In the routes of an IngressRoute, how do I mask or put the Host(`my-awesome-host.io`) in a secret?

Hi, I am fairly new to Kubernetes and Traefik 2.0 so sorry if this is a particular edge-case.

I am working on creating a GitOps (w/ Flux) project using some RPis I have lying around. I've been playing around with Sealed Secrets from Bitnami. So far I've gotten a good grasp on how to handle things, but I am stuck. I would like to basically put the hostname in the routes section of the IngressRoute object in a secret so I don't have to expose this on my public git repo. I know this is a little outside of the scope of just Traefik, but maybe I am missing something. For anyone interested in my project I'll leave a link here.

My deployment is as follows:

---

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: homepage
  labels:
    app: homepage
spec:
  replicas: 3
  selector:
    matchLabels:
      app: homepage
  template:
    metadata:
      labels:
        app: homepage
    spec:
      containers:
        - name: homepage
          image: my-awesome-registry/homepage:latest-arm32
          ports:
            - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: homepage
spec:
  ports:
    - protocol: TCP
      port: 30684
      targetPort: 80
  selector:
    app: homepage

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: default
  name: homepage-ingressroute
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`my-awesome-host.io`) && PathPrefix(`/`)
    kind: Rule
    priority: 1
    services:
    - name: homepage
      port: 30684

Is there any method you would use to hide my-awesome-host.io from the yaml? Thanks for any insight, it's greatly appreciated.

You cannot.

Here are some options:

  • Write a script that substitutes my-awesome-host.io for the host name, and run it before applying the IngressRoute
  • Use some templating system for Kubernetes manifests to parametrize some values. Helm and jsonnet come to mind.

I personally use my own templating system that integrates with HashiCorp Vault, so I store the secrets there and my tooling pulls them out of there and merges them with Kubernetes templates before applying those.
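
A sketch of the first option, as an added example that is not part of the original answer: the repository holds the IngressRoute from the question with a placeholder, and a script fills in the host from the environment just before applying. The placeholder `__INGRESS_HOST__`, the variable `INGRESS_HOST` and the file name `render.sh` are assumptions. The value is validated first, because it is pasted inside the backtick-quoted `Host()` rule.

```shell
#!/bin/sh
# Added example, not from the thread. __INGRESS_HOST__ and INGRESS_HOST are
# assumed names; the template below is constructed from the question's manifest.
LC_ALL=C; export LC_ALL

# What gets committed to the public repo: a placeholder instead of the host.
template() {
cat <<'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: default
  name: homepage-ingressroute
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`__INGRESS_HOST__`) && PathPrefix(`/`)
    kind: Rule
    priority: 1
    services:
    - name: homepage
      port: 30684
EOF
}

# Accept only a lowercase DNS name with at least one dot. Anything else
# (backticks, spaces, newlines) could close the Host(`...`) quoting.
valid_host() {
  case "$1" in
    ''|*[!a-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Print the manifest with the placeholder filled in, or fail without output.
render() {
  if ! valid_host "$1"; then
    echo "render: invalid host value, nothing rendered" >&2
    return 1
  fi
  template | sed "s/__INGRESS_HOST__/$1/g"
}

# Usage: INGRESS_HOST comes from wherever the secret lives (CI variable, Vault,
# a decrypted Secret), then: INGRESS_HOST=... ./render.sh | kubectl apply -f -
if [ -n "${INGRESS_HOST:-}" ]; then
  render "$INGRESS_HOST" || exit 1
fi
```

The rendered manifest still contains the real host, so it should only ever be piped to the cluster and never written back into the repository.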

Option one I am a bit confused on. How can I accomplish that in a GitOps workflow? The second option seems nice and I'll wait to see what their Helm chart is capable of handling. For now it looks like I might just need to go back to the nginx-ingress, which supports what I am trying to do.