Currently evaluating Traefik v2.1.1 in Kubernetes (v1.10.11). I have an internal whitelist that I have implemented in an IP Whitelist Middleware. However, I have some services that have additional IPs that need to be added to the whitelist. Is there any way to combine two whitelist middlewares? Applying both whitelists to a single router will cause only IPs on both whitelists to pass through instead of any IP on either whitelist.
Is there any way to combine two whitelist middlewares so I can maintain multiple whitelists separately?
I don't think this will work. Middleware basically is a filter in the pipeline. So if you told it to block everything but a and something is trying to get through with b, it won't work, even if there is an additional filter that allows b.
So you will need to modify or create a filter to include both a and b and apply only that filter for this to work. There does not seem to be anything else that can be done.
That's what I was afraid of. I was hoping there was some clever workaround that I hadn't considered.
I wonder if others would find it useful to have an ipWhitelist middleware be able to reference and merge with another defined but unattached ipWhitelist? It may be that my use case is too unique to request it as an additional feature set.
Can you explain a bit more about your use case? Maybe post a config example. As far as I can see you define your middlewares when you define your ingress route, and most often you will have a one-to-one between ingress route and the service. And that's exactly where you put your middleware.
So I'm not sure what you are wanting to merge. Can you explain that?
Sure thing.
So we have an IP whitelist middleware that contains all the IPs and CIDR blocks of our internal environments. We use this to protect services that are intended to be accessed internally. Occasionally this whitelist will change due to addition of new servers or the need for additional environments to access internal services.
We also have several services that need to whitelist additional whitelisted IPs from external clients that need access. These services need their custom whitelist to be merged with our internal whitelist. We want to be able to centrally manage the internal whitelist separately from the service-specific whitelist so that we don't have to modify every service-specific whitelist when the internal whitelist changes.
Hopefully that makes sense, but if not, feel free to ask more questions. Basically it's just a default whitelist that we want to overlay a custom whitelist on top of.
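Added example, not part of any post in this thread and not Traefik's own code: one way to keep the internal list and the per-service lists in separate files and generate a single merged `ipWhiteList` Middleware per service, which is the "one filter that includes both" approach suggested above. The service name, the `-whitelist` naming and all addresses are constructed for illustration; `chained_allows` models the behaviour described in the first post, where attaching two whitelists passes only IPs present on both.

```python
import ipaddress
import json

# Constructed sample data (documentation ranges), not taken from the thread.
INTERNAL = ["10.0.0.0/8", "192.168.10.0/24", "10.20.0.0/16"]
SERVICE_EXTRA = {"billing-api": ["203.0.113.7", "198.51.100.0/25", "198.51.100.128/25"]}


def parse(entries):
    """Parse IPs/CIDRs strictly; a typo such as 10.0.0.1/8 raises ValueError."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def merged_ranges(internal, extra):
    """Union of both lists, with overlapping and adjacent ranges collapsed."""
    nets = parse(internal) + parse(extra)
    out = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out


def allowed(ip, ranges):
    """True if ip falls inside at least one range of a single whitelist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def chained_allows(ip, *lists):
    """Several ipWhiteList middlewares on one router: every one must match."""
    return all(allowed(ip, lst) for lst in lists)


def middleware_manifest(service, internal, extra, namespace="default"):
    """Traefik v2 Middleware object carrying the merged sourceRange."""
    return {
        "apiVersion": "traefik.containo.us/v1alpha1",
        "kind": "Middleware",
        "metadata": {"name": f"{service}-whitelist", "namespace": namespace},
        "spec": {"ipWhiteList": {"sourceRange": merged_ranges(internal, extra)}},
    }


if __name__ == "__main__":
    for svc, extra in SERVICE_EXTRA.items():
        print(json.dumps(middleware_manifest(svc, INTERNAL, extra), indent=2))
```

The JSON it prints can be applied with `kubectl apply -f`; rerunning it whenever the internal list changes regenerates every service-specific Middleware without editing them by hand.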