `['0.0.0.0/0']` | List of allowed source IP ranges for ingress. | |
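Review bot: the two body-limit rows document a default of 1048576000 bytes, roughly 1 GB, next to ingress.buffering.enabled defaulting to true. That lets a single request or response make the proxy buffer close to 1 GB, so the descriptions should state this, and the chart default should be sized to the largest upload the application actually accepts, with larger limits left to an explicit override.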
| {{- range .Values.ingress.ipAllowList.sourceRange }} | ||
| - {{ . | quote }} | ||
| {{- end }} | ||
| {{- end }} |
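Review bot: missing check on the range over .Values.ingress.ipAllowList.sourceRange, which emits no entries when the list is empty or unset and so leaves the Middleware with an empty source range. Fail rendering instead of deploying that, for example by placing {{- if not .Values.ingress.ipAllowList.sourceRange }}{{ fail "ingress.ipAllowList.sourceRange must list at least one CIDR" }}{{- end }} ahead of the range.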
Copilot
AI
Dec 9, 2025
Trailing whitespace detected at the end of this line. This should be removed for consistency.
| {{- end }} | |
| {{- end }} |
| sourceRange: | ||
| - '0.0.0.0/0' |
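Review bot: the default entry '0.0.0.0/0' under sourceRange is an IPv4-only range, so it does not match IPv6 client addresses. If it is meant as an allow-everything placeholder it needs '::/0' beside it; if it is not, drop the default and require explicit ranges.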
Copilot
AI
Dec 9, 2025
The default IP allowlist configuration with 0.0.0.0/0 effectively allows all IP addresses when enabled, which provides no actual IP restriction. Consider either:
- Changing the default to an empty array to force users to explicitly configure allowed IPs
- Adding a comment in the values to warn users that 0.0.0.0/0 allows all traffic and should be replaced with specific IP ranges
- Making the feature require explicit IP ranges when enabled
| sourceRange: | |
| - '0.0.0.0/0' | |
| # -- List of allowed IP ranges in CIDR notation. Example: ['192.168.1.0/24'] | |
| # WARNING: '0.0.0.0/0' allows all traffic and should be replaced with specific IP ranges for security. | |
| sourceRange: [] |
| @@ -0,0 +1,17 @@ | |||
| {{- if .Values.ingress.buffering.enabled }} | |||
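Review bot: line 1 gates this Middleware on ingress.buffering.enabled alone, with no check of ingress.enabled. A release with ingress disabled would still render a buffering Middleware that no IngressRoute references whenever buffering.enabled is true. Gate on both, for example {{- if and .Values.ingress.enabled .Values.ingress.buffering.enabled }}.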
Copilot
AI
Dec 9, 2025
The conditional check uses .Values.ingress.buffering.enabled directly without first checking if buffering key exists in the ingress configuration. This could cause template rendering errors if the buffering configuration is completely omitted from values. Consider using a safer check like {{- if and .Values.ingress.enabled (hasKey .Values.ingress "buffering") .Values.ingress.buffering.enabled }}
| {{- if .Values.ingress.buffering.enabled }} | |
| {{- if and .Values.ingress.enabled (hasKey .Values.ingress "buffering") .Values.ingress.buffering.enabled }} |
| @@ -0,0 +1,15 @@ | |||
| {{- if .Values.ingress.ipAllowList.enabled }} | |||
Copilot
AI
Dec 9, 2025
The conditional check uses .Values.ingress.ipAllowList.enabled directly without first checking if ipAllowList key exists in the ingress configuration. This could cause template rendering errors if the configuration is omitted. Consider using a safer check like {{- if and .Values.ingress.enabled (hasKey .Values.ingress "ipAllowList") .Values.ingress.ipAllowList.enabled }}
| {{- if .Values.ingress.ipAllowList.enabled }} | |
| {{- if and .Values.ingress.enabled (hasKey .Values.ingress "ipAllowList") .Values.ingress.ipAllowList.enabled }} |
Co-authored-by: Copilot <[email protected]>
Changes
values.yaml ingress configuration: