Improve documentation about Kubernetes IngressRoute
This commit is contained in:
parent
7283d7eb2f
commit
d3977ce40e
|
@ -40,7 +40,7 @@ tls:
|
|||
|
||||
In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
|
||||
It is the only available method to configure the certificates (as well as the options and the stores).
|
||||
However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls).
|
||||
However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
|
||||
|
||||
## Certificates Stores
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.
|
|||
|
||||
```yaml tab="K8s IngressRoute"
|
||||
# The definitions below require the definitions for the Middleware and IngressRoute kinds.
|
||||
# https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
|
||||
# https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
|
@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
|
|||
|
||||
```yaml tab="K8s IngressRoute"
|
||||
# The definitions below require the definitions for the TLSOption and IngressRoute kinds.
|
||||
# https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
|
||||
# https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
|
|
|
@ -86,7 +86,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
|
|||
## Routing Configuration
|
||||
|
||||
When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
|
||||
Trafik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
|
||||
Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
|
||||
|
||||
See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
|
||||
|
||||
|
|
|
@ -8,9 +8,43 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
|
|||
However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
|
||||
we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
|
||||
|
||||
## Configuration Requirements
|
||||
|
||||
!!! tip "All Steps for a Successful Deployment"
|
||||
|
||||
* Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
|
||||
* Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
|
||||
* Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment
|
||||
* Enable the kubernetesCRD provider
|
||||
* Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
|
||||
* Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
|
||||
|
||||
??? example "Initializing Resource Definition and RBAC"
|
||||
|
||||
```yaml tab="Traefik Resource Definition"
|
||||
# All resources definition must be declared
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
|
||||
```
|
||||
|
||||
```yaml tab="RBAC for Traefik CRD"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
```
|
||||
|
||||
## Resource Configuration
|
||||
|
||||
See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
|
||||
When using KubernetesCRD as a provider,
|
||||
Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
|
||||
Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
|
||||
|
||||
* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
|
||||
* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
|
||||
* TLS certificate.
|
||||
* Authentication data.
|
||||
* The structure of the configuration.
|
||||
* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
|
||||
|
||||
The Traefik CRD are building blocks which you can assemble according to your needs.
|
||||
See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
|
||||
|
||||
## LetsEncrypt Support with the Custom Resource Definition Provider
|
||||
|
||||
|
|
|
@ -0,0 +1,73 @@
|
|||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressroutes.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRoute
|
||||
plural: ingressroutes
|
||||
singular: ingressroute
|
||||
scope: Namespaced
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: middlewares.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: Middleware
|
||||
plural: middlewares
|
||||
singular: middleware
|
||||
scope: Namespaced
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressroutetcps.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRouteTCP
|
||||
plural: ingressroutetcps
|
||||
singular: ingressroutetcp
|
||||
scope: Namespaced
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tlsoptions.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: TLSOption
|
||||
plural: tlsoptions
|
||||
singular: tlsoption
|
||||
scope: Namespaced
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: traefikservices.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: TraefikService
|
||||
plural: traefikservices
|
||||
singular: traefikservice
|
||||
scope: Namespaced
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressroutetcps.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRouteTCP
|
||||
plural: ingressroutetcps
|
||||
singular: ingressroutetcp
|
||||
scope: Namespaced
|
|
@ -0,0 +1,57 @@
|
|||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
- endpoints
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- middlewares
|
||||
- ingressroutes
|
||||
- traefikservices
|
||||
- ingressroutetcps
|
||||
- tlsoptions
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: traefik-ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: traefik-ingress-controller
|
||||
namespace: default
|
|
@ -0,0 +1,157 @@
|
|||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: wrr2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
weighted:
|
||||
services:
|
||||
- name: s1
|
||||
weight: 1
|
||||
port: 80
|
||||
# Optional, as it is the default value
|
||||
kind: Service
|
||||
- name: s3
|
||||
weight: 1
|
||||
port: 80
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: wrr1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
weighted:
|
||||
services:
|
||||
- name: wrr2
|
||||
kind: TraefikService
|
||||
weight: 1
|
||||
- name: s3
|
||||
weight: 1
|
||||
port: 80
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: mirror1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
mirroring:
|
||||
name: s1
|
||||
port: 80
|
||||
mirrors:
|
||||
- name: s3
|
||||
percent: 20
|
||||
port: 80
|
||||
- name: mirror2
|
||||
kind: TraefikService
|
||||
percent: 20
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: mirror2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
mirroring:
|
||||
name: wrr2
|
||||
kind: TraefikService
|
||||
mirrors:
|
||||
- name: s2
|
||||
# Optional, as it is the default value
|
||||
kind: Service
|
||||
percent: 20
|
||||
port: 80
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroute
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
- web-secure
|
||||
routes:
|
||||
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||
kind: Rule
|
||||
priority: 12
|
||||
# defining several services is possible and allowed, but for now the servers of
|
||||
# all the services (for a given route) get merged altogether under the same
|
||||
# load-balancing strategy.
|
||||
services:
|
||||
- name: s1
|
||||
port: 80
|
||||
healthCheck:
|
||||
path: /health
|
||||
host: baz.com
|
||||
intervalSeconds: 7
|
||||
timeoutSeconds: 60
|
||||
# strategy defines the load balancing strategy between the servers. It defaults
|
||||
# to Round Robin, and for now only Round Robin is supported anyway.
|
||||
strategy: RoundRobin
|
||||
- name: s2
|
||||
port: 433
|
||||
healthCheck:
|
||||
path: /health
|
||||
host: baz.com
|
||||
intervalSeconds: 7
|
||||
timeoutSeconds: 60
|
||||
- match: PathPrefix(`/misc`)
|
||||
services:
|
||||
- name: s3
|
||||
port: 80
|
||||
middlewares:
|
||||
- name: stripprefix
|
||||
- name: addprefix
|
||||
- match: PathPrefix(`/misc`)
|
||||
services:
|
||||
- name: s3
|
||||
# Optional, as it is the default value
|
||||
kind: Service
|
||||
port: 8443
|
||||
# scheme allow to override the scheme for the service. (ex: https or h2c)
|
||||
scheme: https
|
||||
- match: PathPrefix(`/lb`)
|
||||
services:
|
||||
- name: wrr1
|
||||
kind: TraefikService
|
||||
- match: PathPrefix(`/mirrored`)
|
||||
services:
|
||||
- name: mirror1
|
||||
kind: TraefikService
|
||||
# use an empty tls object for TLS with Let's Encrypt
|
||||
tls:
|
||||
secretName: supersecret
|
||||
options:
|
||||
name: myTLSOption
|
||||
namespace: default
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
name: ingressroutetcp.crd
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- footcp
|
||||
routes:
|
||||
- match: HostSNI(`bar.com`)
|
||||
services:
|
||||
- name: whoamitcp
|
||||
port: 8080
|
||||
tls:
|
||||
secretName: foosecret
|
||||
passthrough: false
|
||||
options:
|
||||
name: myTLSOption
|
||||
namespace: default
|
|
@ -3,6 +3,20 @@
|
|||
Dynamic configuration with Kubernetes Custom Resource
|
||||
{: .subtitle }
|
||||
|
||||
## Definitions
|
||||
|
||||
```yaml
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
|
||||
```
|
||||
|
||||
## Resources
|
||||
|
||||
```yaml
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
|
||||
```
|
||||
|
||||
## RBAC
|
||||
|
||||
```yaml
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
```
|
||||
|
|
|
@ -3,79 +3,325 @@
|
|||
The Kubernetes Ingress Controller, The Custom Resource Way.
|
||||
{: .subtitle }
|
||||
|
||||
## Resource Configuration
|
||||
## Configuration Examples
|
||||
|
||||
If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../../reference/dynamic-configuration/kubernetes-crd.md) reference.
|
||||
??? example "Configuring KubernetesCRD and Deploying/Exposing Services"
|
||||
|
||||
### Traefik IngressRoute definition
|
||||
|
||||
```yaml
|
||||
--8<-- "content/routing/providers/crd_ingress_route.yml"
|
||||
```yaml tab="Resource Definition"
|
||||
# All resources definition must be declared
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
|
||||
```
|
||||
|
||||
That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in:
|
||||
```yaml tab="RBAC"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
```
|
||||
|
||||
```yaml tab="Traefik"
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
|
||||
---
|
||||
kind: Deployment
|
||||
apiVersion: extensions/v1beta1
|
||||
metadata:
|
||||
name: traefik
|
||||
labels:
|
||||
app: traefik
|
||||
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: traefik
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: traefik
|
||||
spec:
|
||||
serviceAccountName: traefik-ingress-controller
|
||||
containers:
|
||||
- name: traefik
|
||||
image: traefik:v2.1
|
||||
args:
|
||||
- --log.level=DEBUG
|
||||
- --api
|
||||
- --api.insecure
|
||||
- --entrypoints.web.address=:80
|
||||
- --providers.kubernetescrd
|
||||
ports:
|
||||
- name: web
|
||||
containerPort: 80
|
||||
- name: admin
|
||||
containerPort: 8080
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: traefik
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
selector:
|
||||
app: traefik
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
name: web
|
||||
targetPort: 80
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
name: admin
|
||||
targetPort: 8080
|
||||
```
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: myingressroute
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
|
||||
routes:
|
||||
- match: Host(`foo`) && PathPrefix(`/bar`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: whoami
|
||||
port: 80
|
||||
```
|
||||
|
||||
```yaml tab="Whoami"
|
||||
kind: Deployment
|
||||
apiVersion: extensions/v1beta1
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: default
|
||||
labels:
|
||||
app: containous
|
||||
name: whoami
|
||||
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
matchLabels:
|
||||
app: containous
|
||||
task: whoami
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: containous
|
||||
task: whoami
|
||||
spec:
|
||||
containers:
|
||||
- name: containouswhoami
|
||||
image: containous/whoami
|
||||
ports:
|
||||
- containerPort: 80
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: whoami
|
||||
```
|
||||
|
||||
## Routing Configuration
|
||||
|
||||
### Custom Resource Definition (CRD)
|
||||
|
||||
* You can find an exhaustive list, generated from Traefik's source code, of the custom resources and their attributes in [the reference page](../../reference/dynamic-configuration/kubernetes-crd.md).
|
||||
* Validate that [the prerequisites](../../providers/kubernetes-crd.md#configuration-requirements) are fulfilled before using the Traefik custom resources.
|
||||
* Traefik CRDs are building blocks that you can assemble according to your needs.
|
||||
|
||||
You can find an excerpt of the available custom resources in the table below:
|
||||
|
||||
| Kind | Purpose | Concept Behind |
|
||||
|------------------------------------------|---------------------------------------------------------------|----------------------------------------------------------------|
|
||||
| [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) |
|
||||
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/overview.md) |
|
||||
| [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) |
|
||||
| [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) |
|
||||
| [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) |
|
||||
|
||||
### Kind: `IngressRoute`
|
||||
|
||||
`IngressRoute` is the CRD implementation of a [Traefik HTTP router](../routers/index.md#configuring-http-routers).
|
||||
|
||||
Register the `IngressRoute` kind in the Kubernetes cluster before creating `IngressRoute` objects.
|
||||
|
||||
!!! info "IngressRoute Attributes"
|
||||
|
||||
```yaml
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutefoo
|
||||
name: foo
|
||||
namespace: bar
|
||||
spec:
|
||||
entryPoints: # [1]
|
||||
- foo
|
||||
routes: # [2]
|
||||
- kind: Rule
|
||||
match: Host(`test.domain.com`) # [3]
|
||||
priority: 10 # [4]
|
||||
middlewares: # [5]
|
||||
- name: middleware1 # [6]
|
||||
namespace: default # [7]
|
||||
services: # [8]
|
||||
- kind: Service
|
||||
name: foo
|
||||
namespace: default
|
||||
passHostHeader: true
|
||||
port: 80
|
||||
responseForwarding:
|
||||
flushInterval: 1ms
|
||||
scheme: https
|
||||
sticky:
|
||||
cookie:
|
||||
httpOnly: true
|
||||
name: cookie
|
||||
secure: true
|
||||
strategy: RoundRobin
|
||||
weight: 10
|
||||
tls: # [9]
|
||||
secretName: supersecret # [10]
|
||||
options: # [11]
|
||||
name: opt # [12]
|
||||
namespace: default # [13]
|
||||
certResolver: foo # [14]
|
||||
domains: # [15]
|
||||
- main: foo.com # [16]
|
||||
sans: # [17]
|
||||
- a.foo.com
|
||||
- b.foo.com
|
||||
```
|
||||
|
||||
| Ref | Attribute | Purpose |
|
||||
|------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| [1] | `entryPoints` | List of [entry points](../routers/index.md#entrypoints) name |
|
||||
| [2] | `routes` | List of route |
|
||||
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule) corresponding to an underlying router. |
|
||||
| [4] | `routes[n].priority` | [Disambiguate](../routers/index.md#priority) rules of the same length, for route matching |
|
||||
| [5] | `routes[n].middlewares` | List of reference to [Middleware](#kind-middleware) |
|
||||
| [6] | `middlewares[n].name` | Defines the [Middleware](#kind-middleware) name |
|
||||
| [7] | `middlewares[n].namespace` | Defines the [Middleware](#kind-middleware) namespace |
|
||||
| [8] | `routes[n].services` | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [9] | `tls` | Defines [TLS](../routers/index.md#tls) certificate configuration |
|
||||
| [10] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
|
||||
| [11] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
|
||||
| [12] | `options.name` | Defines the [TLSOption](#kind-tlsoption) name |
|
||||
| [13] | `options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
|
||||
| [14] | `tls.cetResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver) |
|
||||
| [15] | `tls.domains` | List of [domains](../routers/index.md#domains) |
|
||||
| [16] | `domains[n].main` | Defines the main domain name |
|
||||
| [17] | `domains[n].sans` | List of SANs (alternative domains) |
|
||||
|
||||
??? example "Declaring an IngressRoute"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
# All resources definition must be declared
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: testName
|
||||
namespace: default
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
# Match is the rule corresponding to an underlying router.
|
||||
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
|
||||
# but for now we only support a traefik style matching rule.
|
||||
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
|
||||
# "Parameter", etc, to support simpler forms of rule matching, but for now we
|
||||
# only support "Rule".
|
||||
kind: Rule
|
||||
# (optional) Priority disambiguates rules of the same length, for route matching.
|
||||
priority: 12
|
||||
- kind: Rule
|
||||
match: Host(`test.domain.com`)
|
||||
middlewares:
|
||||
- name: middleware1
|
||||
namespace: default
|
||||
priority: 10
|
||||
services:
|
||||
- name: whoami
|
||||
port: 80
|
||||
# (default 1) A weight used by the weighted round-robin strategy (WRR).
|
||||
weight: 1
|
||||
# (default true) PassHostHeader controls whether to leave the request's Host
|
||||
# Header as it was before it reached the proxy, or whether to let the proxy set it
|
||||
# to the destination (backend) host.
|
||||
- kind: Service
|
||||
name: foo
|
||||
namespace: default
|
||||
passHostHeader: true
|
||||
port: 80
|
||||
responseForwarding:
|
||||
# (default 100ms) Interval between flushes of the buffered response body to the client.
|
||||
flushInterval: 100ms
|
||||
flushInterval: 1ms
|
||||
scheme: https
|
||||
sticky:
|
||||
cookie:
|
||||
httpOnly: true
|
||||
name: cookie
|
||||
secure: true
|
||||
strategy: RoundRobin
|
||||
weight: 10
|
||||
tls:
|
||||
certResolver: foo
|
||||
domains:
|
||||
- main: foo.com
|
||||
sans:
|
||||
- a.foo.com
|
||||
- b.foo.com
|
||||
options:
|
||||
name: opt
|
||||
namespace: default
|
||||
secretName: supersecret
|
||||
```
|
||||
|
||||
---
|
||||
```yaml tab="Middlewares"
|
||||
# All resources definition must be declared
|
||||
# Prefixing with /foo
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: ingressroutetcpfoo.crd
|
||||
name: middleware1
|
||||
namespace: default
|
||||
spec:
|
||||
addPrefix:
|
||||
prefix: /foo
|
||||
```
|
||||
|
||||
```yaml tab="TLSOption"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: opt
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- footcp
|
||||
routes:
|
||||
# Match is the rule corresponding to an underlying router.
|
||||
- match: HostSNI(`*`)
|
||||
services:
|
||||
- name: whoamitcp
|
||||
port: 8080
|
||||
minVersion: VersionTLS12
|
||||
```
|
||||
|
||||
### Middleware
|
||||
```yaml tab="Secret"
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: supersecret
|
||||
|
||||
Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind.
|
||||
|
||||
```yaml
|
||||
--8<-- "content/routing/providers/crd_middlewares.yml"
|
||||
data:
|
||||
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||
```
|
||||
|
||||
Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as:
|
||||
### Kind: `Middleware`
|
||||
|
||||
```yaml
|
||||
`Middleware` is the CRD implementation of a [Traefik middleware](../../middlewares/overview.md).
|
||||
|
||||
Register the `Middleware` kind in the Kubernetes cluster before creating `Middleware` objects or referencing middlewares in the [`IngressRoute`](#kind-ingressroute) objects.
|
||||
|
||||
??? "Declaring and Referencing a Middleware"
|
||||
|
||||
```yaml tab="Middleware"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
|
@ -86,8 +332,9 @@ spec:
|
|||
stripPrefix:
|
||||
prefixes:
|
||||
- /stripit
|
||||
```
|
||||
|
||||
---
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
|
@ -111,28 +358,116 @@ spec:
|
|||
|
||||
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
|
||||
(in the reference to the middleware) with the [provider namespace](../../middlewares/overview.md#provider-namespace),
|
||||
when the definition of the middleware is from another provider.
|
||||
when the definition of the middleware comes from another provider.
|
||||
In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
|
||||
|
||||
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
|
||||
|
||||
### Services
|
||||
### Kind: `TraefikService`
|
||||
|
||||
If one needs a setup more sophisticated than a load-balancer of servers (which is a Kubernetes Service kind behind the scenes),
|
||||
one can define and use additional service objects specific to Traefik, based on the `TraefikService` kind defined in the CRD below.
|
||||
`TraefikService` is the CRD implementation of a ["Traefik Service"](../services/index.md).
|
||||
|
||||
```yaml
|
||||
--8<-- "content/routing/providers/crd_traefikservice.yml"
|
||||
Register the `TraefikService` kind in the Kubernetes cluster before creating `TraefikService` objects,
|
||||
referencing services in the [`IngressRoute`](#kind-ingressroute)/[`IngressRouteTCP`](#kind-ingressroutetcp) objects or recursively in others `TraefikService` objects.
|
||||
|
||||
!!! info "Disambiguate Traefik and Kubernetes Services "
|
||||
|
||||
As the field `name` can reference different types of objects, use the field `kind` to avoid any ambiguity.
|
||||
|
||||
The field `kind` allows the following values:
|
||||
|
||||
* `Service` (default value): to reference a [Kubernetes Service](https://kubernetes.io/docs/concepts/services-networking/service/)
|
||||
* `TraefikService`: to reference another [Traefik Service](../services/index.md)
|
||||
|
||||
`TraefikService` object allows to use any (valid) combinations of:
|
||||
|
||||
* servers [load balancing](#server-load-balancing).
|
||||
* services [Weighted Round Robin](#weighted-round-robin) load balancing.
|
||||
* services [mirroring](#mirroring).
|
||||
|
||||
|
||||
#### Server Load Balancing
|
||||
|
||||
More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
|
||||
|
||||
??? "Declaring and Using Server Load Balancing"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutebar
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`bar.com`) && PathPrefix(`/foo`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: svc1
|
||||
namespace: default
|
||||
- name: svc2
|
||||
namespace: default
|
||||
```
|
||||
|
||||
Once the `TraefikService` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions
|
||||
(as well as recursively in other Traefik Services), such as below.
|
||||
Note how the `name` field in the IngressRoute definition now refers to a TraefikService instead of a (Kubernetes) Service.
|
||||
The reason this is allowed, and why a `name` can refer either to a TraefikService or a Service,
|
||||
is because the `kind` field is used to break the ambiguity. The allowed values for this field are `TraefikService`, or `Service`
|
||||
(which is the default value).
|
||||
```yaml tab="K8s Service"
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc1
|
||||
namespace: default
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app2
|
||||
```
|
||||
|
||||
#### Weighted Round Robin
|
||||
|
||||
More information in the dedicated [Weighted Round Robin](../services/index.md#weighted-round-robin-service) service load balancing section.
|
||||
|
||||
??? "Declaring and Using Weighted Round Robin"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutebar
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`bar.com`) && PathPrefix(`/foo`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: wrr1
|
||||
namespace: default
|
||||
kind: TraefikService
|
||||
```
|
||||
|
||||
```yaml tab="Weighted Round Robin"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
|
@ -142,38 +477,91 @@ metadata:
|
|||
spec:
|
||||
weighted:
|
||||
services:
|
||||
- name: s2
|
||||
kind: Service
|
||||
- name: svc1
|
||||
port: 80
|
||||
weight: 1
|
||||
- name: s3
|
||||
- name: wrr2
|
||||
kind: TraefikService
|
||||
weight: 1
|
||||
- name: mirror1
|
||||
kind: TraefikService
|
||||
weight: 1
|
||||
port: 80
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: mirror1
|
||||
name: wrr2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
mirroring:
|
||||
name: wrr1
|
||||
kind: TraefikService
|
||||
mirrors:
|
||||
- name: s1
|
||||
percent: 20
|
||||
weighted:
|
||||
services:
|
||||
- name: svc2
|
||||
port: 80
|
||||
weight: 1
|
||||
- name: svc3
|
||||
port: 80
|
||||
weight: 1
|
||||
```
|
||||
|
||||
```yaml tab="K8s Service"
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app2
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc3
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app3
|
||||
```
|
||||
|
||||
#### Mirroring
|
||||
|
||||
More information in the dedicated [mirroring](../services/index.md#mirroring-service) service section.
|
||||
|
||||
??? "Declaring and Using Mirroring"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutebar
|
||||
namespace: default
|
||||
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
|
@ -186,26 +574,252 @@ spec:
|
|||
kind: TraefikService
|
||||
```
|
||||
|
||||
```yaml tab="Mirroring k8s Service"
|
||||
# Mirroring from a k8s Service
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: mirror1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
mirroring:
|
||||
name: svc1
|
||||
port: 80
|
||||
mirrors:
|
||||
- name: svc2
|
||||
port: 80
|
||||
percent: 20
|
||||
- name: svc3
|
||||
kind: TraefikService
|
||||
percent: 20
|
||||
```
|
||||
|
||||
```yaml tab="Mirroring Traefik Service"
|
||||
# Mirroring from a Traefik Service
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TraefikService
|
||||
metadata:
|
||||
name: mirror1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
mirroring:
|
||||
name: wrr1
|
||||
kind: TraefikService
|
||||
mirrors:
|
||||
- name: svc2
|
||||
port: 80
|
||||
percent: 20
|
||||
- name: svc3
|
||||
kind: TraefikService
|
||||
percent: 20
|
||||
```
|
||||
|
||||
```yaml tab="K8s Service"
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: containous
|
||||
task: app2
|
||||
```
|
||||
|
||||
!!! important "References and namespaces"
|
||||
|
||||
If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the current resource.
|
||||
|
||||
Additionally, when the definition of the `TraefikService` is from another provider,
|
||||
the cross-provider syntax (service@provider) should be used to refer to the `TraefikService`, just as in the middleware case.
|
||||
the cross-provider syntax (`service@provider`) should be used to refer to the `TraefikService`, just as in the middleware case.
|
||||
|
||||
Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is `kubernetescrd`).
|
||||
|
||||
### TLS Option
|
||||
### Kind `IngressRouteTCP`
|
||||
|
||||
Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
|
||||
More information about TLS Options is available in the dedicated [TLS Configuration Options](../../../https/tls/#tls-options).
|
||||
`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../routers/index.md#configuring-tcp-routers).
|
||||
|
||||
Register the `IngressRouteTCP` kind in the Kubernetes cluster before creating `IngressRouteTCP` objects.
|
||||
|
||||
!!! info "IngressRouteTCP Attributes"
|
||||
|
||||
```yaml
|
||||
--8<-- "content/routing/providers/crd_tls_option.yml"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
name: ingressroutetcpfoo
|
||||
|
||||
spec:
|
||||
entryPoints: # [1]
|
||||
- footcp
|
||||
routes: # [2]
|
||||
- match: HostSNI(`*`) # [3]
|
||||
services: # [4]
|
||||
- name: foo # [5]
|
||||
port: 8080 # [6]
|
||||
weight: 10 # [7]
|
||||
TerminationDelay: 400 # [8]
|
||||
tls: # [9]
|
||||
secretName: supersecret # [10]
|
||||
options: # [11]
|
||||
name: opt # [12]
|
||||
namespace: default # [13]
|
||||
certResolver: foo # [14]
|
||||
domains: # [15]
|
||||
- main: foo.com # [16]
|
||||
sans: # [17]
|
||||
- a.foo.com
|
||||
- b.foo.com
|
||||
passthrough: false # [18]
|
||||
```
|
||||
|
||||
Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as:
|
||||
| Ref | Attribute | Purpose |
|
||||
|------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) name |
|
||||
| [2] | `routes` | List of route |
|
||||
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) corresponding to an underlying router. |
|
||||
| [4] | `routes[n].services` | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [5] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [6] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [7] | `services[n].weight` | Defines the weight to apply to the server load balancing |
|
||||
| [8] | `services[n].TerminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection.<br/>It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
|
||||
| [9] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
|
||||
| [10] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
|
||||
| [11] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
|
||||
| [12] | `options.name` | Defines the [TLSOption](#kind-tlsoption) name |
|
||||
| [13] | `options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
|
||||
| [14] | `tls.cetResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
|
||||
| [15] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
|
||||
| [16] | `domains[n].main` | Defines the main domain name |
|
||||
| [17] | `domains[n].sans` | List of SANs (alternative domains) |
|
||||
| [18] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
|
||||
|
||||
```yaml
|
||||
??? example "Declaring an IngressRouteTCP"
|
||||
|
||||
```yaml tab="IngressRouteTCP"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
name: ingressroutetcpfoo
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- footcp
|
||||
routes:
|
||||
# Match is the rule corresponding to an underlying router.
|
||||
- match: HostSNI(`*`)
|
||||
services:
|
||||
- name: foo
|
||||
port: 8080
|
||||
TerminationDelay: 400
|
||||
weight: 10
|
||||
- name: bar
|
||||
port: 8081
|
||||
TerminationDelay: 500
|
||||
weight: 10
|
||||
tls:
|
||||
certResolver: foo
|
||||
domains:
|
||||
- main: foo.com
|
||||
sans:
|
||||
- a.foo.com
|
||||
- b.foo.com
|
||||
options:
|
||||
name: opt
|
||||
namespace: default
|
||||
secretName: supersecret
|
||||
passthrough: false
|
||||
```
|
||||
|
||||
```yaml tab="TLSOption"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: opt
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
minVersion: VersionTLS12
|
||||
```
|
||||
|
||||
```yaml tab="Secret"
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: supersecret
|
||||
|
||||
data:
|
||||
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||
```
|
||||
|
||||
### Kind: `TLSOption`
|
||||
|
||||
`TLSOption` is the CRD implementation of a [Traefik "TLS Option"](../../https/tls.md#tls-options).
|
||||
|
||||
Register the `TLSOption` kind in the Kubernetes cluster before creating `TLSOption` objects
|
||||
or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`IngressRouteTCP`](#kind-ingressroutetcp) objects.
|
||||
|
||||
!!! info "TLSOption Attributes"
|
||||
|
||||
```yaml tab="TLSOption"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: mytlsoption
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
minVersion: VersionTLS12 # [1]
|
||||
maxVersion: VersionTLS13 # [1]
|
||||
curvePreferences: # [3]
|
||||
- CurveP521
|
||||
- CurveP384
|
||||
cipherSuites: # [4]
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientAuth: # [5]
|
||||
secretNames: # [6]
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
clientAuthType: VerifyClientCertIfGiven # [7]
|
||||
sniStrict: true # [8]
|
||||
```
|
||||
|
||||
| Ref | Attribute | Purpose |
|
||||
|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| [1] | `minVersion` | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable |
|
||||
| [2] | `maxVersion` | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable |
|
||||
| [3] | `cipherSuites` | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2 |
|
||||
| [4] | `curvePreferences` | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order |
|
||||
| [5] | `clientAuth` | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls) |
|
||||
| [6] | `clientAuth.secretNames` | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace) |
|
||||
| [7] | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert` |
|
||||
| [8] | `sniStrict` | if `true`, Traefik won't allow connections from clients connections that do not specify a server_name extension |
|
||||
|
||||
??? example "Declaring and referencing a TLSOption"
|
||||
|
||||
```yaml tab="TLSOption"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
|
@ -214,8 +828,18 @@ metadata:
|
|||
|
||||
spec:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
```
|
||||
|
||||
---
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
|
@ -236,6 +860,27 @@ spec:
|
|||
namespace: default
|
||||
```
|
||||
|
||||
```yaml tab="Secrets"
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secretCA1
|
||||
namespace: default
|
||||
|
||||
data:
|
||||
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secretCA2
|
||||
namespace: default
|
||||
|
||||
data:
|
||||
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||
```
|
||||
|
||||
!!! important "References and namespaces"
|
||||
|
||||
If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
|
||||
|
@ -245,39 +890,6 @@ spec:
|
|||
just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
|
||||
Specifying a namespace attribute in this case would not make any sense, and will be ignored.
|
||||
|
||||
### TLS
|
||||
|
||||
To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: supersecret
|
||||
|
||||
data:
|
||||
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutetls
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: whoami
|
||||
port: 443
|
||||
tls:
|
||||
secretName: supersecret
|
||||
```
|
||||
|
||||
## Further
|
||||
|
||||
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.
|
||||
|
|
Loading…
Reference in a new issue