baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge v2.5 into master

Browse source
This commit is contained in:
romain 2021-07-20 15:38:53 +02:00
parent ca2ff214c4 a5b169c563
commit 36ffdf548d
81 changed files with 6800 additions and 2301 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
CHANGELOG.md
View file

@ -1,3 +1,26 @@
## [v2.4.11](https://github.com/traefik/traefik/tree/v2.4.11) (2021-07-15)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.11)
**Bug fixes:**
- **[k8s,k8s/crd,k8s/ingress]** Disable ExternalName Services by default on Kubernetes providers ([#8261](https://github.com/traefik/traefik/pull/8261) by [dtomcej](https://github.com/dtomcej))
- **[k8s,k8s/crd,k8s/ingress]** Fix: malformed Kubernetes resource names and references in tests ([#8226](https://github.com/traefik/traefik/pull/8226) by [rtribotte](https://github.com/rtribotte))
- **[k8s,k8s/crd]** Disable Cross-Namespace by default for IngressRoute provider ([#8260](https://github.com/traefik/traefik/pull/8260) by [dtomcej](https://github.com/dtomcej))
- **[logs,middleware]** Accesslog: support multiple values for a given header ([#8258](https://github.com/traefik/traefik/pull/8258) by [ldez](https://github.com/ldez))
- **[logs]** Ignore http 1.0 request host missing errors ([#8252](https://github.com/traefik/traefik/pull/8252) by [dtomcej](https://github.com/dtomcej))
- **[middleware]** Headers Middleware: support http.CloseNotifier interface ([#8238](https://github.com/traefik/traefik/pull/8238) by [dtomcej](https://github.com/dtomcej))
- **[tls]** Detect certificates content modifications ([#8243](https://github.com/traefik/traefik/pull/8243) by [jbdoumenjou](https://github.com/jbdoumenjou))
**Documentation:**
- **[middleware,k8s]** Fix invalid subdomain ([#8212](https://github.com/traefik/traefik/pull/8212) by [WLun001](https://github.com/WLun001))
- Add the list of available provider names ([#8225](https://github.com/traefik/traefik/pull/8225) by [WLun001](https://github.com/WLun001))
- Fix maintainers-guidelines page title ([#8216](https://github.com/traefik/traefik/pull/8216) by [kubopanda](https://github.com/kubopanda))
- Typos in contributing section ([#8215](https://github.com/traefik/traefik/pull/8215) by [kubopanda](https://github.com/kubopanda))
## [v2.4.10](https://github.com/traefik/traefik/tree/v2.4.10) (2021-07-13)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.10)
Release canceled.
## [v2.5.0-rc2](https://github.com/traefik/traefik/tree/v2.5.0-rc2) (2021-06-28)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.0-rc1...v2.5.0-rc2)

9
Makefile
View file

@ -96,6 +96,15 @@ test-integration: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
TEST_HOST=1 ./script/make.sh test-integration
## Run the container integration tests
test-integration-container: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
## Run the host integration tests
test-integration-host: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary
TEST_HOST=1 ./script/make.sh test-integration
## Validate code and docs
validate-files: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell

34
cmd/internal/gen/centrifuge.go
View file

@ -12,6 +12,7 @@ import (
"os"
"path"
"path/filepath"
"reflect"
"sort"
"strings"
@ -183,15 +184,15 @@ func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string,
continue
}
values, ok := lookupTagValue(obj.Tag(i), "json")
if len(values) > 0 && values[0] == "-" {
continue
}
b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
tags := obj.Tag(i)
if tags != "" {
tg := extractJSONTag(tags)
if tg != `json:"-"` {
b.WriteString(fmt.Sprintf(" `%s`", tg))
}
if ok {
b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
}
b.WriteString("\n")
@ -202,16 +203,19 @@ func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string,
return b.String()
}
func extractJSONTag(value string) string {
fields := strings.Fields(value)
for _, field := range fields {
if strings.HasPrefix(field, `json:"`) {
return field
}
func lookupTagValue(raw, key string) ([]string, bool) {
value, ok := reflect.StructTag(raw).Lookup(key)
if !ok {
return nil, ok
}
return ""
values := strings.Split(value, ",")
if len(values) < 1 {
return nil, true
}
return values, true
}
func extractPackage(t types.Type) string {

13
docs/content/getting-started/faq.md
View file

@ -124,3 +124,16 @@ http:
If there is a need for a response code other than a `503` and/or a custom message,
the principle of the above example above (a catchall router) still stands,
but the `unavailable` service should be adapted to fit such a need.
## Why Is My TLS Certificate Not Reloaded When Its Contents Change ?
With the file provider,
a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
Which is why, when a certificate is defined by path,
and the actual contents of this certificate change,
a configuration update is _not_ triggered.
To take into account the new certificate contents, the update of the dynamic configuration must be forced.
One way to achieve that, is to trigger a file notification,
for example, by using the `touch` command on the configuration file.

15
docs/content/migration/v2.md
View file

@ -365,6 +365,17 @@ For more information, please read the [HTTP routers rule](../routing/routers/ind
In `v2.4.9`, we changed span error to log only server errors (>= 500).
## v2.4.9 to v2.4.10
### K8S CrossNamespace
In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
### K8S ExternalName Service
In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
To allow it, the `allowExternalNameServices` option should be set to `true`.
## v2.4 to v2.5
### Kubernetes CRD
@ -387,8 +398,6 @@ The `extensions/v1beta1` API Version should now be replaced either by `networkin
The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernetes v1.22.
## v2.5 to v2.6
### Headers middleware: ssl redirect options
`sslRedirect`, `sslTemporaryRedirect`, `sslHost` and `sslForceHost` are deprecated in Traefik v2.5.
@ -399,4 +408,4 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
### Headers middleware: accessControlAllowOrigin
`accessControlAllowOrigin` is no longer supported.
`accessControlAllowOrigin` is no longer supported in Traefik v2.5.

75
docs/content/providers/consul-catalog.md
View file

@ -556,6 +556,81 @@ providers:
# ...
```
### `connectAware`
_Optional, Default=false_
Enable Consul Connect support.
If set to `true`, Traefik will be enabled to communicate with Connect services.
```toml tab="File (TOML)"
[providers.consulCatalog]
connectAware = true
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
connectAware: true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.connectAware=true
# ...
```
### `connectByDefault`
_Optional, Default=false_
Consider every service as Connect capable by default.
If set to `true`, Traefik will consider every Consul Catalog service to be Connect capable by default.
The option can be overridden on an instance basis with the `traefik.consulcatalog.connect` tag.
```toml tab="File (TOML)"
[providers.consulCatalog]
connectByDefault = true
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
connectByDefault: true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.connectByDefault=true
# ...
```
### `serviceName`
_Optional, Default="traefik"_
Name of the Traefik service in Consul Catalog.
```toml tab="File (TOML)"
[providers.consulCatalog]
serviceName = "test"
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
serviceName: test
# ...
```
```bash tab="CLI"
--providers.consulcatalog.serviceName=test
# ...
```
### `constraints`
_Optional, Default=""_

37
docs/content/providers/kubernetes-crd.md
View file

@ -266,29 +266,48 @@ providers:
### `allowCrossNamespace`
_Optional, Default: true_
_Optional, Default: false_
If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
!!! warning "Deprecation"
Please note that the default value for this option will be set to `false` in a future version.
If the parameter is set to `true`, IngressRoutes are able to reference resources in other namespaces than theirs.
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
allowCrossNamespace: false
allowCrossNamespace: true
# ...
```
```toml tab="File (TOML)"
[providers.kubernetesCRD]
allowCrossNamespace = false
allowCrossNamespace = true
# ...
```
```bash tab="CLI"
--providers.kubernetescrd.allowCrossNamespace=false
--providers.kubernetescrd.allowCrossNamespace=true
```
### `allowExternalNameServices`
_Optional, Default: false_
If the parameter is set to `true`, IngressRoutes are able to reference ExternalName services.
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
allowExternalNameServices: true
# ...
```
```toml tab="File (TOML)"
[providers.kubernetesCRD]
allowExternalNameServices = true
# ...
```
```bash tab="CLI"
--providers.kubernetescrd.allowexternalnameservices=true
```
## Full Example

4
docs/content/providers/kubernetes-gateway.md
View file

@ -9,7 +9,7 @@ The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
specifications from the Kubernetes Special Interest Groups (SIGs).
This provider is proposed as an experimental feature and partially supports the Gateway API [v0.2.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.2.0) specification.
This provider is proposed as an experimental feature and partially supports the Gateway API [v0.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.3.0) specification.
!!! warning "Enabling The Experimental Kubernetes Gateway Provider"
@ -77,7 +77,7 @@ The [getting started guide](https://gateway-api.sigs.k8s.io/guides/getting-start
!!! note ""
Keep in mind that the Traefik Gateway provider only supports the `v0.2.0`.
Keep in mind that the Traefik Gateway provider only supports the `v0.3.0`.
For now, the Traefik Gateway Provider can be used while following the below guides:

23
docs/content/providers/kubernetes-ingress.md
View file

@ -464,6 +464,29 @@ providers:
Allow the creation of services if there are no endpoints available.
This results in `503` http responses instead of `404`.
### `allowExternalNameServices`
_Optional, Default: false_
If the parameter is set to `true`, Ingresses are able to reference ExternalName services.
```yaml tab="File (YAML)"
providers:
kubernetesIngress:
allowExternalNameServices: true
# ...
```
```toml tab="File (TOML)"
[providers.kubernetesIngress]
allowExternalNameServices = true
# ...
```
```bash tab="CLI"
--providers.kubernetesingress.allowexternalnameservices=true
```
### Further
To learn more about the various aspects of the Ingress specification that Traefik supports,

1
docs/content/reference/dynamic-configuration/consul-catalog.yml
View file

@ -1 +1,2 @@
- "traefik.enable=true"
- "traefik.consulcatalog.connect=true"

2
docs/content/reference/dynamic-configuration/file.toml
View file

@ -278,6 +278,7 @@
rootCAs = ["foobar", "foobar"]
maxIdleConnsPerHost = 42
disableHTTP2 = true
peerCertURI = "foobar"
[[http.serversTransports.ServersTransport0.certificates]]
certFile = "foobar"
@ -296,6 +297,7 @@
rootCAs = ["foobar", "foobar"]
maxIdleConnsPerHost = 42
disableHTTP2 = true
peerCertURI = "foobar"
[[http.serversTransports.ServersTransport1.certificates]]
certFile = "foobar"

2
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -329,6 +329,7 @@ http:
responseHeaderTimeout: 42s
idleConnTimeout: 42s
disableHTTP2: true
peerCertURI: foobar
ServersTransport1:
serverName: foobar
insecureSkipVerify: true
@ -346,6 +347,7 @@ http:
responseHeaderTimeout: 42s
idleConnTimeout: 42s
disableHTTP2: true
peerCertURI: foobar
tcp:
routers:
TCPRouter0:

2
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -174,6 +174,7 @@
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/responseHeaderTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/insecureSkipVerify` | `true` |
| `traefik/http/serversTransports/ServersTransport0/maxIdleConnsPerHost` | `42` |
| `traefik/http/serversTransports/ServersTransport0/peerCertURI` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
@ -187,6 +188,7 @@
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/responseHeaderTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/insecureSkipVerify` | `true` |
| `traefik/http/serversTransports/ServersTransport1/maxIdleConnsPerHost` | `42` |
| `traefik/http/serversTransports/ServersTransport1/peerCertURI` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |

84
docs/content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml
View file

@ -4,12 +4,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: gatewayclasses.networking.x-k8s.io
spec:
group: networking.x-k8s.io
names:
categories:
- gateway-api
kind: GatewayClass
listKind: GatewayClassList
plural: gatewayclasses
@ -22,16 +24,25 @@ spec:
- jsonPath: .spec.controller
name: Controller
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n GatewayClass is a Cluster level resource."
description: "GatewayClass describes a class of Gateways available to the
user for creating Gateway resources. \n GatewayClass is a Cluster level
resource."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -39,11 +50,23 @@ spec:
description: Spec defines the desired state of GatewayClass.
properties:
controller:
description: "Controller is a domain/path string that indicates the controller that is managing Gateways of this class. \n Example: \"acme.io/gateway-controller\". \n This field is not mutable and cannot be empty. \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Support: Core"
description: "Controller is a domain/path string that indicates the
controller that is managing Gateways of this class. \n Example:
\"acme.io/gateway-controller\". \n This field is not mutable and
cannot be empty. \n The format of this field is DOMAIN \"/\" PATH,
where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Support: Core"
maxLength: 253
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Custom"
description: "ParametersRef is a reference to a resource that contains
the configuration parameters corresponding to the GatewayClass.
This is optional if the controller does not require any additional
configuration. \n ParametersRef can reference a standard Kubernetes
resource, i.e. ConfigMap, or an implementation-specific custom resource.
The resource can be cluster-scoped or namespace-scoped. \n If the
referent cannot be found, the GatewayClass's \"InvalidParameters\"
status condition will be true. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -61,13 +84,16 @@ spec:
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This field is required when scope is set to "Namespace" and ignored when scope is set to "Cluster".
description: Namespace is the namespace of the referent. This
field is required when scope is set to "Namespace" and ignored
when scope is set to "Cluster".
maxLength: 253
minLength: 1
type: string
scope:
default: Cluster
description: Scope represents if the referent is a Cluster or Namespace scoped resource. This may be set to "Cluster" or "Namespace".
description: Scope represents if the referent is a Cluster or
Namespace scoped resource. This may be set to "Cluster" or "Namespace".
enum:
- Cluster
- Namespace
@ -97,25 +123,49 @@ spec:
reason: Waiting
status: "False"
type: Admitted
description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition."
description: "Conditions is the current status from the controller
for this GatewayClass. \n Controllers should prefer to publish conditions
using values of GatewayClassConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@ -128,7 +178,11 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

395
docs/content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml
View file

@ -4,12 +4,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: gateways.networking.x-k8s.io
spec:
group: networking.x-k8s.io
names:
categories:
- gateway-api
kind: Gateway
listKind: GatewayList
plural: gateways
@ -22,16 +24,28 @@ spec:
- jsonPath: .spec.gatewayClassName
name: Class
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: "Gateway represents an instantiation of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. \n Implementations should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer on the associated GatewayClass whenever Gateway(s) is running. This ensures that a GatewayClass associated with a Gateway(s) is not deleted while in use."
description: "Gateway represents an instantiation of a service-traffic handling
infrastructure by binding Listeners to a set of IP addresses. \n Implementations
should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer
on the associated GatewayClass whenever Gateway(s) is running. This ensures
that a GatewayClass associated with a Gateway(s) is not deleted while in
use."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -39,9 +53,18 @@ spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
description: "Addresses requested for this gateway. This is optional and behavior can depend on the GatewayClass. If a value is set in the spec and the requested address is invalid, the GatewayClass MUST indicate this in the associated entry in GatewayStatus.Addresses. \n If no Addresses are specified, the GatewayClass may schedule the Gateway in an implementation-defined manner, assigning an appropriate set of Addresses. \n The GatewayClass MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway. \n Support: Core"
description: "Addresses requested for this gateway. This is optional
and behavior can depend on the GatewayClass. If a value is set in
the spec and the requested address is invalid, the GatewayClass
MUST indicate this in the associated entry in GatewayStatus.Addresses.
\n If no Addresses are specified, the GatewayClass may schedule
the Gateway in an implementation-defined manner, assigning an appropriate
set of Addresses. \n The GatewayClass MUST bind all Listeners to
every GatewayAddress that it assigns to the Gateway. \n Support:
Core"
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
@ -51,7 +74,9 @@ spec:
- NamedAddress
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
@ -61,70 +86,186 @@ spec:
maxItems: 16
type: array
gatewayClassName:
description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.
description: GatewayClassName used for this Gateway. This is the name
of a GatewayClass resource.
maxLength: 253
minLength: 1
type: string
listeners:
description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core"
description: "Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses. At
least one Listener MUST be specified. \n An implementation MAY group
Listeners by Port and then collapse each group of Listeners into
a single Listener if the implementation determines that the Listeners
in the group are \"compatible\". An implementation MAY also group
together and collapse compatible Listeners belonging to different
Gateways. \n For example, an implementation might consider Listeners
to be compatible with each other if all of the following conditions
are met: \n 1. Either each Listener within the group specifies the
\"HTTP\" Protocol or each Listener within the group specifies
either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener
within the group specifies a Hostname that is unique within the
group. \n 3. As a special case, one Listener within a group may
omit Hostname, in which case this Listener matches when no other
Listener matches. \n If the implementation does collapse compatible
Listeners, the hostname provided in the incoming client request
MUST be matched to a Listener to find the correct set of Routes.
The incoming hostname MUST be matched using the Hostname field for
each Listener in order of most to least specific. That is, exact
matches must be processed before wildcard matches. \n If this field
specifies multiple Listeners that have the same Port value but are
not compatible, the implementation must raise a \"Conflicted\" condition
in the Listener status. \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint where a Gateway can accept network connections. Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. This will be enforced by a validating webhook.
description: Listener embodies the concept of a logical endpoint
where a Gateway can accept network connections. Each listener
in a Gateway must have a unique combination of Hostname, Port,
and Protocol. This will be enforced by a validating webhook.
properties:
hostname:
description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, \"\", or `*`, all hostnames are matched. This field can be omitted for protocols that don't require hostname based matching. \n Hostname is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: \n 1. IP literals are not allowed. 2. The `:` delimiter is not respected because ports are not allowed. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). The wildcard character `*` must appear by itself as the first DNS label and matches only a single label. \n Support: Core"
description: "Hostname specifies the virtual hostname to match
for protocol types that define this concept. When unspecified,
\"\", or `*`, all hostnames are matched. This field can be
omitted for protocols that don't require hostname based matching.
\n Hostname is the fully qualified domain name of a network
host, as defined by RFC 3986. Note the following deviations
from the \"host\" part of the URI as defined in the RFC: \n
1. IP literals are not allowed. 2. The `:` delimiter is not
respected because ports are not allowed. \n Hostname can be
\"precise\" which is a domain name without the terminating
dot of a network host (e.g. \"foo.example.com\") or \"wildcard\",
which is a domain name prefixed with a single wildcard label
(e.g. `*.example.com`). The wildcard character `*` must appear
by itself as the first DNS label and matches only a single
label. \n Support: Core"
maxLength: 253
minLength: 1
type: string
port:
description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core"
description: "Port is the network port. Multiple listeners may
use the same port, subject to the Listener compatibility rules.
\n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: "Protocol specifies the network protocol this listener expects to receive. The GatewayClass MUST apply the Hostname match appropriately for each protocol: \n * For the \"TLS\" protocol, the Hostname match MUST be applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3) server name offered by the client. * For the \"HTTP\" protocol, the Hostname match MUST be applied to the host portion of the [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) * For the \"HTTPS\" protocol, the Hostname match MUST be applied at both the TLS and HTTP protocol layers. \n Support: Core"
description: "Protocol specifies the network protocol this listener
expects to receive. The GatewayClass MUST apply the Hostname
match appropriately for each protocol: \n * For the \"TLS\"
protocol, the Hostname match MUST be applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)
\ server name offered by the client. * For the \"HTTP\" protocol,
the Hostname match MUST be applied to the host portion of
the [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
\ or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
* For the \"HTTPS\" protocol, the Hostname match MUST be applied
at both the TLS and HTTP protocol layers. \n Support: Core"
type: string
routes:
description: "Routes specifies a schema for associating routes with the Listener using selectors. A Route is a resource capable of servicing a request and allows a cluster operator to expose a cluster resource (i.e. Service) by externally-reachable URL, load-balance traffic and terminate SSL/TLS. Typically, a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\", however, an implementation may support other types of resources. \n The Routes selector MUST select a set of objects that are compatible with the application protocol specified in the Protocol field. \n Although a client request may technically match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match. For example, the most specific HTTPRoute match is determined by the longest matching combination of hostname and path. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid portions of a Route selected by this field should be supported. Invalid portions of a Route can be ignored (sometimes that will mean the full Route). If a portion of a Route transitions from valid to invalid, support for that portion of the Route should be dropped to ensure consistency. For example, even if a filter specified by a Route is invalid, the rest of the Route should still be supported. \n Support: Core"
description: "Routes specifies a schema for associating routes
with the Listener using selectors. A Route is a resource capable
of servicing a request and allows a cluster operator to expose
a cluster resource (i.e. Service) by externally-reachable
URL, load-balance traffic and terminate SSL/TLS. Typically,
a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\",
however, an implementation may support other types of resources.
\n The Routes selector MUST select a set of objects that are
compatible with the application protocol specified in the
Protocol field. \n Although a client request may technically
match multiple route rules, only one rule may ultimately receive
the request. Matching precedence MUST be determined in order
of the following criteria: \n * The most specific match. For
example, the most specific HTTPRoute match is determined
by the longest matching combination of hostname and path.
* The oldest Route based on creation timestamp. For example,
a Route with a creation timestamp of \"2020-09-08 01:02:03\"
is given precedence over a Route with a creation timestamp
of \"2020-09-08 01:02:04\". * If everything else is equivalent,
the Route appearing first in alphabetical order (namespace/name)
should be given precedence. For example, foo/bar is given
precedence over foo/baz. \n All valid portions of a Route
selected by this field should be supported. Invalid portions
of a Route can be ignored (sometimes that will mean the full
Route). If a portion of a Route transitions from valid to
invalid, support for that portion of the Route should be dropped
to ensure consistency. For example, even if a filter specified
by a Route is invalid, the rest of the Route should still
be supported. \n Support: Core"
properties:
group:
default: networking.x-k8s.io
description: "Group is the group of the route resource to select. Omitting the value or specifying the empty string indicates the networking.x-k8s.io API group. For example, use the following to select an HTTPRoute: \n routes: kind: HTTPRoute \n Otherwise, if an alternative API group is desired, specify the desired group: \n routes: group: acme.io kind: FooRoute \n Support: Core"
description: "Group is the group of the route resource to
select. Omitting the value or specifying the empty string
indicates the networking.x-k8s.io API group. For example,
use the following to select an HTTPRoute: \n routes: kind:
HTTPRoute \n Otherwise, if an alternative API group is
desired, specify the desired group: \n routes: group:
acme.io kind: FooRoute \n Support: Core"
maxLength: 253
minLength: 1
type: string
kind:
description: "Kind is the kind of the route resource to select. \n Kind MUST correspond to kinds of routes that are compatible with the application protocol specified in the Listener's Protocol field. \n If an implementation does not support or recognize this resource type, it SHOULD set the \"ResolvedRefs\" condition to false for this listener with the \"InvalidRoutesRef\" reason. \n Support: Core"
description: "Kind is the kind of the route resource to
select. \n Kind MUST correspond to kinds of routes that
are compatible with the application protocol specified
in the Listener's Protocol field. \n If an implementation
does not support or recognize this resource type, it SHOULD
set the \"ResolvedRefs\" condition to false for this listener
with the \"InvalidRoutesRef\" reason. \n Support: Core"
type: string
namespaces:
default:
from: Same
description: "Namespaces indicates in which namespaces Routes should be selected for this Gateway. This is restricted to the namespace of this Gateway by default. \n Support: Core"
description: "Namespaces indicates in which namespaces Routes
should be selected for this Gateway. This is restricted
to the namespace of this Gateway by default. \n Support:
Core"
properties:
from:
default: Same
description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core"
description: "From indicates where Routes will be selected
for this Gateway. Possible values are: * All: Routes
in all namespaces may be used by this Gateway. * Selector:
Routes in namespaces selected by the selector may
be used by this Gateway. * Same: Only Routes in
the same namespace may be used by this Gateway. \n
Support: Core"
enum:
- All
- Selector
- Same
type: string
selector:
description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core"
description: "Selector must be specified when From is
set to \"Selector\". In that case, only Routes in
Namespaces matching this Selector will be selected
by this Gateway. This field is ignored for other values
of \"From\". \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
@ -136,26 +277,46 @@ spec:
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
selector:
description: "Selector specifies a set of route labels used for selecting routes to associate with the Gateway. If this Selector is defined, only routes matching the Selector are associated with the Gateway. An empty Selector matches all routes. \n Support: Core"
description: "Selector specifies a set of route labels used
for selecting routes to associate with the Gateway. If
this Selector is defined, only routes matching the Selector
are associated with the Gateway. An empty Selector matches
all routes. \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists
or DoesNotExist, the values array must be empty.
This array is replaced during a strategic merge
patch.
items:
type: string
type: array
@ -167,17 +328,37 @@ spec:
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
required:
- kind
type: object
tls:
description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\" and ignored otherwise. \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core"
description: "TLS is the TLS configuration for the Listener.
This field is required if the Protocol field is \"HTTPS\"
or \"TLS\" and ignored otherwise. \n The association of SNIs
to Certificate defined in GatewayTLSConfig is defined based
on the Hostname field for this listener. \n The GatewayClass
MUST use the longest matching SNI out of all available certificates
for any TLS handshake. \n Support: Core"
properties:
certificateRef:
description: "CertificateRef is the reference to Kubernetes object that contain a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this GatewayTLSConfig is associated with. \n This field is required when mode is set to \"Terminate\" (default) and optional otherwise. \n If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to \"secrets\". An implementation may support other resources (for example, resource \"mycertificates\" in group \"networking.acme.io\"). \n Support: Core (Kubernetes Secrets) \n Support: Implementation-specific (Other resource types)"
description: "CertificateRef is a reference to a Kubernetes
object that contains a TLS certificate and private key.
This certificate is used to establish a TLS handshake
for requests that match the hostname of the associated
listener. The referenced object MUST reside in the same
namespace as Gateway. \n This field is required when mode
is set to \"Terminate\" (default) and optional otherwise.
\n CertificateRef can reference a standard Kubernetes
resource, i.e. Secret, or an implementation-specific custom
resource. \n Support: Core (Kubernetes Secrets) \n Support:
Implementation-specific (Other resource types)"
properties:
group:
description: Group is the group of the referent.
@ -201,7 +382,16 @@ spec:
type: object
mode:
default: Terminate
description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRef to be set. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRef field is ignored in this mode. \n Support: Core"
description: "Mode defines the TLS behavior for the TLS
session initiated by the client. There are two possible
modes: - Terminate: The TLS session between the downstream
client and the Gateway is terminated at the Gateway.
This mode requires certificateRef to be set. - Passthrough:
The TLS session is NOT terminated by the Gateway. This
\ implies that the Gateway can't decipher the TLS stream
except for the ClientHello message of the TLS protocol.
\ CertificateRef field is ignored in this mode. \n Support:
Core"
enum:
- Terminate
- Passthrough
@ -209,16 +399,29 @@ spec:
options:
additionalProperties:
type: string
description: "Options are a list of key/value pairs to give extended options to the provider. \n There variation among providers as to how ciphersuites are expressed. If there is a common subset for expressing ciphers then it will make sense to loft that as a core API construct. \n Support: Implementation-specific"
description: "Options are a list of key/value pairs to give
extended options to the provider. \n There variation among
providers as to how ciphersuites are expressed. If there
is a common subset for expressing ciphers then it will
make sense to loft that as a core API construct. \n Support:
Implementation-specific"
type: object
routeOverride:
default:
certificate: Deny
description: "RouteOverride dictates if TLS settings can be configured via Routes or not. \n CertificateRef must be defined even if `routeOverride.certificate` is set to 'Allow' as it will be used as the default certificate for the listener. \n Support: Core"
description: "RouteOverride dictates if TLS settings can
be configured via Routes or not. \n CertificateRef must
be defined even if `routeOverride.certificate` is set
to 'Allow' as it will be used as the default certificate
for the listener. \n Support: Core"
properties:
certificate:
default: Deny
description: "Certificate dictates if TLS certificates can be configured via Routes. If set to 'Allow', a TLS certificate for a hostname defined in a Route takes precedence over the certificate defined in Gateway. \n Support: Core"
description: "Certificate dictates if TLS certificates
can be configured via Routes. If set to 'Allow', a
TLS certificate for a hostname defined in a Route
takes precedence over the certificate defined in Gateway.
\n Support: Core"
enum:
- Allow
- Deny
@ -248,9 +451,13 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
description: "Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. \n These addresses should all be of type \"IPAddress\"."
description: "Addresses lists the IP addresses that have actually
been bound to the Gateway. These addresses may differ from the addresses
in the Spec, e.g. if the Gateway automatically assigns an address
from a reserved pool. \n These addresses should all be of type \"IPAddress\"."
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
@ -260,7 +467,9 @@ spec:
- NamedAddress
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
@ -276,25 +485,52 @@ spec:
reason: NotReconciled
status: "False"
type: Scheduled
description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Scheduled\" * \"Ready\""
description: "Conditions describe the current conditions of the Gateway.
\n Implementations should prefer to express Gateway conditions using
the `GatewayConditionType` and `GatewayConditionReason` constants
so that operators and tools can converge on a common vocabulary
to describe Gateway state. \n Known condition types are: \n * \"Scheduled\"
* \"Ready\""
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@ -307,7 +543,11 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@ -324,43 +564,75 @@ spec:
- type
x-kubernetes-list-type: map
listeners:
description: Listeners provide status for each unique listener port defined in the Spec.
description: Listeners provide status for each unique listener port
defined in the Spec.
items:
description: ListenerStatus is the status associated with a Listener.
properties:
conditions:
description: Conditions describe the current condition of this listener.
description: Conditions describe the current condition of this
listener.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@ -377,18 +649,21 @@ spec:
- type
x-kubernetes-list-type: map
hostname:
description: Hostname is the Listener hostname value for which this message is reporting the status.
description: Hostname is the Listener hostname value for which
this message is reporting the status.
maxLength: 253
minLength: 1
type: string
port:
description: Port is the unique Listener port value for which this message is reporting the status.
description: Port is the unique Listener port value for which
this message is reporting the status.
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: Protocol is the Listener protocol value for which this message is reporting the status.
description: Protocol is the Listener protocol value for which
this message is reporting the status.
type: string
required:
- conditions

559
docs/content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml
View file

@ -4,12 +4,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: httproutes.networking.x-k8s.io
spec:
group: networking.x-k8s.io
names:
categories:
- gateway-api
kind: HTTPRoute
listKind: HTTPRouteList
plural: httproutes
@ -20,16 +22,23 @@ spec:
- jsonPath: .spec.hostnames
name: Hostnames
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: HTTPRoute is the Schema for the HTTPRoute resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -43,16 +52,24 @@ spec:
properties:
allow:
default: SameNamespace
description: 'Allow indicates which Gateways will be allowed to use this route. Possible values are: * All: Gateways in any namespace can use this route. * FromList: Only Gateways specified in GatewayRefs may use this route. * SameNamespace: Only Gateways in the same namespace may use this route.'
description: 'Allow indicates which Gateways will be allowed to
use this route. Possible values are: * All: Gateways in any
namespace can use this route. * FromList: Only Gateways specified
in GatewayRefs may use this route. * SameNamespace: Only Gateways
in the same namespace may use this route.'
enum:
- All
- FromList
- SameNamespace
type: string
gatewayRefs:
description: GatewayRefs must be specified when Allow is set to "FromList". In that case, only Gateways referenced in this list will be allowed to use this route. This field is ignored for other values of "Allow".
description: GatewayRefs must be specified when Allow is set to
"FromList". In that case, only Gateways referenced in this list
will be allowed to use this route. This field is ignored for
other values of "Allow".
items:
description: GatewayReference identifies a Gateway in a specified namespace.
description: GatewayReference identifies a Gateway in a specified
namespace.
properties:
name:
description: Name is the name of the referent.
@ -71,9 +88,29 @@ spec:
type: array
type: object
hostnames:
description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. Hostname is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: \n 1. IPs are not allowed. 2. The `:` delimiter is not respected because ports are not allowed. \n Incoming requests are matched against the hostnames before the HTTPRoute rules. If no hostname is specified, traffic is routed based on the HTTPRouteRules. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). The wildcard character `*` must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == `*`). Requests will be matched against the Host field in the following order: \n 1. If Host is precise, the request matches this rule if the HTTP Host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the HTTP Host header is to equal to the suffix (removing the first label) of the wildcard rule. \n Support: Core"
description: "Hostnames defines a set of hostname that should match
against the HTTP Host header to select a HTTPRoute to process the
request. Hostname is the fully qualified domain name of a network
host, as defined by RFC 3986. Note the following deviations from
the \"host\" part of the URI as defined in the RFC: \n 1. IPs are
not allowed. 2. The `:` delimiter is not respected because ports
are not allowed. \n Incoming requests are matched against the hostnames
before the HTTPRoute rules. If no hostname is specified, traffic
is routed based on the HTTPRouteRules. \n Hostname can be \"precise\"
which is a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
name prefixed with a single wildcard label (e.g. `*.example.com`).
The wildcard character `*` must appear by itself as the first DNS
label and matches only a single label. You cannot have a wildcard
label by itself (e.g. Host == `*`). Requests will be matched against
the Host field in the following order: \n 1. If Host is precise,
the request matches this rule if the HTTP Host header is equal
to Host. 2. If Host is a wildcard, then the request matches this
rule if the HTTP Host header is to equal to the suffix (removing
the first label) of the wildcard rule. \n Support: Core"
items:
description: Hostname is used to specify a hostname that should be matched.
description: Hostname is used to specify a hostname that should
be matched.
maxLength: 253
minLength: 1
type: string
@ -87,15 +124,40 @@ spec:
value: /
description: Rules are a list of HTTP matchers, filters and actions.
items:
description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions, optionally executing additional processing steps, and forwarding the request to an API object.
description: HTTPRouteRule defines semantics for matching an HTTP
request based on conditions, optionally executing additional processing
steps, and forwarding the request to an API object.
properties:
filters:
description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n Support: Core"
description: "Filters define the filters that are applied to
requests that match this rule. \n The effects of ordering
of multiple behaviors are currently unspecified. This can
change in the future based on feedback during the alpha stage.
\n Conformance-levels at this level are defined based on the
type of filter: \n - ALL core filters MUST be supported by
all implementations. - Implementers are encouraged to support
extended filters. - Implementation-specific custom filters
have no API guarantees across implementations. \n Specifying
a core filter multiple times has unspecified or custom conformance.
\n Support: Core"
items:
description: 'HTTPRouteFilter defines additional processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express additional processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. TODO(hbagdi): re-render CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 - https://github.com/kubernetes-sigs/controller-tools/issues/461'
description: 'HTTPRouteFilter defines additional processing
steps that must be completed during the request or response
lifecycle. HTTPRouteFilters are meant as an extension point
to express additional processing that may be done in Gateway
implementations. Some examples include request or response
modification, implementing authentication strategies, rate-limiting,
and traffic shaping. API guarantee/conformance is defined
based on the type of the filter. TODO(hbagdi): re-render
CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298
- https://github.com/kubernetes-sigs/controller-tools/issues/461'
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.acme.io\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.acme.io\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
@ -118,15 +180,30 @@ spec:
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
description: "RequestHeaderModifier defines a schema for
a filter that modifies request headers. \n Support:
Core"
properties:
add:
additionalProperties:
type: string
description: "Add adds the given header (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: {\"my-header\": \"bar\"} \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar \n Support: Extended"
description: "Add adds the given header (name, value)
to the request before the action. It appends to
any existing values associated with the header name.
\n Input: GET /foo HTTP/1.1 my-header: foo \n
Config: add: {\"my-header\": \"bar\"} \n Output:
\ GET /foo HTTP/1.1 my-header: foo my-header:
bar \n Support: Extended"
type: object
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of RemoveHeader is a list of HTTP header names. Note that the header names are case-insensitive [RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar \n Support: Extended"
description: "Remove the given header(s) from the
HTTP request before the action. The value of RemoveHeader
is a list of HTTP header names. Note that the header
names are case-insensitive [RFC-2616 4.2]. \n Input:
\ GET /foo HTTP/1.1 my-header1: foo my-header2:
bar my-header3: baz \n Config: remove: [\"my-header1\",
\"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
bar \n Support: Extended"
items:
type: string
maxItems: 16
@ -134,14 +211,28 @@ spec:
set:
additionalProperties:
type: string
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: {\"my-header\": \"bar\"} \n Output: GET /foo HTTP/1.1 my-header: bar \n Support: Extended"
description: "Set overwrites the request with the
given header (name, value) before the action. \n
Input: GET /foo HTTP/1.1 my-header: foo \n Config:
\ set: {\"my-header\": \"bar\"} \n Output: GET
/foo HTTP/1.1 my-header: bar \n Support: Extended"
type: object
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter that mirrors requests. \n Support: Extended"
description: "RequestMirror defines a schema for a filter
that mirrors requests. \n Support: Extended"
properties:
backendRef:
description: "BackendRef is a local object reference to mirror matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "BackendRef is a local object reference
to mirror matched requests to. If both BackendRef
and ServiceName are specified, ServiceName will
be given precedence. \n If the referent cannot be
found, the rule is not included in the route. The
controller should raise the \"ResolvedRefs\" condition
on the Gateway with the \"DegradedRoutes\" reason.
The gateway status for this route should be updated
with a condition that describes the error more specifically.
\n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -164,18 +255,51 @@ spec:
- name
type: object
port:
description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. \n If unspecified, the destination port in the request is used when forwarding to a backendRef or serviceName."
description: "Port specifies the destination port
number to use for the backend referenced by the
ServiceName or BackendRef field. \n If unspecified,
the destination port in the request is used when
forwarding to a backendRef or serviceName."
format: int32
maximum: 65535
minimum: 1
type: integer
serviceName:
description: "ServiceName refers to the name of the Service to mirror matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Core"
description: "ServiceName refers to the name of the
Service to mirror matched requests to. When specified,
this takes the place of BackendRef. If both BackendRef
and ServiceName are specified, ServiceName will
be given precedence. \n If the referent cannot be
found, the rule is not included in the route. The
controller should raise the \"ResolvedRefs\" condition
on the Gateway with the \"DegradedRoutes\" reason.
The gateway status for this route should be updated
with a condition that describes the error more specifically.
\n Support: Core"
maxLength: 253
type: string
type: object
type:
description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Custom: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior."
description: "Type identifies the type of filter to apply.
As with other API fields, types are classified into
three conformance levels: \n - Core: Filter types and
their corresponding configuration defined by \"Support:
Core\" in this package, e.g. \"RequestHeaderModifier\".
All implementations must support core filters. \n
- Extended: Filter types and their corresponding configuration
defined by \"Support: Extended\" in this package,
e.g. \"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters that
are defined and supported by specific vendors. In
the future, filters showing convergence in behavior
across multiple implementations will be considered
for inclusion in extended or core conformance levels.
Filter-specific configuration for such filters is
specified using the ExtensionRef field. `Type` should
be set to \"ExtensionRef\" for custom filters. \n
Implementers are encouraged to define custom implementation
types to extend the core API with implementation-specific
behavior."
enum:
- RequestHeaderModifier
- RequestMirror
@ -187,12 +311,25 @@ spec:
maxItems: 16
type: array
forwardTo:
description: ForwardTo defines the backend(s) where matching requests should be sent. If unspecified, the rule performs no forwarding. If unspecified and no filters are specified that would result in a response being sent, a 503 error code is returned.
description: ForwardTo defines the backend(s) where matching
requests should be sent. If unspecified, the rule performs
no forwarding. If unspecified and no filters are specified
that would result in a response being sent, a 503 error code
is returned.
items:
description: HTTPRouteForwardTo defines how a HTTPRoute should forward a request.
description: HTTPRouteForwardTo defines how a HTTPRoute should
forward a request.
properties:
backendRef:
description: "BackendRef is a reference to a backend to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "BackendRef is a reference to a backend to
forward matched requests to. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
route must be dropped from the Gateway. The controller
should raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -215,12 +352,31 @@ spec:
- name
type: object
filters:
description: "Filters defined at this-level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Custom (For broader support of filters, use the Filters field in HTTPRouteRule.)"
description: "Filters defined at this-level should be
executed if and only if the request is being forwarded
to the backend defined here. \n Support: Custom (For
broader support of filters, use the Filters field in
HTTPRouteRule.)"
items:
description: 'HTTPRouteFilter defines additional processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express additional processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. TODO(hbagdi): re-render CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 - https://github.com/kubernetes-sigs/controller-tools/issues/461'
description: 'HTTPRouteFilter defines additional processing
steps that must be completed during the request or
response lifecycle. HTTPRouteFilters are meant as
an extension point to express additional processing
that may be done in Gateway implementations. Some
examples include request or response modification,
implementing authentication strategies, rate-limiting,
and traffic shaping. API guarantee/conformance is
defined based on the type of the filter. TODO(hbagdi):
re-render CRDs once controller-tools supports union
tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298
- https://github.com/kubernetes-sigs/controller-tools/issues/461'
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.acme.io\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.acme.io\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
@ -243,15 +399,32 @@ spec:
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
description: "RequestHeaderModifier defines a schema
for a filter that modifies request headers. \n
Support: Core"
properties:
add:
additionalProperties:
type: string
description: "Add adds the given header (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: {\"my-header\": \"bar\"} \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar \n Support: Extended"
description: "Add adds the given header (name,
value) to the request before the action. It
appends to any existing values associated
with the header name. \n Input: GET /foo
HTTP/1.1 my-header: foo \n Config: add:
{\"my-header\": \"bar\"} \n Output: GET
/foo HTTP/1.1 my-header: foo my-header:
bar \n Support: Extended"
type: object
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of RemoveHeader is a list of HTTP header names. Note that the header names are case-insensitive [RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar \n Support: Extended"
description: "Remove the given header(s) from
the HTTP request before the action. The value
of RemoveHeader is a list of HTTP header names.
Note that the header names are case-insensitive
[RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1
\ my-header1: foo my-header2: bar my-header3:
baz \n Config: remove: [\"my-header1\",
\"my-header3\"] \n Output: GET /foo HTTP/1.1
\ my-header2: bar \n Support: Extended"
items:
type: string
maxItems: 16
@ -259,14 +432,30 @@ spec:
set:
additionalProperties:
type: string
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: {\"my-header\": \"bar\"} \n Output: GET /foo HTTP/1.1 my-header: bar \n Support: Extended"
description: "Set overwrites the request with
the given header (name, value) before the
action. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: set: {\"my-header\": \"bar\"}
\n Output: GET /foo HTTP/1.1 my-header:
bar \n Support: Extended"
type: object
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter that mirrors requests. \n Support: Extended"
description: "RequestMirror defines a schema for
a filter that mirrors requests. \n Support: Extended"
properties:
backendRef:
description: "BackendRef is a local object reference to mirror matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "BackendRef is a local object reference
to mirror matched requests to. If both BackendRef
and ServiceName are specified, ServiceName
will be given precedence. \n If the referent
cannot be found, the rule is not included
in the route. The controller should raise
the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway
status for this route should be updated with
a condition that describes the error more
specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -289,18 +478,54 @@ spec:
- name
type: object
port:
description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. \n If unspecified, the destination port in the request is used when forwarding to a backendRef or serviceName."
description: "Port specifies the destination
port number to use for the backend referenced
by the ServiceName or BackendRef field. \n
If unspecified, the destination port in the
request is used when forwarding to a backendRef
or serviceName."
format: int32
maximum: 65535
minimum: 1
type: integer
serviceName:
description: "ServiceName refers to the name of the Service to mirror matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Core"
description: "ServiceName refers to the name
of the Service to mirror matched requests
to. When specified, this takes the place of
BackendRef. If both BackendRef and ServiceName
are specified, ServiceName will be given precedence.
\n If the referent cannot be found, the rule
is not included in the route. The controller
should raise the \"ResolvedRefs\" condition
on the Gateway with the \"DegradedRoutes\"
reason. The gateway status for this route
should be updated with a condition that describes
the error more specifically. \n Support: Core"
maxLength: 253
type: string
type: object
type:
description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Custom: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior."
description: "Type identifies the type of filter
to apply. As with other API fields, types are
classified into three conformance levels: \n -
Core: Filter types and their corresponding configuration
defined by \"Support: Core\" in this package,
e.g. \"RequestHeaderModifier\". All implementations
must support core filters. \n - Extended: Filter
types and their corresponding configuration defined
by \"Support: Extended\" in this package, e.g.
\"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters
that are defined and supported by specific vendors.
\ In the future, filters showing convergence
in behavior across multiple implementations
will be considered for inclusion in extended or
core conformance levels. Filter-specific configuration
for such filters is specified using the ExtensionRef
field. `Type` should be set to \"ExtensionRef\"
for custom filters. \n Implementers are encouraged
to define custom implementation types to extend
the core API with implementation-specific behavior."
enum:
- RequestHeaderModifier
- RequestMirror
@ -312,18 +537,53 @@ spec:
maxItems: 16
type: array
port:
description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. If unspecified, the destination port in the request is used when forwarding to a backendRef or serviceName. \n Support: Core"
description: "Port specifies the destination port number
to use for the backend referenced by the ServiceName
or BackendRef field. If unspecified, the destination
port in the request is used when forwarding to a backendRef
or serviceName. \n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
serviceName:
description: "ServiceName refers to the name of the Service to forward matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n The protocol to use should be specified with the AppProtocol field on Service resources. This field was introduced in Kubernetes 1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol` annotation on the BackendPolicy resource may be used to define the protocol. If the AppProtocol field is available, this annotation should not be used. The AppProtocol field, when populated, takes precedence over the annotation in the BackendPolicy resource. For custom backends, it is encouraged to add a semantically-equivalent field in the Custom Resource Definition. \n Support: Core"
description: "ServiceName refers to the name of the Service
to forward matched requests to. When specified, this
takes the place of BackendRef. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
route must be dropped from the Gateway. The controller
should raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n The protocol
to use should be specified with the AppProtocol field
on Service resources. This field was introduced in Kubernetes
1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol`
annotation on the BackendPolicy resource may be used
to define the protocol. If the AppProtocol field is
available, this annotation should not be used. The AppProtocol
field, when populated, takes precedence over the annotation
in the BackendPolicy resource. For custom backends,
it is encouraged to add a semantically-equivalent field
in the Custom Resource Definition. \n Support: Core"
maxLength: 253
type: string
weight:
default: 1
description: "Weight specifies the proportion of HTTP requests forwarded to the backend referenced by the ServiceName or BackendRef field. This is computed as weight/(sum of all weights in this ForwardTo list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support: Core"
description: "Weight specifies the proportion of HTTP
requests forwarded to the backend referenced by the
ServiceName or BackendRef field. This is computed as
weight/(sum of all weights in this ForwardTo list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support: Core"
format: int32
maximum: 1000000
minimum: 0
@ -336,12 +596,55 @@ spec:
- path:
type: Prefix
value: /
description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: values: version: \"2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request should satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: \"2\"` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n A client request may match multiple HTTP route rules. Matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The longest matching hostname. * The longest matching path. * The largest number of header matches * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz."
description: "Matches define conditions used for matching the
rule against incoming HTTP requests. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. \n For example, take the following matches configuration:
\n ``` matches: - path: value: \"/foo\" headers: values:
\ version: \"2\" - path: value: \"/v2/foo\" ``` \n
For a request to match against this rule, a request should
satisfy EITHER of the two conditions: \n - path prefixed with
`/foo` AND contains the header `version: \"2\"` - path prefix
of `/v2/foo` \n See the documentation for HTTPRouteMatch on
how to specify multiple match conditions that should be ANDed
together. \n If no matches are specified, the default is a
prefix path match on \"/\", which has the effect of matching
every HTTP request. \n Each client request MUST map to a maximum
of one route rule. If a request matches multiple rules, matching
precedence MUST be determined in order of the following criteria,
continuing on ties: \n * The longest matching hostname. *
The longest matching path. * The largest number of header
matches. \n If ties still exist across multiple Routes, matching
precedence MUST be determined in order of the following criteria,
continuing on ties: \n * The oldest Route based on creation
timestamp. For example, a Route with a creation timestamp
of \"2020-09-08 01:02:03\" is given precedence over a Route
with a creation timestamp of \"2020-09-08 01:02:04\". * The
Route appearing first in alphabetical order by \"<namespace>/<name>\".
For example, foo/bar is given precedence over foo/baz. \n
If ties still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching
rule meeting the above criteria."
items:
description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: \"1\"` header: \n ``` match: path: value: \"/foo\" headers: values: version: \"1\" ```"
description: "HTTPRouteMatch defines the predicate used to
match requests to a given action. Multiple match types are
ANDed together, i.e. the match will evaluate to true only
if all conditions are satisfied. \n For example, the match
below will match a HTTP request only if its path starts
with `/foo` AND it contains the `version: \"1\"` header:
\n ``` match: path: value: \"/foo\" headers: values:
\ version: \"1\" ```"
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"match\" behavior. For example, resource \"myroutematcher\" in group \"networking.acme.io\". If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "ExtensionRef is an optional, implementation-specific
extension to the \"match\" behavior. For example, resource
\"myroutematcher\" in group \"networking.acme.io\".
If the referent cannot be found, the rule is not included
in the route. The controller should raise the \"ResolvedRefs\"
condition on the Gateway with the \"DegradedRoutes\"
reason. The gateway status for this route should be
updated with a condition that describes the error more
specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -368,7 +671,15 @@ spec:
properties:
type:
default: Exact
description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Custom (RegularExpression, ImplementationSpecific) \n Since RegularExpression PathType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect. \n HTTP Header name matching MUST be case-insensitive (RFC 2616 - section 4.2)."
description: "Type specifies how to match against
the value of the header. \n Support: Core (Exact)
\n Support: Custom (RegularExpression, ImplementationSpecific)
\n Since RegularExpression PathType has custom conformance,
implementations can support POSIX, PCRE or any other
dialects of regular expressions. Please read the
implementation's documentation to determine the
supported dialect. \n HTTP Header name matching
MUST be case-insensitive (RFC 2616 - section 4.2)."
enum:
- Exact
- RegularExpression
@ -377,7 +688,14 @@ spec:
values:
additionalProperties:
type: string
description: "Values is a map of HTTP Headers to be matched. It MUST contain at least one entry. \n The HTTP header field name to match is the map key, and the value of the HTTP header is the map value. HTTP header field name matching MUST be case-insensitive. \n Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route."
description: "Values is a map of HTTP Headers to be
matched. It MUST contain at least one entry. \n
The HTTP header field name to match is the map key,
and the value of the HTTP header is the map value.
HTTP header field name matching MUST be case-insensitive.
\n Multiple match values are ANDed together, meaning,
a request must match all the specified headers to
select the route."
type: object
required:
- values
@ -386,11 +704,20 @@ spec:
default:
type: Prefix
value: /
description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.
description: Path specifies a HTTP request path matcher.
If this field is not specified, a default prefix match
on the "/" path is provided.
properties:
type:
default: Prefix
description: "Type specifies how to match against the path Value. \n Support: Core (Exact, Prefix) \n Support: Custom (RegularExpression, ImplementationSpecific) \n Since RegularExpression PathType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect."
description: "Type specifies how to match against
the path Value. \n Support: Core (Exact, Prefix)
\n Support: Custom (RegularExpression, ImplementationSpecific)
\n Since RegularExpression PathType has custom conformance,
implementations can support POSIX, PCRE or any other
dialects of regular expressions. Please read the
implementation's documentation to determine the
supported dialect."
enum:
- Exact
- Prefix
@ -398,11 +725,46 @@ spec:
- ImplementationSpecific
type: string
value:
default: /
description: Value of the HTTP path to match against.
minLength: 1
type: string
type: object
queryParams:
description: QueryParams specifies a HTTP query parameter
matcher.
properties:
type:
default: Exact
description: "Type specifies how to match against
the value of the query parameter. \n Support: Extended
(Exact) \n Support: Custom (RegularExpression, ImplementationSpecific)
\n Since RegularExpression QueryParamMatchType has
custom conformance, implementations can support
POSIX, PCRE or any other dialects of regular expressions.
Please read the implementation's documentation to
determine the supported dialect."
enum:
- Exact
- RegularExpression
- ImplementationSpecific
type: string
values:
additionalProperties:
type: string
description: "Values is a map of HTTP query parameters
to be matched. It MUST contain at least one entry.
\n The query parameter name to match is the map
key, and the value of the query parameter is the
map value. \n Multiple match values are ANDed together,
meaning, a request must match all the specified
query parameters to select the route. \n HTTP query
parameter matching MUST be case-sensitive for both
keys and values. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
\n Note that the query parameter key MUST always
be an exact match by string comparison."
type: object
required:
- value
- values
type: object
type: object
maxItems: 8
@ -411,10 +773,31 @@ spec:
maxItems: 16
type: array
tls:
description: "TLS defines the TLS certificate to use for Hostnames defined in this Route. This configuration only takes effect if the AllowRouteOverride field is set to true in the associated Gateway resource. \n Collisions can happen if multiple HTTPRoutes define a TLS certificate for the same hostname. In such a case, conflict resolution guiding principles apply, specifically, if hostnames are same and two different certificates are specified then the certificate in the oldest resource wins. \n Please note that HTTP Route-selection takes place after the TLS Handshake (ClientHello). Due to this, TLS certificate defined here will take precedence even if the request has the potential to match multiple routes (in case multiple HTTPRoutes share the same hostname). \n Support: Core"
description: "TLS defines the TLS certificate to use for Hostnames
defined in this Route. This configuration only takes effect if the
AllowRouteOverride field is set to true in the associated Gateway
resource. \n Collisions can happen if multiple HTTPRoutes define
a TLS certificate for the same hostname. In such a case, conflict
resolution guiding principles apply, specifically, if hostnames
are same and two different certificates are specified then the certificate
in the oldest resource wins. \n Please note that HTTP Route-selection
takes place after the TLS Handshake (ClientHello). Due to this,
TLS certificate defined here will take precedence even if the request
has the potential to match multiple routes (in case multiple HTTPRoutes
share the same hostname). \n Support: Core"
properties:
certificateRef:
description: "CertificateRef refers to a Kubernetes object that contains a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this RouteTLSConfig is associated with. If an entry in this list omits or specifies the empty string for both the group and kind, the resource defaults to \"secrets\". An implementation may support other resources (for example, resource \"mycertificates\" in group \"networking.acme.io\"). \n Support: Core (Kubernetes Secrets) \n Support: Implementation-specific (Other resource types)"
description: "CertificateRef is a reference to a Kubernetes object
that contains a TLS certificate and private key. This certificate
is used to establish a TLS handshake for requests that match
the hostname of the associated HTTPRoute. The referenced object
MUST reside in the same namespace as HTTPRoute. \n This field
is required when the TLS configuration mode of the associated
Gateway listener is set to \"Passthrough\". \n CertificateRef
can reference a standard Kubernetes resource, i.e. Secret, or
an implementation-specific custom resource. \n Support: Core
(Kubernetes Secrets) \n Support: Implementation-specific (Other
resource types)"
properties:
group:
description: Group is the group of the referent.
@ -444,43 +827,87 @@ spec:
description: Status defines the current state of HTTPRoute.
properties:
gateways:
description: "Gateways is a list of Gateways that are associated with the route, and the status of the route with respect to each Gateway. When a Gateway selects this route, the controller that manages the Gateway must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route is modified. \n A maximum of 100 Gateways will be represented in this list. If this list is full, there may be additional Gateways using this Route that are not included in the list. An empty list means the route has not been admitted by any Gateway."
description: "Gateways is a list of Gateways that are associated with
the route, and the status of the route with respect to each Gateway.
When a Gateway selects this route, the controller that manages the
Gateway must add an entry to this list when the controller first
sees the route and should update the entry as appropriate when the
route is modified. \n A maximum of 100 Gateways will be represented
in this list. If this list is full, there may be additional Gateways
using this Route that are not included in the list. An empty list
means the route has not been admitted by any Gateway."
items:
description: RouteGatewayStatus describes the status of a route with respect to an associated Gateway.
description: RouteGatewayStatus describes the status of a route
with respect to an associated Gateway.
properties:
conditions:
description: Conditions describes the status of the route with respect to the Gateway. The "Admitted" condition must always be specified by controllers to indicate whether the route has been admitted or rejected by the Gateway, and why. Note that the route's availability is also subject to the Gateway's own status conditions and listener status.
description: Conditions describes the status of the route with
respect to the Gateway. The "Admitted" condition must always
be specified by controllers to indicate whether the route
has been admitted or rejected by the Gateway, and why. Note
that the route's availability is also subject to the Gateway's
own status conditions and listener status.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@ -497,8 +924,18 @@ spec:
- type
x-kubernetes-list-type: map
gatewayRef:
description: GatewayRef is a reference to a Gateway object that is associated with the route.
description: GatewayRef is a reference to a Gateway object that
is associated with the route.
properties:
controller:
description: "Controller is a domain/path string that indicates
the controller implementing the Gateway. This corresponds
with the controller field on GatewayClass. \n Example:
\"acme.io/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
maxLength: 253
type: string
name:
description: Name is the name of the referent.
maxLength: 253

201
docs/content/reference/dynamic-configuration/networking.x-k8s.io_tcproutes.yaml
View file

@ -4,28 +4,38 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: tcproutes.networking.x-k8s.io
spec:
group: networking.x-k8s.io
names:
categories:
- gateway-api
kind: TCPRoute
listKind: TCPRouteList
plural: tcproutes
singular: tcproute
scope: Namespaced
versions:
- name: v1alpha1
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: TCPRoute is the Schema for the TCPRoute resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -39,16 +49,24 @@ spec:
properties:
allow:
default: SameNamespace
description: 'Allow indicates which Gateways will be allowed to use this route. Possible values are: * All: Gateways in any namespace can use this route. * FromList: Only Gateways specified in GatewayRefs may use this route. * SameNamespace: Only Gateways in the same namespace may use this route.'
description: 'Allow indicates which Gateways will be allowed to
use this route. Possible values are: * All: Gateways in any
namespace can use this route. * FromList: Only Gateways specified
in GatewayRefs may use this route. * SameNamespace: Only Gateways
in the same namespace may use this route.'
enum:
- All
- FromList
- SameNamespace
type: string
gatewayRefs:
description: GatewayRefs must be specified when Allow is set to "FromList". In that case, only Gateways referenced in this list will be allowed to use this route. This field is ignored for other values of "Allow".
description: GatewayRefs must be specified when Allow is set to
"FromList". In that case, only Gateways referenced in this list
will be allowed to use this route. This field is ignored for
other values of "Allow".
items:
description: GatewayReference identifies a Gateway in a specified namespace.
description: GatewayReference identifies a Gateway in a specified
namespace.
properties:
name:
description: Name is the name of the referent.
@ -72,12 +90,22 @@ spec:
description: TCPRouteRule is the configuration for a given rule.
properties:
forwardTo:
description: ForwardTo defines the backend(s) where matching requests should be sent.
description: ForwardTo defines the backend(s) where matching
requests should be sent.
items:
description: RouteForwardTo defines how a Route should forward a request.
description: RouteForwardTo defines how a Route should forward
a request.
properties:
backendRef:
description: "BackendRef is a reference to a backend to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "BackendRef is a reference to a backend to
forward matched requests to. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
rule is not included in the route. The controller should
raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -100,18 +128,53 @@ spec:
- name
type: object
port:
description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. If unspecified, the destination port in the request is used when forwarding to a backendRef or serviceName. \n Support: Core"
description: "Port specifies the destination port number
to use for the backend referenced by the ServiceName
or BackendRef field. If unspecified, the destination
port in the request is used when forwarding to a backendRef
or serviceName. \n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
serviceName:
description: "ServiceName refers to the name of the Service to forward matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n The protocol to use is defined using AppProtocol field (introduced in Kubernetes 1.18) in the Service resource. In the absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` annotation on the BackendPolicy resource may be used to define the protocol. If the AppProtocol field is available, this annotation should not be used. The AppProtocol field, when populated, takes precedence over the annotation in the BackendPolicy resource. For custom backends, it is encouraged to add a semantically-equivalent field in the Custom Resource Definition. \n Support: Core"
description: "ServiceName refers to the name of the Service
to forward matched requests to. When specified, this
takes the place of BackendRef. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
rule is not included in the route. The controller should
raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n The protocol
to use is defined using AppProtocol field (introduced
in Kubernetes 1.18) in the Service resource. In the
absence of the AppProtocol field a `networking.x-k8s.io/app-protocol`
annotation on the BackendPolicy resource may be used
to define the protocol. If the AppProtocol field is
available, this annotation should not be used. The AppProtocol
field, when populated, takes precedence over the annotation
in the BackendPolicy resource. For custom backends,
it is encouraged to add a semantically-equivalent field
in the Custom Resource Definition. \n Support: Core"
maxLength: 253
type: string
weight:
default: 1
description: "Weight specifies the proportion of HTTP requests forwarded to the backend referenced by the ServiceName or BackendRef field. This is computed as weight/(sum of all weights in this ForwardTo list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support: Extended"
description: "Weight specifies the proportion of HTTP
requests forwarded to the backend referenced by the
ServiceName or BackendRef field. This is computed as
weight/(sum of all weights in this ForwardTo list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support: Extended"
format: int32
maximum: 1000000
minimum: 0
@ -121,12 +184,42 @@ spec:
minItems: 1
type: array
matches:
description: Matches define conditions used for matching the rule against incoming TCP connections. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. If unspecified, all requests from the associated gateway TCP listener will match.
description: "Matches define conditions used for matching the
rule against incoming TCP connections. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. If unspecified (i.e. empty), this Rule will
match all requests for the associated Listener. \n Each client
request MUST map to a maximum of one route rule. If a request
matches multiple rules, matching precedence MUST be determined
in order of the following criteria, continuing on ties: \n
* The most specific match specified by ExtensionRef. Each
implementation that supports ExtensionRef may have different
ways of determining the specificity of the referenced extension.
\n If ties still exist across multiple Routes, matching precedence
MUST be determined in order of the following criteria, continuing
on ties: \n * The oldest Route based on creation timestamp.
For example, a Route with a creation timestamp of \"2020-09-08
01:02:03\" is given precedence over a Route with a creation
timestamp of \"2020-09-08 01:02:04\". * The Route appearing
first in alphabetical order by \"<namespace>/<name>\". For
example, foo/bar is given precedence over foo/baz. \n If
ties still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching
rule meeting the above criteria."
items:
description: TCPRouteMatch defines the predicate used to match connections to a given action.
description: TCPRouteMatch defines the predicate used to match
connections to a given action.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"match\" behavior. For example, resource \"mytcproutematcher\" in group \"networking.acme.io\". If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "ExtensionRef is an optional, implementation-specific
extension to the \"match\" behavior. For example, resource
\"mytcproutematcher\" in group \"networking.acme.io\".
If the referent cannot be found, the rule is not included
in the route. The controller should raise the \"ResolvedRefs\"
condition on the Gateway with the \"DegradedRoutes\"
reason. The gateway status for this route should be
updated with a condition that describes the error more
specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -164,43 +257,87 @@ spec:
description: Status defines the current state of TCPRoute.
properties:
gateways:
description: "Gateways is a list of Gateways that are associated with the route, and the status of the route with respect to each Gateway. When a Gateway selects this route, the controller that manages the Gateway must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route is modified. \n A maximum of 100 Gateways will be represented in this list. If this list is full, there may be additional Gateways using this Route that are not included in the list. An empty list means the route has not been admitted by any Gateway."
description: "Gateways is a list of Gateways that are associated with
the route, and the status of the route with respect to each Gateway.
When a Gateway selects this route, the controller that manages the
Gateway must add an entry to this list when the controller first
sees the route and should update the entry as appropriate when the
route is modified. \n A maximum of 100 Gateways will be represented
in this list. If this list is full, there may be additional Gateways
using this Route that are not included in the list. An empty list
means the route has not been admitted by any Gateway."
items:
description: RouteGatewayStatus describes the status of a route with respect to an associated Gateway.
description: RouteGatewayStatus describes the status of a route
with respect to an associated Gateway.
properties:
conditions:
description: Conditions describes the status of the route with respect to the Gateway. The "Admitted" condition must always be specified by controllers to indicate whether the route has been admitted or rejected by the Gateway, and why. Note that the route's availability is also subject to the Gateway's own status conditions and listener status.
description: Conditions describes the status of the route with
respect to the Gateway. The "Admitted" condition must always
be specified by controllers to indicate whether the route
has been admitted or rejected by the Gateway, and why. Note
that the route's availability is also subject to the Gateway's
own status conditions and listener status.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@ -217,8 +354,18 @@ spec:
- type
x-kubernetes-list-type: map
gatewayRef:
description: GatewayRef is a reference to a Gateway object that is associated with the route.
description: GatewayRef is a reference to a Gateway object that
is associated with the route.
properties:
controller:
description: "Controller is a domain/path string that indicates
the controller implementing the Gateway. This corresponds
with the controller field on GatewayClass. \n Example:
\"acme.io/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
maxLength: 253
type: string
name:
description: Name is the name of the referent.
maxLength: 253

234
docs/content/reference/dynamic-configuration/networking.x-k8s.io_tlsroutes.yaml
View file

@ -4,28 +4,42 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: tlsroutes.networking.x-k8s.io
spec:
group: networking.x-k8s.io
names:
categories:
- gateway-api
kind: TLSRoute
listKind: TLSRouteList
plural: tlsroutes
singular: tlsroute
scope: Namespaced
versions:
- name: v1alpha1
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener."
description: "The TLSRoute resource is similar to TCPRoute, but can be configured
to match against TLS-specific metadata. This allows more flexibility in
matching streams for a given TLS listener. \n If you need to forward traffic
to a single target for a TLS listener, you could choose to use a TCPRoute
with a TLS listener."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -39,16 +53,24 @@ spec:
properties:
allow:
default: SameNamespace
description: 'Allow indicates which Gateways will be allowed to use this route. Possible values are: * All: Gateways in any namespace can use this route. * FromList: Only Gateways specified in GatewayRefs may use this route. * SameNamespace: Only Gateways in the same namespace may use this route.'
description: 'Allow indicates which Gateways will be allowed to
use this route. Possible values are: * All: Gateways in any
namespace can use this route. * FromList: Only Gateways specified
in GatewayRefs may use this route. * SameNamespace: Only Gateways
in the same namespace may use this route.'
enum:
- All
- FromList
- SameNamespace
type: string
gatewayRefs:
description: GatewayRefs must be specified when Allow is set to "FromList". In that case, only Gateways referenced in this list will be allowed to use this route. This field is ignored for other values of "Allow".
description: GatewayRefs must be specified when Allow is set to
"FromList". In that case, only Gateways referenced in this list
will be allowed to use this route. This field is ignored for
other values of "Allow".
items:
description: GatewayReference identifies a Gateway in a specified namespace.
description: GatewayReference identifies a Gateway in a specified
namespace.
properties:
name:
description: Name is the name of the referent.
@ -72,12 +94,22 @@ spec:
description: TLSRouteRule is the configuration for a given rule.
properties:
forwardTo:
description: ForwardTo defines the backend(s) where matching requests should be sent.
description: ForwardTo defines the backend(s) where matching
requests should be sent.
items:
description: RouteForwardTo defines how a Route should forward a request.
description: RouteForwardTo defines how a Route should forward
a request.
properties:
backendRef:
description: "BackendRef is a reference to a backend to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "BackendRef is a reference to a backend to
forward matched requests to. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
rule is not included in the route. The controller should
raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -100,18 +132,53 @@ spec:
- name
type: object
port:
description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. If unspecified, the destination port in the request is used when forwarding to a backendRef or serviceName. \n Support: Core"
description: "Port specifies the destination port number
to use for the backend referenced by the ServiceName
or BackendRef field. If unspecified, the destination
port in the request is used when forwarding to a backendRef
or serviceName. \n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
serviceName:
description: "ServiceName refers to the name of the Service to forward matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n The protocol to use is defined using AppProtocol field (introduced in Kubernetes 1.18) in the Service resource. In the absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` annotation on the BackendPolicy resource may be used to define the protocol. If the AppProtocol field is available, this annotation should not be used. The AppProtocol field, when populated, takes precedence over the annotation in the BackendPolicy resource. For custom backends, it is encouraged to add a semantically-equivalent field in the Custom Resource Definition. \n Support: Core"
description: "ServiceName refers to the name of the Service
to forward matched requests to. When specified, this
takes the place of BackendRef. If both BackendRef and
ServiceName are specified, ServiceName will be given
precedence. \n If the referent cannot be found, the
rule is not included in the route. The controller should
raise the \"ResolvedRefs\" condition on the Gateway
with the \"DegradedRoutes\" reason. The gateway status
for this route should be updated with a condition that
describes the error more specifically. \n The protocol
to use is defined using AppProtocol field (introduced
in Kubernetes 1.18) in the Service resource. In the
absence of the AppProtocol field a `networking.x-k8s.io/app-protocol`
annotation on the BackendPolicy resource may be used
to define the protocol. If the AppProtocol field is
available, this annotation should not be used. The AppProtocol
field, when populated, takes precedence over the annotation
in the BackendPolicy resource. For custom backends,
it is encouraged to add a semantically-equivalent field
in the Custom Resource Definition. \n Support: Core"
maxLength: 253
type: string
weight:
default: 1
description: "Weight specifies the proportion of HTTP requests forwarded to the backend referenced by the ServiceName or BackendRef field. This is computed as weight/(sum of all weights in this ForwardTo list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support: Extended"
description: "Weight specifies the proportion of HTTP
requests forwarded to the backend referenced by the
ServiceName or BackendRef field. This is computed as
weight/(sum of all weights in this ForwardTo list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support: Extended"
format: int32
maximum: 1000000
minimum: 0
@ -121,12 +188,45 @@ spec:
minItems: 1
type: array
matches:
description: Matches define conditions used for matching the rule against an incoming TLS handshake. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. If unspecified, all requests from the associated gateway TLS listener will match.
description: "Matches define conditions used for matching the
rule against incoming TLS connections. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. If unspecified (i.e. empty), this Rule will
match all requests for the associated Listener. \n Each client
request MUST map to a maximum of one route rule. If a request
matches multiple rules, matching precedence MUST be determined
in order of the following criteria, continuing on ties: \n
* The longest matching SNI. * The longest matching precise
SNI (without a wildcard). This means that \"b.example.com\"
should be given precedence over \"*.example.com\". * The most
specific match specified by ExtensionRef. Each implementation
\ that supports ExtensionRef may have different ways of determining
the specificity of the referenced extension. \n If ties
still exist across multiple Routes, matching precedence MUST
be determined in order of the following criteria, continuing
on ties: \n * The oldest Route based on creation timestamp.
For example, a Route with a creation timestamp of \"2020-09-08
01:02:03\" is given precedence over a Route with a creation
timestamp of \"2020-09-08 01:02:04\". * The Route appearing
first in alphabetical order by \"<namespace>/<name>\". For
example, foo/bar is given precedence over foo/baz. \n If
ties still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching
rule meeting the above criteria."
items:
description: TLSRouteMatch defines the predicate used to match connections to a given action.
description: TLSRouteMatch defines the predicate used to match
connections to a given action.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"match\" behavior. For example, resource \"mytlsroutematcher\" in group \"networking.acme.io\". If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
description: "ExtensionRef is an optional, implementation-specific
extension to the \"match\" behavior. For example, resource
\"mytlsroutematcher\" in group \"networking.acme.io\".
If the referent cannot be found, the rule is not included
in the route. The controller should raise the \"ResolvedRefs\"
condition on the Gateway with the \"DegradedRoutes\"
reason. The gateway status for this route should be
updated with a condition that describes the error more
specifically. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
@ -149,9 +249,29 @@ spec:
- name
type: object
snis:
description: "SNIs defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. \n SNI can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). The wildcard character `*` must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == `*`). \n Requests will be matched against the Host field in the following order: \n 1. If SNI is precise, the request matches this rule if the SNI in ClientHello is equal to one of the defined SNIs. 2. If SNI is a wildcard, then the request matches this rule if the SNI is to equal to the suffix (removing the first label) of the wildcard rule. 3. If SNIs is unspecified, all requests associated with the gateway TLS listener will match. This can be used to define a default backend for a TLS listener. \n Support: Core"
description: "SNIs defines a set of SNI names that should
match against the SNI attribute of TLS ClientHello message
in TLS handshake. \n SNI can be \"precise\" which is
a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which
is a domain name prefixed with a single wildcard label
(e.g. `*.example.com`). The wildcard character `*` must
appear by itself as the first DNS label and matches
only a single label. You cannot have a wildcard label
by itself (e.g. Host == `*`). \n Requests will be matched
against the Host field in the following order: \n 1.
If SNI is precise, the request matches this rule if
the SNI in ClientHello is equal to one of the defined
SNIs. 2. If SNI is a wildcard, then the request matches
this rule if the SNI is to equal to the suffix (removing
the first label) of the wildcard rule. 3. If SNIs
is unspecified, all requests associated with the gateway
TLS listener will match. This can be used to define
a default backend for a TLS listener. \n Support:
Core"
items:
description: Hostname is used to specify a hostname that should be matched.
description: Hostname is used to specify a hostname
that should be matched.
maxLength: 253
minLength: 1
type: string
@ -173,43 +293,87 @@ spec:
description: Status defines the current state of TLSRoute.
properties:
gateways:
description: "Gateways is a list of Gateways that are associated with the route, and the status of the route with respect to each Gateway. When a Gateway selects this route, the controller that manages the Gateway must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route is modified. \n A maximum of 100 Gateways will be represented in this list. If this list is full, there may be additional Gateways using this Route that are not included in the list. An empty list means the route has not been admitted by any Gateway."
description: "Gateways is a list of Gateways that are associated with
the route, and the status of the route with respect to each Gateway.
When a Gateway selects this route, the controller that manages the
Gateway must add an entry to this list when the controller first
sees the route and should update the entry as appropriate when the
route is modified. \n A maximum of 100 Gateways will be represented
in this list. If this list is full, there may be additional Gateways
using this Route that are not included in the list. An empty list
means the route has not been admitted by any Gateway."
items:
description: RouteGatewayStatus describes the status of a route with respect to an associated Gateway.
description: RouteGatewayStatus describes the status of a route
with respect to an associated Gateway.
properties:
conditions:
description: Conditions describes the status of the route with respect to the Gateway. The "Admitted" condition must always be specified by controllers to indicate whether the route has been admitted or rejected by the Gateway, and why. Note that the route's availability is also subject to the Gateway's own status conditions and listener status.
description: Conditions describes the status of the route with
respect to the Gateway. The "Admitted" condition must always
be specified by controllers to indicate whether the route
has been admitted or rejected by the Gateway, and why. Note
that the route's availability is also subject to the Gateway's
own status conditions and listener status.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@ -226,8 +390,18 @@ spec:
- type
x-kubernetes-list-type: map
gatewayRef:
description: GatewayRef is a reference to a Gateway object that is associated with the route.
description: GatewayRef is a reference to a Gateway object that
is associated with the route.
properties:
controller:
description: "Controller is a domain/path string that indicates
the controller implementing the Gateway. This corresponds
with the controller field on GatewayClass. \n Example:
\"acme.io/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
maxLength: 253
type: string
name:
description: Name is the name of the referent.
maxLength: 253

3
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
View file

@ -299,6 +299,7 @@ spec:
type: string
type: object
featurePolicy:
description: 'Deprecated: use PermissionsPolicy instead.'
type: string
forceSTSHeader:
type: boolean
@ -310,6 +311,8 @@ spec:
type: array
isDevelopment:
type: boolean
permissionsPolicy:
type: string
publicKey:
type: string
referrerPolicy:

4
docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
View file

@ -78,6 +78,10 @@ spec:
description: If non-zero, controls the maximum idle (keep-alive) to
keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
type: integer
peerCertURI:
description: URI used to match against SAN URI during the peer certificate
verification.
type: string
rootCAsSecrets:
description: Add cert file for self-signed certificate.
items:

19
docs/content/reference/static-configuration/cli-ref.md
View file

@ -369,6 +369,12 @@ Enable ConsulCatalog backend with default settings. (Default: ```false```)
`--providers.consulcatalog.cache`:
Use local agent caching for catalog reads. (Default: ```false```)
`--providers.consulcatalog.connectaware`:
Enable Consul Connect support. (Default: ```false```)
`--providers.consulcatalog.connectbydefault`:
Consider every service as Connect capable by default. (Default: ```false```)
`--providers.consulcatalog.constraints`:
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@ -376,7 +382,7 @@ Constraints is an expression that Traefik matches against the container's labels
Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
`--providers.consulcatalog.endpoint.address`:
The address of the Consul server (Default: ```127.0.0.1:8500```)
The address of the Consul server
`--providers.consulcatalog.endpoint.datacenter`:
Data center to use. If not provided, the default agent data center is used
@ -423,6 +429,9 @@ Interval for check Consul API. Default 15s (Default: ```15```)
`--providers.consulcatalog.requireconsistent`:
Forces the read to be fully consistent. (Default: ```false```)
`--providers.consulcatalog.servicename`:
Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: ```traefik```)
`--providers.consulcatalog.stale`:
Use stale consistency for catalog reads. (Default: ```false```)
@ -577,7 +586,10 @@ TLS key
Enable Kubernetes backend with default settings. (Default: ```false```)
`--providers.kubernetescrd.allowcrossnamespace`:
Allow cross namespace resource reference. (Default: ```true```)
Allow cross namespace resource reference. (Default: ```false```)
`--providers.kubernetescrd.allowexternalnameservices`:
Allow ExternalName services. (Default: ```false```)
`--providers.kubernetescrd.certauthfilepath`:
Kubernetes certificate authority file path (not needed for in-cluster client).
@ -627,6 +639,9 @@ Enable Kubernetes backend with default settings. (Default: ```false```)
`--providers.kubernetesingress.allowemptyservices`:
Allow creation of services without endpoints. (Default: ```false```)
`--providers.kubernetesingress.allowexternalnameservices`:
Allow ExternalName services. (Default: ```false```)
`--providers.kubernetesingress.certauthfilepath`:
Kubernetes certificate authority file path (not needed for in-cluster client).

19
docs/content/reference/static-configuration/env-ref.md
View file

@ -342,6 +342,12 @@ Enable ConsulCatalog backend with default settings. (Default: ```false```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:
Use local agent caching for catalog reads. (Default: ```false```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_CONNECTAWARE`:
Enable Consul Connect support. (Default: ```false```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_CONNECTBYDEFAULT`:
Consider every service as Connect capable by default. (Default: ```false```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_CONSTRAINTS`:
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@ -349,7 +355,7 @@ Constraints is an expression that Traefik matches against the container's labels
Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`:
The address of the Consul server (Default: ```127.0.0.1:8500```)
The address of the Consul server
`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`:
Data center to use. If not provided, the default agent data center is used
@ -396,6 +402,9 @@ Interval for check Consul API. Default 15s (Default: ```15```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_REQUIRECONSISTENT`:
Forces the read to be fully consistent. (Default: ```false```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_SERVICENAME`:
Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: ```traefik```)
`TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:
Use stale consistency for catalog reads. (Default: ```false```)
@ -577,7 +586,10 @@ TLS key
Enable Kubernetes backend with default settings. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:
Allow cross namespace resource reference. (Default: ```true```)
Allow cross namespace resource reference. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWEXTERNALNAMESERVICES`:
Allow ExternalName services. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:
Kubernetes certificate authority file path (not needed for in-cluster client).
@ -627,6 +639,9 @@ Enable Kubernetes backend with default settings. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ALLOWEMPTYSERVICES`:
Allow creation of services without endpoints. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ALLOWEXTERNALNAMESERVICES`:
Allow ExternalName services. (Default: ```false```)
`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:
Kubernetes certificate authority file path (not needed for in-cluster client).

10
docs/content/routing/providers/consul-catalog.md
View file

@ -454,6 +454,16 @@ You can tell Traefik to consider (or not) the service by setting `traefik.enable
This option overrides the value of `exposedByDefault`.
#### `traefik.consulcatalog.connect`
```yaml
traefik.consulcatalog.connect=true
```
You can tell Traefik to consider (or not) the service as a Connect capable one by setting `traefik.consulcatalog.connect` to true or false.
This option overrides the value of `connectByDefault`.
#### Port Lookup
Traefik is capable of detecting the port to use, by following the default consul Catalog flow.

24
docs/content/routing/providers/kubernetes-crd.md
View file

@ -1648,19 +1648,21 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
dialTimeout: 42s # [7]
responseHeaderTimeout: 42s # [8]
idleConnTimeout: 42s # [9]
peerCertURI: foobar # [10]
```
| Ref | Attribute | Purpose |
|-----|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `serverName` | ServerName used to contact the server. |
| [2] | `insecureSkipVerify` | Disable SSL certificate verification. |
| [3] | `rootCAsSecrets` | Add cert file for self-signed certificate. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | `certificatesSecrets` | Certificates for mTLS. |
| [5] | `maxIdleConnsPerHost` | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. |
| [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the backend servers. |
| [7] | `dialTimeout` | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. |
| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | `idleConnTimeout` | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself. |
| Ref | Attribute | Purpose |
|------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `serverName` | ServerName used to contact the server. |
| [2] | `insecureSkipVerify` | Disable SSL certificate verification. |
| [3] | `rootCAsSecrets` | Add cert file for self-signed certificate. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | `certificatesSecrets` | Certificates for mTLS. |
| [5] | `maxIdleConnsPerHost` | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. |
| [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the backend servers. |
| [7] | `dialTimeout` | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. |
| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | `idleConnTimeout` | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself. |
| [10] | `peerCertURI` | URI used to match with service certificate. |
!!! info "CA Secret"

31
docs/content/routing/services/index.md
View file

@ -738,6 +738,37 @@ spec:
disableHTTP2: true
```
#### `peerCertURI`
_Optional, Default=false_
`peerCertURI` defines the URI used to match against SAN URI during the peer certificate verification.
```toml tab="File (TOML)"
## Dynamic configuration
[http.serversTransports.mytransport]
peerCertURI = "foobar"
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
serversTransports:
mytransport:
peerCertURI: foobar
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: mytransport
namespace: default
spec:
peerCertURI: foobar
```
#### `forwardingTimeouts`
`forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.

2
docs/scripts/verify.sh
View file

@ -22,7 +22,7 @@ find "${PATH_TO_SITE}" -type f -not -path "/app/site/theme/*" \
--alt_ignore="/traefikproxy-vertical-logo-color.svg/" \
--http_status_ignore="0,500,501,503" \
--file_ignore="/404.html/" \
--url_ignore="/https://groups.google.com/a/traefik.io/forum/#!forum/security/,/localhost:/,/127.0.0.1:/,/fonts.gstatic.com/,/.minikube/,/github.com\/traefik\/traefik\/*edit*/,/github.com\/traefik\/traefik/,/doc.traefik.io/,/github\.com\/golang\/oauth2\/blob\/36a7019397c4c86cf59eeab3bc0d188bac444277\/.+/,/www.akamai.com/,/pilot.traefik.io\/profile/,/traefik.io/,/doc.traefik.io\/traefik-mesh/,/www.mkdocs.org/,/squidfunk.github.io/,/ietf.org/,/www.namesilo.com/,/www.youtube.com/,/www.linode.com/" \
--url_ignore="/https://groups.google.com/a/traefik.io/forum/#!forum/security/,/localhost:/,/127.0.0.1:/,/fonts.gstatic.com/,/.minikube/,/github.com\/traefik\/traefik\/*edit*/,/github.com\/traefik\/traefik/,/doc.traefik.io/,/github\.com\/golang\/oauth2\/blob\/36a7019397c4c86cf59eeab3bc0d188bac444277\/.+/,/www.akamai.com/,/pilot.traefik.io\/profile/,/traefik.io/,/doc.traefik.io\/traefik-mesh/,/www.mkdocs.org/,/squidfunk.github.io/,/ietf.org/,/www.namesilo.com/,/www.youtube.com/,/www.linode.com/,/www.alibabacloud.com/" \
'{}' 1>/dev/null
## HTML-proofer options at https://github.com/gjtorikian/html-proofer#configuration

35
go.mod
View file

@ -37,20 +37,23 @@ require (
github.com/google/go-github/v28 v28.1.1
github.com/gorilla/mux v1.7.3
github.com/gorilla/websocket v1.4.2
github.com/hashicorp/consul/api v1.3.0
github.com/hashicorp/go-multierror v1.0.0
github.com/hashicorp/go-version v1.2.0
github.com/hashicorp/consul v1.10.0
github.com/hashicorp/consul/api v1.9.1
github.com/hashicorp/go-hclog v0.16.1
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-version v1.2.1
github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
github.com/instana/go-sensor v1.5.1
github.com/klauspost/compress v1.13.0
github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad
github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807
github.com/libkermit/docker-check v0.0.0-20171122104347-1113af38e591
github.com/lucas-clemente/quic-go v0.20.1
github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
github.com/miekg/dns v1.1.40
github.com/miekg/dns v1.1.43
github.com/mitchellh/copystructure v1.0.0
github.com/mitchellh/hashstructure v1.0.0
github.com/mitchellh/mapstructure v1.3.3
github.com/mitchellh/mapstructure v1.4.1
github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c // indirect
github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
github.com/opencontainers/image-spec v1.0.1 // indirect
@ -69,9 +72,8 @@ require (
github.com/stretchr/testify v1.7.0
github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
github.com/tinylib/msgp v1.0.2 // indirect
github.com/traefik/gziphandler v1.1.2-0.20210212101304-175e0fad6888
github.com/traefik/paerser v0.1.4
github.com/traefik/yaegi v0.9.19
github.com/traefik/yaegi v0.9.21
github.com/uber/jaeger-client-go v2.29.1+incompatible
github.com/uber/jaeger-lib v2.2.0+incompatible
github.com/unrolled/render v1.0.2
@ -82,21 +84,22 @@ require (
go.elastic.co/apm v1.11.0
go.elastic.co/apm/module/apmot v1.11.0
golang.org/x/mod v0.4.2
golang.org/x/net v0.0.0-20210220033124-5f55cee0dc0d
golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
golang.org/x/tools v0.0.0-20200904185747-39188db58858
golang.org/x/tools v0.1.0
google.golang.org/grpc v1.27.1
gopkg.in/DataDog/dd-trace-go.v1 v1.19.0
gopkg.in/fsnotify.v1 v1.4.7
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
k8s.io/api v0.20.2
k8s.io/apiextensions-apiserver v0.20.1
k8s.io/apimachinery v0.20.2
k8s.io/client-go v0.20.2
k8s.io/code-generator v0.20.2
k8s.io/api v0.21.0
k8s.io/apiextensions-apiserver v0.20.2
k8s.io/apimachinery v0.21.0
k8s.io/client-go v0.21.0
k8s.io/code-generator v0.21.0
k8s.io/utils v0.0.0-20210709001253-0e1f9d693477
mvdan.cc/xurls/v2 v2.1.0
sigs.k8s.io/controller-tools v0.4.1
sigs.k8s.io/gateway-api v0.2.0
sigs.k8s.io/controller-tools v0.5.0
sigs.k8s.io/gateway-api v0.3.0
)
// Containous forks

422
go.sum
View file

File diff suppressed because it is too large Load diff

230
integration/consul_catalog_test.go
View file

@ -54,6 +54,18 @@ func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
})
}
func (s *ConsulCatalogSuite) waitForConnectCA() error {
return try.Do(15*time.Second, func() error {
caroots, _, err := s.consulClient.Connect().CARoots(nil)
if err != nil || len(caroots.Roots) == 0 {
return fmt.Errorf("connect CA not fully initialized. %w", err)
}
return nil
})
}
func (s *ConsulCatalogSuite) TearDownSuite(c *check.C) {
// shutdown and delete compose project
if s.composeProject != nil {
@ -611,3 +623,221 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
err = s.deregisterService("whoami2", false)
c.Assert(err, checker.IsNil)
}
func (s *ConsulCatalogSuite) TestConsulConnect(c *check.C) {
// Wait for consul to fully initialize connect CA
err := s.waitForConnectCA()
c.Assert(err, checker.IsNil)
connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
reg := &api.AgentServiceRegistration{
ID: "uuid-api1",
Name: "uuid-api",
Tags: []string{
"traefik.enable=true",
"traefik.consulcatalog.connect=true",
"traefik.http.routers.router1.rule=Path(`/`)",
"traefik.http.routers.router1.service=service1",
"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
},
Connect: &api.AgentServiceConnect{
Native: true,
},
Port: 443,
Address: connectIP,
}
err = s.registerService(reg, false)
c.Assert(err, checker.IsNil)
whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
regWhoami := &api.AgentServiceRegistration{
ID: "whoami1",
Name: "whoami",
Tags: []string{
"traefik.enable=true",
"traefik.http.routers.router2.rule=Path(`/whoami`)",
"traefik.http.routers.router2.service=whoami",
},
Port: 80,
Address: whoamiIP,
}
err = s.registerService(regWhoami, false)
c.Assert(err, checker.IsNil)
tempObjects := struct {
ConsulAddress string
}{
ConsulAddress: s.consulAddress,
}
file := s.adaptFile(c, "fixtures/consul_catalog/connect.toml", tempObjects)
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err = cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8000/", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = s.deregisterService("uuid-api1", false)
c.Assert(err, checker.IsNil)
err = s.deregisterService("whoami1", false)
c.Assert(err, checker.IsNil)
}
func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault(c *check.C) {
// Wait for consul to fully initialize connect CA
err := s.waitForConnectCA()
c.Assert(err, checker.IsNil)
connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
reg := &api.AgentServiceRegistration{
ID: "uuid-api1",
Name: "uuid-api",
Tags: []string{
"traefik.enable=true",
"traefik.http.routers.router1.rule=Path(`/`)",
"traefik.http.routers.router1.service=service1",
"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
},
Connect: &api.AgentServiceConnect{
Native: true,
},
Port: 443,
Address: connectIP,
}
err = s.registerService(reg, false)
c.Assert(err, checker.IsNil)
whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
regWhoami := &api.AgentServiceRegistration{
ID: "whoami1",
Name: "whoami1",
Tags: []string{
"traefik.enable=true",
"traefik.http.routers.router2.rule=Path(`/whoami`)",
"traefik.http.routers.router2.service=whoami",
},
Port: 80,
Address: whoamiIP,
}
err = s.registerService(regWhoami, false)
c.Assert(err, checker.IsNil)
whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
regWhoami2 := &api.AgentServiceRegistration{
ID: "whoami2",
Name: "whoami2",
Tags: []string{
"traefik.enable=true",
"traefik.consulcatalog.connect=false",
"traefik.http.routers.router2.rule=Path(`/whoami2`)",
"traefik.http.routers.router2.service=whoami2",
},
Port: 80,
Address: whoami2IP,
}
err = s.registerService(regWhoami2, false)
c.Assert(err, checker.IsNil)
tempObjects := struct {
ConsulAddress string
}{
ConsulAddress: s.consulAddress,
}
file := s.adaptFile(c, "fixtures/consul_catalog/connect_by_default.toml", tempObjects)
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err = cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8000/", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 10*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami2", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = s.deregisterService("uuid-api1", false)
c.Assert(err, checker.IsNil)
err = s.deregisterService("whoami1", false)
c.Assert(err, checker.IsNil)
err = s.deregisterService("whoami2", false)
c.Assert(err, checker.IsNil)
}
func (s *ConsulCatalogSuite) TestConsulConnect_NotAware(c *check.C) {
// Wait for consul to fully initialize connect CA
err := s.waitForConnectCA()
c.Assert(err, checker.IsNil)
connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
reg := &api.AgentServiceRegistration{
ID: "uuid-api1",
Name: "uuid-api",
Tags: []string{
"traefik.enable=true",
"traefik.consulcatalog.connect=true",
"traefik.http.routers.router1.rule=Path(`/`)",
"traefik.http.routers.router1.service=service1",
"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
},
Connect: &api.AgentServiceConnect{
Native: true,
},
Port: 443,
Address: connectIP,
}
err = s.registerService(reg, false)
c.Assert(err, checker.IsNil)
whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
regWhoami := &api.AgentServiceRegistration{
ID: "whoami1",
Name: "whoami",
Tags: []string{
"traefik.enable=true",
"traefik.http.routers.router2.rule=Path(`/whoami`)",
"traefik.http.routers.router2.service=whoami",
},
Port: 80,
Address: whoamiIP,
}
err = s.registerService(regWhoami, false)
c.Assert(err, checker.IsNil)
tempObjects := struct {
ConsulAddress string
}{
ConsulAddress: s.consulAddress,
}
file := s.adaptFile(c, "fixtures/consul_catalog/connect_not_aware.toml", tempObjects)
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err = cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8000/", 10*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = s.deregisterService("uuid-api1", false)
c.Assert(err, checker.IsNil)
err = s.deregisterService("whoami1", false)
c.Assert(err, checker.IsNil)
}

21
integration/fixtures/consul_catalog/connect.toml Normal file
View file

@ -0,0 +1,21 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]
insecure = true
[providers]
[providers.consulCatalog]
exposedByDefault = false
refreshInterval = "500ms"
connectAware = true
[providers.consulCatalog.endpoint]
address = "{{ .ConsulAddress }}"

22
integration/fixtures/consul_catalog/connect_by_default.toml Normal file
View file

@ -0,0 +1,22 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]
insecure = true
[providers]
[providers.consulCatalog]
exposedByDefault = false
refreshInterval = "500ms"
connectAware = true
connectByDefault = true
[providers.consulCatalog.endpoint]
address = "{{ .ConsulAddress }}"

21
integration/fixtures/consul_catalog/connect_not_aware.toml Normal file
View file

@ -0,0 +1,21 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]
insecure = true
[providers]
[providers.consulCatalog]
exposedByDefault = false
refreshInterval = "500ms"
connectAware = false
[providers.consulCatalog.endpoint]
address = "{{ .ConsulAddress }}"

3134
integration/fixtures/k8s/01-gateway-api.yml
View file

File diff suppressed because it is too large Load diff

7
integration/fixtures/k8s/01-traefik-crd.yml
View file

@ -741,6 +741,7 @@ spec:
type: string
type: object
featurePolicy:
description: 'Deprecated: use PermissionsPolicy instead.'
type: string
forceSTSHeader:
type: boolean
@ -752,6 +753,8 @@ spec:
type: array
isDevelopment:
type: boolean
permissionsPolicy:
type: string
publicKey:
type: string
referrerPolicy:
@ -1142,6 +1145,10 @@ spec:
description: If non-zero, controls the maximum idle (keep-alive) to
keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
type: integer
peerCertURI:
description: URI used to match against SAN URI during the peer certificate
verification.
type: string
rootCAsSecrets:
description: Add cert file for self-signed certificate.
items:

1
integration/fixtures/k8s_crd.toml
View file

@ -17,3 +17,4 @@
[providers.kubernetesCRD]
allowCrossNamespace = false
allowExternalNameServices = true

10
integration/resources/compose/consul_catalog.yml
View file

@ -2,7 +2,7 @@ consul:
image: consul:1.6.2
ports:
- 8500:8500
command: "agent -server -bootstrap -ui -client 0.0.0.0"
command: "agent -server -bootstrap -ui -client 0.0.0.0 -hcl 'connect { enabled = true }'"
consul-agent:
image: consul:1.6.2
ports:
@ -22,3 +22,11 @@ whoami3:
whoamitcp:
image: traefik/whoamitcp
hostname: whoamitcp
connect:
image: hashicorpnomad/uuid-api:v5
links:
- consul
environment:
PORT: 443
BIND: 0.0.0.0
CONSUL_HTTP_ADDR: http://consul:8500

17
pkg/config/dynamic/http_config.go
View file

@ -5,7 +5,7 @@ import (
"time"
ptypes "github.com/traefik/paerser/types"
"github.com/traefik/traefik/v2/pkg/tls"
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
"github.com/traefik/traefik/v2/pkg/types"
)
@ -218,13 +218,14 @@ type HealthCheck struct{}
// ServersTransport options to configure communication between Traefik and the servers.
type ServersTransport struct {
ServerName string `description:"ServerName used to contact the server" json:"serverName,omitempty" toml:"serverName,omitempty" yaml:"serverName,omitempty"`
InsecureSkipVerify bool `description:"Disable SSL certificate verification." json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
RootCAs []tls.FileOrContent `description:"Add cert file for self-signed certificate." json:"rootCAs,omitempty" toml:"rootCAs,omitempty" yaml:"rootCAs,omitempty"`
Certificates tls.Certificates `description:"Certificates for mTLS." json:"certificates,omitempty" toml:"certificates,omitempty" yaml:"certificates,omitempty" export:"true"`
MaxIdleConnsPerHost int `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used" json:"maxIdleConnsPerHost,omitempty" toml:"maxIdleConnsPerHost,omitempty" yaml:"maxIdleConnsPerHost,omitempty" export:"true"`
ForwardingTimeouts *ForwardingTimeouts `description:"Timeouts for requests forwarded to the backend servers." json:"forwardingTimeouts,omitempty" toml:"forwardingTimeouts,omitempty" yaml:"forwardingTimeouts,omitempty" export:"true"`
DisableHTTP2 bool `description:"Disable HTTP/2 for connections with backend servers." json:"disableHTTP2,omitempty" toml:"disableHTTP2,omitempty" yaml:"disableHTTP2,omitempty" export:"true"`
ServerName string `description:"ServerName used to contact the server" json:"serverName,omitempty" toml:"serverName,omitempty" yaml:"serverName,omitempty"`
InsecureSkipVerify bool `description:"Disable SSL certificate verification." json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
RootCAs []traefiktls.FileOrContent `description:"Add cert file for self-signed certificate." json:"rootCAs,omitempty" toml:"rootCAs,omitempty" yaml:"rootCAs,omitempty"`
Certificates traefiktls.Certificates `description:"Certificates for mTLS." json:"certificates,omitempty" toml:"certificates,omitempty" yaml:"certificates,omitempty" export:"true"`
MaxIdleConnsPerHost int `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used" json:"maxIdleConnsPerHost,omitempty" toml:"maxIdleConnsPerHost,omitempty" yaml:"maxIdleConnsPerHost,omitempty" export:"true"`
ForwardingTimeouts *ForwardingTimeouts `description:"Timeouts for requests forwarded to the backend servers." json:"forwardingTimeouts,omitempty" toml:"forwardingTimeouts,omitempty" yaml:"forwardingTimeouts,omitempty" export:"true"`
DisableHTTP2 bool `description:"Disable HTTP/2 for connections with backend servers." json:"disableHTTP2,omitempty" toml:"disableHTTP2,omitempty" yaml:"disableHTTP2,omitempty" export:"true"`
PeerCertURI string `description:"URI used to match against SAN URI during the peer certificate verification." json:"peerCertURI,omitempty" toml:"peerCertURI,omitempty" yaml:"peerCertURI,omitempty" export:"true"`
}
// +k8s:deepcopy-gen=true

1
pkg/config/label/label_test.go
View file

@ -675,6 +675,7 @@ func TestDecodeConfiguration(t *testing.T) {
},
}
assert.Nil(t, configuration.HTTP.ServersTransports)
assert.Equal(t, expected, configuration)
}

3
pkg/middlewares/accesslog/logger.go
View file

@ -10,6 +10,7 @@ import (
"net/url"
"os"
"path/filepath"
"strings"
"sync"
"sync/atomic"
"time"
@ -347,7 +348,7 @@ func (h *Handler) redactHeaders(headers http.Header, fields logrus.Fields, prefi
for k := range headers {
v := h.config.Fields.KeepHeader(k)
if v == types.AccessLogKeep {
fields[prefix+k] = headers.Get(k)
fields[prefix+k] = strings.Join(headers.Values(k), ",")
} else if v == types.AccessLogRedact {
fields[prefix+k] = "REDACTED"
}

11
pkg/middlewares/accesslog/logger_test.go
View file

@ -114,7 +114,7 @@ func lineCount(t *testing.T, fileName string) int {
}
func TestLoggerHeaderFields(t *testing.T) {
expectedValue := "expectedValue"
expectedValues := []string{"AAA", "BBB"}
testCases := []struct {
desc string
@ -191,7 +191,10 @@ func TestLoggerHeaderFields(t *testing.T) {
Path: testPath,
},
}
req.Header.Set(test.header, expectedValue)
for _, s := range expectedValues {
req.Header.Add(test.header, s)
}
logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(func(writer http.ResponseWriter, r *http.Request) {
writer.WriteHeader(http.StatusOK)
@ -201,9 +204,9 @@ func TestLoggerHeaderFields(t *testing.T) {
require.NoError(t, err)
if test.expected == types.AccessLogDrop {
assert.NotContains(t, string(logData), expectedValue)
assert.NotContains(t, string(logData), strings.Join(expectedValues, ","))
} else {
assert.Contains(t, string(logData), expectedValue)
assert.Contains(t, string(logData), strings.Join(expectedValues, ","))
}
})
}

10
pkg/middlewares/compress/compress.go
View file

@ -6,8 +6,8 @@ import (
"mime"
"net/http"
"github.com/klauspost/compress/gzhttp"
"github.com/opentracing/opentracing-go/ext"
"github.com/traefik/gziphandler"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/middlewares"
@ -61,10 +61,10 @@ func (c *compress) GetTracingInformation() (string, ext.SpanKindEnum) {
}
func (c *compress) gzipHandler(ctx context.Context) http.Handler {
wrapper, err := gziphandler.GzipHandlerWithOpts(
gziphandler.ContentTypeExceptions(c.excludes),
gziphandler.CompressionLevel(gzip.DefaultCompression),
gziphandler.MinSize(gziphandler.DefaultMinSize))
wrapper, err := gzhttp.NewWrapper(
gzhttp.ExceptContentTypes(c.excludes),
gzhttp.CompressionLevel(gzip.DefaultCompression),
gzhttp.MinSize(gzhttp.DefaultMinSize))
if err != nil {
log.FromContext(ctx).Error(err)
}

111
pkg/middlewares/compress/compress_test.go
View file

@ -7,9 +7,9 @@ import (
"net/http/httptest"
"testing"
"github.com/klauspost/compress/gzhttp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/traefik/gziphandler"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/testhelpers"
)
@ -26,13 +26,14 @@ func TestShouldCompressWhenNoContentEncodingHeader(t *testing.T) {
req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost", nil)
req.Header.Add(acceptEncodingHeader, gzipValue)
baseBody := generateBytes(gziphandler.DefaultMinSize)
baseBody := generateBytes(gzhttp.DefaultMinSize)
next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
_, err := rw.Write(baseBody)
assert.NoError(t, err)
})
handler := &compress{next: next}
handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
require.NoError(t, err)
rw := httptest.NewRecorder()
handler.ServeHTTP(rw, req)
@ -49,7 +50,7 @@ func TestShouldNotCompressWhenContentEncodingHeader(t *testing.T) {
req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost", nil)
req.Header.Add(acceptEncodingHeader, gzipValue)
fakeCompressedBody := generateBytes(gziphandler.DefaultMinSize)
fakeCompressedBody := generateBytes(gzhttp.DefaultMinSize)
next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
rw.Header().Add(contentEncodingHeader, gzipValue)
rw.Header().Add(varyHeader, acceptEncodingHeader)
@ -58,7 +59,8 @@ func TestShouldNotCompressWhenContentEncodingHeader(t *testing.T) {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
})
handler := &compress{next: next}
handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
require.NoError(t, err)
rw := httptest.NewRecorder()
handler.ServeHTTP(rw, req)
@ -72,14 +74,15 @@ func TestShouldNotCompressWhenContentEncodingHeader(t *testing.T) {
func TestShouldNotCompressWhenNoAcceptEncodingHeader(t *testing.T) {
req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost", nil)
fakeBody := generateBytes(gziphandler.DefaultMinSize)
fakeBody := generateBytes(gzhttp.DefaultMinSize)
next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
_, err := rw.Write(fakeBody)
if err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
})
handler := &compress{next: next}
handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
require.NoError(t, err)
rw := httptest.NewRecorder()
handler.ServeHTTP(rw, req)
@ -89,7 +92,7 @@ func TestShouldNotCompressWhenNoAcceptEncodingHeader(t *testing.T) {
}
func TestShouldNotCompressWhenSpecificContentType(t *testing.T) {
baseBody := generateBytes(gziphandler.DefaultMinSize)
baseBody := generateBytes(gzhttp.DefaultMinSize)
testCases := []struct {
desc string
@ -190,7 +193,9 @@ func TestIntegrationShouldNotCompress(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
compress := &compress{next: test.handler}
compress, err := New(context.Background(), test.handler, dynamic.Compress{}, "testing")
require.NoError(t, err)
ts := httptest.NewServer(compress)
defer ts.Close()
@ -223,7 +228,9 @@ func TestShouldWriteHeaderWhenFlush(t *testing.T) {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
})
handler := &compress{next: next}
handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
require.NoError(t, err)
ts := httptest.NewServer(handler)
defer ts.Close()
@ -272,7 +279,9 @@ func TestIntegrationShouldCompress(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
compress := &compress{next: test.handler}
compress, err := New(context.Background(), test.handler, dynamic.Compress{}, "testing")
require.NoError(t, err)
ts := httptest.NewServer(compress)
defer ts.Close()
@ -296,6 +305,86 @@ func TestIntegrationShouldCompress(t *testing.T) {
}
}
func BenchmarkCompress(b *testing.B) {
testCases := []struct {
name string
parallel bool
size int
}{
{
name: "2k",
size: 2048,
},
{
name: "20k",
size: 20480,
},
{
name: "100k",
size: 102400,
},
{
name: "2k parallel",
parallel: true,
size: 2048,
},
{
name: "20k parallel",
parallel: true,
size: 20480,
},
{
name: "100k parallel",
parallel: true,
size: 102400,
},
}
for _, test := range testCases {
b.Run(test.name, func(b *testing.B) {
baseBody := generateBytes(test.size)
next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
_, err := rw.Write(baseBody)
assert.NoError(b, err)
})
handler, _ := New(context.Background(), next, dynamic.Compress{}, "testing")
req, _ := http.NewRequest("GET", "/whatever", nil)
req.Header.Set("Accept-Encoding", "gzip")
b.ReportAllocs()
b.SetBytes(int64(test.size))
if test.parallel {
b.ResetTimer()
b.RunParallel(func(pb *testing.PB) {
for pb.Next() {
runBenchmark(b, req, handler)
}
})
return
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
runBenchmark(b, req, handler)
}
})
}
}
func runBenchmark(b *testing.B, req *http.Request, handler http.Handler) {
b.Helper()
res := httptest.NewRecorder()
handler.ServeHTTP(res, req)
if code := res.Code; code != 200 {
b.Fatalf("Expected 200 but got %d", code)
}
assert.Equal(b, gzipValue, res.Header().Get(contentEncodingHeader))
}
func generateBytes(length int) []byte {
var value []byte
for i := 0; i < length; i++ {

63
pkg/middlewares/headers/responsewriter.go
View file

@ -10,8 +10,8 @@ import (
)
type responseModifier struct {
r *http.Request
w http.ResponseWriter
req *http.Request
rw http.ResponseWriter
headersSent bool // whether headers have already been sent
code int // status code, must default to 200
@ -24,71 +24,76 @@ type responseModifier struct {
// modifier can be nil.
func newResponseModifier(w http.ResponseWriter, r *http.Request, modifier func(*http.Response) error) *responseModifier {
return &responseModifier{
r: r,
w: w,
req: r,
rw: w,
modifier: modifier,
code: http.StatusOK,
}
}
func (w *responseModifier) WriteHeader(code int) {
if w.headersSent {
func (r *responseModifier) WriteHeader(code int) {
if r.headersSent {
return
}
defer func() {
w.code = code
w.headersSent = true
r.code = code
r.headersSent = true
}()
if w.modifier == nil || w.modified {
w.w.WriteHeader(code)
if r.modifier == nil || r.modified {
r.rw.WriteHeader(code)
return
}
resp := http.Response{
Header: w.w.Header(),
Request: w.r,
Header: r.rw.Header(),
Request: r.req,
}
if err := w.modifier(&resp); err != nil {
w.modifierErr = err
if err := r.modifier(&resp); err != nil {
r.modifierErr = err
// we are propagating when we are called in Write, but we're logging anyway,
// because we could be called from another place which does not take care of
// checking w.modifierErr.
log.WithoutContext().Errorf("Error when applying response modifier: %v", err)
w.w.WriteHeader(http.StatusInternalServerError)
r.rw.WriteHeader(http.StatusInternalServerError)
return
}
w.modified = true
w.w.WriteHeader(code)
r.modified = true
r.rw.WriteHeader(code)
}
func (w *responseModifier) Header() http.Header {
return w.w.Header()
func (r *responseModifier) Header() http.Header {
return r.rw.Header()
}
func (w *responseModifier) Write(b []byte) (int, error) {
w.WriteHeader(w.code)
if w.modifierErr != nil {
return 0, w.modifierErr
func (r *responseModifier) Write(b []byte) (int, error) {
r.WriteHeader(r.code)
if r.modifierErr != nil {
return 0, r.modifierErr
}
return w.w.Write(b)
return r.rw.Write(b)
}
// Hijack hijacks the connection.
func (w *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
if h, ok := w.w.(http.Hijacker); ok {
func (r *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
if h, ok := r.rw.(http.Hijacker); ok {
return h.Hijack()
}
return nil, nil, fmt.Errorf("not a hijacker: %T", w.w)
return nil, nil, fmt.Errorf("not a hijacker: %T", r.rw)
}
// Flush sends any buffered data to the client.
func (w *responseModifier) Flush() {
if flusher, ok := w.w.(http.Flusher); ok {
func (r *responseModifier) Flush() {
if flusher, ok := r.rw.(http.Flusher); ok {
flusher.Flush()
}
}
// CloseNotify implements http.CloseNotifier.
func (r *responseModifier) CloseNotify() <-chan bool {
return r.rw.(http.CloseNotifier).CloseNotify()
}

3
pkg/plugins/providers.go
View file

@ -23,6 +23,7 @@ type PP interface {
}
type _PP struct {
IValue interface{}
WInit func() error
WProvide func(cfgChan chan<- json.Marshaler) error
WStop func() error
@ -42,7 +43,7 @@ func (p _PP) Stop() error {
func ppSymbols() map[string]map[string]reflect.Value {
return map[string]map[string]reflect.Value{
"github.com/traefik/traefik/v2/pkg/plugins": {
"github.com/traefik/traefik/v2/pkg/plugins/plugins": {
"PP": reflect.ValueOf((*PP)(nil)),
"_PP": reflect.ValueOf((*_PP)(nil)),
},

33
pkg/provider/configuration.go
View file

@ -20,9 +20,10 @@ func Merge(ctx context.Context, configurations map[string]*dynamic.Configuration
configuration := &dynamic.Configuration{
HTTP: &dynamic.HTTPConfiguration{
Routers: make(map[string]*dynamic.Router),
Middlewares: make(map[string]*dynamic.Middleware),
Services: make(map[string]*dynamic.Service),
Routers: make(map[string]*dynamic.Router),
Middlewares: make(map[string]*dynamic.Middleware),
Services: make(map[string]*dynamic.Service),
ServersTransports: make(map[string]*dynamic.ServersTransport),
},
TCP: &dynamic.TCPConfiguration{
Routers: make(map[string]*dynamic.TCPRouter),
@ -59,6 +60,9 @@ func Merge(ctx context.Context, configurations map[string]*dynamic.Configuration
middlewaresTCPToDelete := map[string]struct{}{}
middlewaresTCP := map[string][]string{}
transportsToDelete := map[string]struct{}{}
transports := map[string][]string{}
var sortedKeys []string
for key := range configurations {
sortedKeys = append(sortedKeys, key)
@ -81,6 +85,13 @@ func Merge(ctx context.Context, configurations map[string]*dynamic.Configuration
}
}
for transportName, transport := range conf.HTTP.ServersTransports {
transports[transportName] = append(transports[transportName], root)
if !AddTransport(configuration.HTTP, transportName, transport) {
transportsToDelete[transportName] = struct{}{}
}
}
for serviceName, service := range conf.TCP.Services {
servicesTCP[serviceName] = append(servicesTCP[serviceName], root)
if !AddServiceTCP(configuration.TCP, serviceName, service) {
@ -136,6 +147,12 @@ func Merge(ctx context.Context, configurations map[string]*dynamic.Configuration
delete(configuration.HTTP.Routers, routerName)
}
for transportName := range transportsToDelete {
logger.WithField(log.ServersTransportName, transportName).
Errorf("ServersTransport defined multiple times with different configurations in %v", transports[transportName])
delete(configuration.HTTP.ServersTransports, transportName)
}
for serviceName := range servicesTCPToDelete {
logger.WithField(log.ServiceName, serviceName).
Errorf("Service TCP defined multiple times with different configurations in %v", servicesTCP[serviceName])
@ -290,6 +307,16 @@ func AddRouter(configuration *dynamic.HTTPConfiguration, routerName string, rout
return reflect.DeepEqual(configuration.Routers[routerName], router)
}
// AddTransport Adds a transport to a configurations.
func AddTransport(configuration *dynamic.HTTPConfiguration, transportName string, transport *dynamic.ServersTransport) bool {
if _, ok := configuration.ServersTransports[transportName]; !ok {
configuration.ServersTransports[transportName] = transport
return true
}
return reflect.DeepEqual(configuration.ServersTransports[transportName], transport)
}
// AddMiddleware Adds a middleware to a configurations.
func AddMiddleware(configuration *dynamic.HTTPConfiguration, middlewareName string, middleware *dynamic.Middleware) bool {
if _, ok := configuration.Middlewares[middlewareName]; !ok {

36
pkg/provider/consulcatalog/config.go
View file

@ -14,7 +14,7 @@ import (
"github.com/traefik/traefik/v2/pkg/provider/constraints"
)
func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dynamic.Configuration {
func (p *Provider) buildConfiguration(ctx context.Context, items []itemData, certInfo *connectCert) *dynamic.Configuration {
configurations := make(map[string]*dynamic.Configuration)
for _, item := range items {
@ -42,6 +42,7 @@ func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dy
logger.Error(err)
continue
}
provider.BuildTCPRouterConfiguration(ctxSvc, confFromLabel.TCP)
}
@ -63,6 +64,17 @@ func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dy
continue
}
if item.ExtraConf.ConsulCatalog.Connect {
if confFromLabel.HTTP.ServersTransports == nil {
confFromLabel.HTTP.ServersTransports = make(map[string]*dynamic.ServersTransport)
}
serversTransportKey := itemServersTransportKey(item)
if confFromLabel.HTTP.ServersTransports[serversTransportKey] == nil {
confFromLabel.HTTP.ServersTransports[serversTransportKey] = certInfo.serversTransport(item)
}
}
err = p.buildServiceConfiguration(ctxSvc, item, confFromLabel.HTTP)
if err != nil {
logger.Error(err)
@ -93,13 +105,18 @@ func (p *Provider) keepContainer(ctx context.Context, item itemData) bool {
return false
}
if !p.ConnectAware && item.ExtraConf.ConsulCatalog.Connect {
logger.Debugf("Filtering out Connect aware item, Connect support is not enabled")
return false
}
matches, err := constraints.MatchTags(item.Tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraints expression: %v", err)
logger.Errorf("Error matching constraint expressions: %v", err)
return false
}
if !matches {
logger.Debugf("Container pruned by constraint expression: %q", p.Constraints)
logger.Debugf("Container pruned by constraint expressions: %q", p.Constraints)
return false
}
@ -267,8 +284,19 @@ func (p *Provider) addServer(ctx context.Context, item itemData, loadBalancer *d
return errors.New("address is missing")
}
loadBalancer.Servers[0].URL = fmt.Sprintf("%s://%s", loadBalancer.Servers[0].Scheme, net.JoinHostPort(item.Address, port))
scheme := loadBalancer.Servers[0].Scheme
loadBalancer.Servers[0].Scheme = ""
if item.ExtraConf.ConsulCatalog.Connect {
loadBalancer.ServersTransport = itemServersTransportKey(item)
scheme = "https"
}
loadBalancer.Servers[0].URL = fmt.Sprintf("%s://%s", scheme, net.JoinHostPort(item.Address, port))
return nil
}
func itemServersTransportKey(item itemData) string {
return provider.Normalize("tls-" + item.Namespace + "-" + item.Datacenter + "-" + item.Name)
}

320
pkg/provider/consulcatalog/config_test.go
View file

@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/tls"
)
func Int(v int) *int { return &v }
@ -65,6 +66,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -114,6 +116,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -156,6 +159,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -198,6 +202,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -245,6 +250,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -265,11 +271,11 @@ func TestDefaultRule(t *testing.T) {
for i := 0; i < len(test.items); i++ {
var err error
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i])
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i].Labels)
require.NoError(t, err)
}
configuration := p.buildConfiguration(context.Background(), test.items)
configuration := p.buildConfiguration(context.Background(), test.items, nil)
assert.Equal(t, test.expected, configuration)
})
@ -278,10 +284,11 @@ func TestDefaultRule(t *testing.T) {
func Test_buildConfiguration(t *testing.T) {
testCases := []struct {
desc string
items []itemData
constraints string
expected *dynamic.Configuration
desc string
items []itemData
constraints string
ConnectAware bool
expected *dynamic.Configuration
}{
{
desc: "one container no label",
@ -326,6 +333,162 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
{
desc: "one connect container",
ConnectAware: true,
items: []itemData{
{
ID: "Test",
Node: "Node1",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.1",
Port: "443",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
},
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
},
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"dev-Test": {
Service: "dev-Test",
Rule: "Host(`dev-Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"dev-Test": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://127.0.0.1:443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "tls-ns-dc1-dev-Test",
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{
"tls-ns-dc1-dev-Test": {
ServerName: "ns-dc1-dev/Test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{
"root",
},
Certificates: []tls.Certificate{
{
CertFile: "cert",
KeyFile: "key",
},
},
PeerCertURI: "spiffe:///ns/ns/dc/dc1/svc/dev/Test",
},
},
},
},
},
{
desc: "two connect containers on same service",
ConnectAware: true,
items: []itemData{
{
ID: "Test1",
Node: "Node1",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.1",
Port: "443",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
{
ID: "Test2",
Node: "Node2",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.2",
Port: "444",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
},
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
},
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"dev-Test": {
Service: "dev-Test",
Rule: "Host(`dev-Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"dev-Test": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://127.0.0.1:443",
},
{
URL: "https://127.0.0.2:444",
},
},
PassHostHeader: Bool(true),
ServersTransport: "tls-ns-dc1-dev-Test",
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{
"tls-ns-dc1-dev-Test": {
ServerName: "ns-dc1-dev/Test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{
"root",
},
Certificates: []tls.Certificate{
{
CertFile: "cert",
KeyFile: "key",
},
},
PeerCertURI: "spiffe:///ns/ns/dc/dc1/svc/dev/Test",
},
},
},
},
},
@ -395,6 +558,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -453,6 +617,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -508,6 +673,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -566,6 +732,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -613,6 +780,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -662,6 +830,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -709,6 +878,7 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`foo.com`)",
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -757,6 +927,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -811,6 +982,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -854,8 +1026,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -910,8 +1083,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -972,6 +1146,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1025,6 +1200,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1090,6 +1266,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1149,6 +1326,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1224,6 +1402,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1280,6 +1459,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1350,6 +1530,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1412,6 +1593,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1459,6 +1641,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1507,6 +1690,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1560,6 +1744,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1586,9 +1771,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1616,9 +1802,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1646,9 +1833,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1676,9 +1864,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1708,9 +1897,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1759,6 +1949,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1817,6 +2008,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1870,9 +2062,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1919,9 +2112,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1965,9 +2159,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2007,9 +2202,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2059,9 +2255,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2106,9 +2303,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2195,6 +2393,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2277,6 +2476,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2316,9 +2516,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2357,9 +2558,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2400,9 +2602,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2417,15 +2620,16 @@ func Test_buildConfiguration(t *testing.T) {
p := Provider{
ExposedByDefault: true,
DefaultRule: "Host(`{{ normalize .Name }}.traefik.wtf`)",
ConnectAware: test.ConnectAware,
Constraints: test.constraints,
}
p.Constraints = test.constraints
err := p.Init()
require.NoError(t, err)
for i := 0; i < len(test.items); i++ {
var err error
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i])
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i].Labels)
require.NoError(t, err)
var tags []string
@ -2435,7 +2639,13 @@ func Test_buildConfiguration(t *testing.T) {
test.items[i].Tags = tags
}
configuration := p.buildConfiguration(context.Background(), test.items)
configuration := p.buildConfiguration(context.Background(), test.items, &connectCert{
root: []string{"root"},
leaf: keyPair{
cert: "cert",
key: "key",
},
})
assert.Equal(t, test.expected, configuration)
})

74
pkg/provider/consulcatalog/connect_tls.go Normal file
View file

@ -0,0 +1,74 @@
package consulcatalog
import (
"fmt"
"github.com/hashicorp/consul/agent/connect"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
)
// connectCert holds our certificates as a client of the Consul Connect protocol.
type connectCert struct {
root []string
leaf keyPair
// err is used to propagate to the caller (Provide) any error occurring within the certificate watcher goroutines.
err error
}
func (c *connectCert) getRoot() []traefiktls.FileOrContent {
var result []traefiktls.FileOrContent
for _, r := range c.root {
result = append(result, traefiktls.FileOrContent(r))
}
return result
}
func (c *connectCert) getLeaf() traefiktls.Certificate {
return traefiktls.Certificate{
CertFile: traefiktls.FileOrContent(c.leaf.cert),
KeyFile: traefiktls.FileOrContent(c.leaf.key),
}
}
func (c *connectCert) isReady() bool {
return c != nil && len(c.root) > 0 && c.leaf.cert != "" && c.leaf.key != ""
}
func (c *connectCert) equals(other *connectCert) bool {
if c == nil && other == nil {
return true
}
if c == nil || other == nil {
return false
}
if len(c.root) != len(other.root) {
return false
}
for i, v := range c.root {
if v != other.root[i] {
return false
}
}
return c.leaf == other.leaf
}
func (c *connectCert) serversTransport(item itemData) *dynamic.ServersTransport {
spiffeIDService := connect.SpiffeIDService{
Namespace: item.Namespace,
Datacenter: item.Datacenter,
Service: item.Name,
}
return &dynamic.ServersTransport{
// This ensures that the config changes whenever the verifier function changes
ServerName: fmt.Sprintf("%s-%s-%s", item.Namespace, item.Datacenter, item.Name),
// InsecureSkipVerify is needed because Go wants to verify a hostname otherwise
InsecureSkipVerify: true,
RootCAs: c.getRoot(),
Certificates: traefiktls.Certificates{
c.getLeaf(),
},
PeerCertURI: spiffeIDService.URI().String(),
}
}

335
pkg/provider/consulcatalog/consul_catalog.go
View file

@ -4,12 +4,14 @@ import (
"context"
"fmt"
"strconv"
"strings"
"text/template"
"time"
"github.com/cenkalti/backoff/v4"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/api/watch"
"github.com/hashicorp/go-hclog"
"github.com/sirupsen/logrus"
ptypes "github.com/traefik/paerser/types"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/job"
@ -26,15 +28,17 @@ const DefaultTemplateRule = "Host(`{{ normalize .Name }}`)"
var _ provider.Provider = (*Provider)(nil)
type itemData struct {
ID string
Node string
Name string
Address string
Port string
Status string
Labels map[string]string
Tags []string
ExtraConf configuration
ID string
Node string
Datacenter string
Name string
Namespace string
Address string
Port string
Status string
Labels map[string]string
Tags []string
ExtraConf configuration
}
// Provider holds configurations of the provider.
@ -48,9 +52,13 @@ type Provider struct {
Cache bool `description:"Use local agent caching for catalog reads." json:"cache,omitempty" toml:"cache,omitempty" yaml:"cache,omitempty" export:"true"`
ExposedByDefault bool `description:"Expose containers by default." json:"exposedByDefault,omitempty" toml:"exposedByDefault,omitempty" yaml:"exposedByDefault,omitempty" export:"true"`
DefaultRule string `description:"Default rule." json:"defaultRule,omitempty" toml:"defaultRule,omitempty" yaml:"defaultRule,omitempty"`
ConnectAware bool `description:"Enable Consul Connect support." json:"connectAware,omitempty" toml:"connectAware,omitempty" yaml:"connectAware,omitempty" export:"true"`
ConnectByDefault bool `description:"Consider every service as Connect capable by default." json:"connectByDefault,omitempty" toml:"connectByDefault,omitempty" yaml:"connectByDefault,omitempty" export:"true"`
ServiceName string `description:"Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually)." json:"serviceName,omitempty" toml:"serviceName,omitempty" yaml:"serviceName,omitempty" export:"true"`
client *api.Client
defaultRuleTpl *template.Template
certChan chan *connectCert
}
// EndpointConfig holds configurations of the endpoint.
@ -64,11 +72,6 @@ type EndpointConfig struct {
EndpointWaitTime ptypes.Duration `description:"WaitTime limits how long a Watch will block. If not provided, the agent default values will be used" json:"endpointWaitTime,omitempty" toml:"endpointWaitTime,omitempty" yaml:"endpointWaitTime,omitempty" export:"true"`
}
// SetDefaults sets the default values.
func (c *EndpointConfig) SetDefaults() {
c.Address = "127.0.0.1:8500"
}
// EndpointHTTPAuthConfig holds configurations of the authentication.
type EndpointHTTPAuthConfig struct {
Username string `description:"Basic Auth username" json:"username,omitempty" toml:"username,omitempty" yaml:"username,omitempty"`
@ -78,12 +81,13 @@ type EndpointHTTPAuthConfig struct {
// SetDefaults sets the default values.
func (p *Provider) SetDefaults() {
endpoint := &EndpointConfig{}
endpoint.SetDefaults()
p.Endpoint = endpoint
p.RefreshInterval = ptypes.Duration(15 * time.Second)
p.Prefix = "traefik"
p.ExposedByDefault = true
p.DefaultRule = DefaultTemplateRule
p.ServiceName = "traefik"
p.certChan = make(chan *connectCert)
}
// Init the provider.
@ -99,6 +103,24 @@ func (p *Provider) Init() error {
// Provide allows the consul catalog provider to provide configurations to traefik using the given configuration channel.
func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error {
var err error
p.client, err = createClient(p.Endpoint)
if err != nil {
return fmt.Errorf("unable to create consul client: %w", err)
}
if p.ConnectAware {
leafWatcher, rootWatcher, err := p.createConnectTLSWatchers()
if err != nil {
return fmt.Errorf("unable to create consul watch plans: %w", err)
}
pool.GoCtx(func(routineCtx context.Context) {
p.watchConnectTLS(routineCtx, leafWatcher, rootWatcher)
})
}
var certInfo *connectCert
pool.GoCtx(func(routineCtx context.Context) {
ctxLog := log.With(routineCtx, log.Str(log.ProviderName, "consulcatalog"))
logger := log.FromContext(ctxLog)
@ -106,13 +128,25 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
operation := func() error {
var err error
p.client, err = createClient(p.Endpoint)
if err != nil {
return fmt.Errorf("unable to create consul client: %w", err)
// If we are running in connect aware mode then we need to
// make sure that we obtain the certificates before starting
// the service watcher, otherwise a connect enabled service
// that gets resolved before the certificates are available
// will cause an error condition.
if p.ConnectAware && !certInfo.isReady() {
logger.Infof("Waiting for Connect certificate before building first configuration")
select {
case <-routineCtx.Done():
return nil
case certInfo = <-p.certChan:
if certInfo.err != nil {
return backoff.Permanent(err)
}
}
}
// get configuration at the provider's startup.
err = p.loadConfiguration(routineCtx, configurationChan)
err = p.loadConfiguration(ctxLog, certInfo, configurationChan)
if err != nil {
return fmt.Errorf("failed to get consul catalog data: %w", err)
}
@ -123,14 +157,17 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
for {
select {
case <-ticker.C:
err = p.loadConfiguration(routineCtx, configurationChan)
if err != nil {
return fmt.Errorf("failed to refresh consul catalog data: %w", err)
}
case <-routineCtx.Done():
return nil
case <-ticker.C:
case certInfo = <-p.certChan:
if certInfo.err != nil {
return backoff.Permanent(err)
}
}
err = p.loadConfiguration(ctxLog, certInfo, configurationChan)
if err != nil {
return fmt.Errorf("failed to refresh consul catalog data: %w", err)
}
}
}
@ -148,7 +185,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
return nil
}
func (p *Provider) loadConfiguration(ctx context.Context, configurationChan chan<- dynamic.Message) error {
func (p *Provider) loadConfiguration(ctx context.Context, certInfo *connectCert, configurationChan chan<- dynamic.Message) error {
data, err := p.getConsulServicesData(ctx)
if err != nil {
return err
@ -156,21 +193,53 @@ func (p *Provider) loadConfiguration(ctx context.Context, configurationChan chan
configurationChan <- dynamic.Message{
ProviderName: "consulcatalog",
Configuration: p.buildConfiguration(ctx, data),
Configuration: p.buildConfiguration(ctx, data, certInfo),
}
return nil
}
func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error) {
consulServiceNames, err := p.fetchServices(ctx)
// The query option "Filter" is not supported by /catalog/services.
// https://www.consul.io/api/catalog.html#list-services
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
serviceNames, _, err := p.client.Catalog().Services(opts)
if err != nil {
return nil, err
}
var data []itemData
for _, name := range consulServiceNames {
consulServices, statuses, err := p.fetchService(ctx, name)
for name, tags := range serviceNames {
logger := log.FromContext(log.With(ctx, log.Str("serviceName", name)))
svcCfg, err := p.getConfiguration(tagsToNeutralLabels(tags, p.Prefix))
if err != nil {
logger.Errorf("Skip service: %v", err)
continue
}
if !svcCfg.Enable {
logger.Debug("Filtering disabled item")
continue
}
matches, err := constraints.MatchTags(tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraint expressions: %v", err)
continue
}
if !matches {
logger.Debugf("Container pruned by constraint expressions: %q", p.Constraints)
continue
}
if !p.ConnectAware && svcCfg.ConsulCatalog.Connect {
logger.Debugf("Filtering out Connect aware item, Connect support is not enabled")
continue
}
consulServices, statuses, err := p.fetchService(ctx, name, svcCfg.ConsulCatalog.Connect)
if err != nil {
return nil, err
}
@ -181,23 +250,30 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
address = consulService.Address
}
namespace := consulService.Namespace
if namespace == "" {
namespace = "default"
}
status, exists := statuses[consulService.ID+consulService.ServiceID]
if !exists {
status = api.HealthAny
}
item := itemData{
ID: consulService.ServiceID,
Node: consulService.Node,
Name: consulService.ServiceName,
Address: address,
Port: strconv.Itoa(consulService.ServicePort),
Labels: tagsToNeutralLabels(consulService.ServiceTags, p.Prefix),
Tags: consulService.ServiceTags,
Status: status,
ID: consulService.ServiceID,
Node: consulService.Node,
Datacenter: consulService.Datacenter,
Namespace: namespace,
Name: name,
Address: address,
Port: strconv.Itoa(consulService.ServicePort),
Labels: tagsToNeutralLabels(consulService.ServiceTags, p.Prefix),
Tags: consulService.ServiceTags,
Status: status,
}
extraConf, err := p.getConfiguration(item)
extraConf, err := p.getConfiguration(item.Labels)
if err != nil {
log.FromContext(ctx).Errorf("Skip item %s: %v", item.Name, err)
continue
@ -207,10 +283,11 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
data = append(data, item)
}
}
return data, nil
}
func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.CatalogService, map[string]string, error) {
func (p *Provider) fetchService(ctx context.Context, name string, connectEnabled bool) ([]*api.CatalogService, map[string]string, error) {
var tagFilter string
if !p.ExposedByDefault {
tagFilter = p.Prefix + ".enable=true"
@ -219,12 +296,19 @@ func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.Catalo
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
opts = opts.WithContext(ctx)
consulServices, _, err := p.client.Catalog().Service(name, tagFilter, opts)
catalogFunc := p.client.Catalog().Service
healthFunc := p.client.Health().Service
if connectEnabled {
catalogFunc = p.client.Catalog().Connect
healthFunc = p.client.Health().Connect
}
consulServices, _, err := catalogFunc(name, tagFilter, opts)
if err != nil {
return nil, nil, err
}
healthServices, _, err := p.client.Health().Service(name, tagFilter, false, opts)
healthServices, _, err := healthFunc(name, tagFilter, false, opts)
if err != nil {
return nil, nil, err
}
@ -243,55 +327,132 @@ func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.Catalo
return consulServices, statuses, err
}
func (p *Provider) fetchServices(ctx context.Context) ([]string, error) {
// The query option "Filter" is not supported by /catalog/services.
// https://www.consul.io/api/catalog.html#list-services
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
serviceNames, _, err := p.client.Catalog().Services(opts)
if err != nil {
return nil, err
func rootsWatchHandler(ctx context.Context, dest chan<- []string) func(watch.BlockingParamVal, interface{}) {
return func(_ watch.BlockingParamVal, raw interface{}) {
if raw == nil {
log.FromContext(ctx).Errorf("Root certificate watcher called with nil")
return
}
v, ok := raw.(*api.CARootList)
if !ok || v == nil {
log.FromContext(ctx).Errorf("Invalid result for root certificate watcher")
return
}
roots := make([]string, 0, len(v.Roots))
for _, root := range v.Roots {
roots = append(roots, root.RootCertPEM)
}
dest <- roots
}
// The keys are the service names, and the array values provide all known tags for a given service.
// https://www.consul.io/api/catalog.html#list-services
var filtered []string
for svcName, tags := range serviceNames {
logger := log.FromContext(log.With(ctx, log.Str("serviceName", svcName)))
if !p.ExposedByDefault && !contains(tags, p.Prefix+".enable=true") {
logger.Debug("Filtering disabled item")
continue
}
if contains(tags, p.Prefix+".enable=false") {
logger.Debug("Filtering disabled item")
continue
}
matches, err := constraints.MatchTags(tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraints expression: %v", err)
continue
}
if !matches {
logger.Debugf("Container pruned by constraint expression: %q", p.Constraints)
continue
}
filtered = append(filtered, svcName)
}
return filtered, err
}
func contains(values []string, val string) bool {
for _, value := range values {
if strings.EqualFold(value, val) {
return true
type keyPair struct {
cert string
key string
}
func leafWatcherHandler(ctx context.Context, dest chan<- keyPair) func(watch.BlockingParamVal, interface{}) {
return func(_ watch.BlockingParamVal, raw interface{}) {
if raw == nil {
log.FromContext(ctx).Errorf("Leaf certificate watcher called with nil")
return
}
v, ok := raw.(*api.LeafCert)
if !ok || v == nil {
log.FromContext(ctx).Errorf("Invalid result for leaf certificate watcher")
return
}
dest <- keyPair{
cert: v.CertPEM,
key: v.PrivateKeyPEM,
}
}
}
func (p *Provider) createConnectTLSWatchers() (*watch.Plan, *watch.Plan, error) {
leafWatcher, err := watch.Parse(map[string]interface{}{
"type": "connect_leaf",
"service": p.ServiceName,
})
if err != nil {
return nil, nil, fmt.Errorf("failed to create leaf cert watcher plan: %w", err)
}
rootWatcher, err := watch.Parse(map[string]interface{}{
"type": "connect_roots",
})
if err != nil {
return nil, nil, fmt.Errorf("failed to create root cert watcher plan: %w", err)
}
return leafWatcher, rootWatcher, nil
}
// watchConnectTLS watches for updates of the root certificate or the leaf
// certificate, and transmits them to the caller via p.certChan. Any error is also
// propagated up through p.certChan, in connectCert.err.
func (p *Provider) watchConnectTLS(ctx context.Context, leafWatcher *watch.Plan, rootWatcher *watch.Plan) {
ctxLog := log.With(ctx, log.Str(log.ProviderName, "consulcatalog"))
logger := log.FromContext(ctxLog)
leafChan := make(chan keyPair)
rootChan := make(chan []string)
leafWatcher.HybridHandler = leafWatcherHandler(ctx, leafChan)
rootWatcher.HybridHandler = rootsWatchHandler(ctx, rootChan)
logOpts := &hclog.LoggerOptions{
Name: "consulcatalog",
Level: hclog.LevelFromString(logrus.GetLevel().String()),
JSONFormat: true,
}
hclogger := hclog.New(logOpts)
go func() {
err := leafWatcher.RunWithClientAndHclog(p.client, hclogger)
if err != nil {
p.certChan <- &connectCert{err: err}
}
}()
go func() {
err := rootWatcher.RunWithClientAndHclog(p.client, hclogger)
if err != nil {
p.certChan <- &connectCert{err: err}
}
}()
var (
certInfo *connectCert
leafCerts keyPair
rootCerts []string
)
for {
select {
case <-ctx.Done():
leafWatcher.Stop()
rootWatcher.Stop()
return
case rootCerts = <-rootChan:
case leafCerts = <-leafChan:
}
newCertInfo := &connectCert{
root: rootCerts,
leaf: leafCerts,
}
if newCertInfo.isReady() && !newCertInfo.equals(certInfo) {
logger.Debugf("Updating connect certs for service %s", p.ServiceName)
certInfo = newCertInfo
p.certChan <- newCertInfo
}
}
return false
}
func createClient(cfg *EndpointConfig) (*api.Client, error) {

14
pkg/provider/consulcatalog/label.go
View file

@ -6,15 +6,21 @@ import (
// configuration Contains information from the labels that are globals (not related to the dynamic configuration) or specific to the provider.
type configuration struct {
Enable bool
Enable bool
ConsulCatalog specificConfiguration
}
func (p *Provider) getConfiguration(item itemData) (configuration, error) {
type specificConfiguration struct {
Connect bool
}
func (p *Provider) getConfiguration(labels map[string]string) (configuration, error) {
conf := configuration{
Enable: p.ExposedByDefault,
Enable: p.ExposedByDefault,
ConsulCatalog: specificConfiguration{Connect: p.ConnectByDefault},
}
err := label.Decode(item.Labels, &conf, "traefik.consulcatalog.", "traefik.enable")
err := label.Decode(labels, &conf, "traefik.consulcatalog.", "traefik.enable")
if err != nil {
return configuration{}, err
}

153
pkg/provider/docker/config_test.go
View file

@ -74,6 +74,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -128,6 +129,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -184,6 +186,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -233,6 +236,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -282,6 +286,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -336,6 +341,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -408,9 +414,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -447,9 +454,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -486,9 +494,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -542,6 +551,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -625,6 +635,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -699,6 +710,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -754,6 +766,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -811,6 +824,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -866,6 +880,7 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`foo.com`)",
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -922,6 +937,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -984,6 +1000,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1040,6 +1057,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1102,8 +1120,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1185,8 +1204,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1265,6 +1285,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1326,6 +1347,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1410,6 +1432,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1488,6 +1511,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1588,6 +1612,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1661,6 +1686,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1756,6 +1782,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1834,6 +1861,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1912,6 +1940,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1967,6 +1996,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2023,6 +2053,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2084,6 +2115,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2116,9 +2148,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2153,9 +2186,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2192,9 +2226,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2230,9 +2265,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2270,9 +2306,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2329,6 +2366,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2395,6 +2433,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2456,9 +2495,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2513,9 +2553,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2567,9 +2608,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2617,9 +2659,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2677,9 +2720,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2732,9 +2776,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2834,6 +2879,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2880,9 +2926,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2931,9 +2978,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2997,6 +3045,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},

161
pkg/provider/ecs/config_test.go
View file

@ -67,6 +67,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -116,6 +117,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -167,6 +169,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -211,6 +214,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -255,6 +259,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -304,6 +309,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -371,9 +377,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -405,9 +412,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -439,9 +447,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -490,6 +499,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -563,6 +573,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -627,6 +638,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -677,6 +689,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -729,6 +742,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -779,6 +793,7 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`foo.com`)",
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -830,6 +845,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -887,6 +903,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -938,6 +955,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -990,8 +1008,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1058,8 +1077,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1128,6 +1148,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1184,6 +1205,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1258,6 +1280,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1326,6 +1349,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1411,6 +1435,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1474,6 +1499,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1554,6 +1580,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1623,6 +1650,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1691,6 +1719,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1741,6 +1770,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1792,6 +1822,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1843,6 +1874,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1913,6 +1945,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1969,6 +2002,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1996,9 +2030,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2028,9 +2063,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2062,9 +2098,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2097,9 +2134,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2131,9 +2169,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2166,9 +2205,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2220,6 +2260,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2281,6 +2322,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2337,9 +2379,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2389,9 +2432,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2438,9 +2482,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2483,9 +2528,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2538,9 +2584,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2588,9 +2635,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2680,6 +2728,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2721,9 +2770,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2767,9 +2817,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},

84
pkg/provider/file/file.go
View file

@ -167,6 +167,90 @@ func (p *Provider) loadFileConfig(ctx context.Context, filename string, parseTem
if configuration.TLS != nil {
configuration.TLS.Certificates = flattenCertificates(ctx, configuration.TLS)
// TLS Options
if configuration.TLS.Options != nil {
for name, options := range configuration.TLS.Options {
var caCerts []tls.FileOrContent
for _, caFile := range options.ClientAuth.CAFiles {
content, err := caFile.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
caCerts = append(caCerts, tls.FileOrContent(content))
}
options.ClientAuth.CAFiles = caCerts
configuration.TLS.Options[name] = options
}
}
// TLS stores
if len(configuration.TLS.Stores) > 0 {
for name, store := range configuration.TLS.Stores {
if store.DefaultCertificate == nil {
continue
}
content, err := store.DefaultCertificate.CertFile.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
store.DefaultCertificate.CertFile = tls.FileOrContent(content)
content, err = store.DefaultCertificate.KeyFile.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
store.DefaultCertificate.KeyFile = tls.FileOrContent(content)
configuration.TLS.Stores[name] = store
}
}
}
// ServersTransport
if configuration.HTTP != nil && len(configuration.HTTP.ServersTransports) > 0 {
for name, st := range configuration.HTTP.ServersTransports {
var certificates []tls.Certificate
for _, cert := range st.Certificates {
content, err := cert.CertFile.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
cert.CertFile = tls.FileOrContent(content)
content, err = cert.KeyFile.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
cert.KeyFile = tls.FileOrContent(content)
certificates = append(certificates, cert)
}
configuration.HTTP.ServersTransports[name].Certificates = certificates
var rootCAs []tls.FileOrContent
for _, rootCA := range st.RootCAs {
content, err := rootCA.Read()
if err != nil {
log.FromContext(ctx).Error(err)
continue
}
rootCAs = append(rootCAs, tls.FileOrContent(content))
}
st.RootCAs = rootCAs
}
}
return configuration, nil

38
pkg/provider/file/file_test.go
View file

@ -25,19 +25,35 @@ type ProvideTestCase struct {
expectedNumTLSOptions int
}
func TestTLSContent(t *testing.T) {
func TestTLSCertificateContent(t *testing.T) {
tempDir := t.TempDir()
fileTLS, err := createTempFile("./fixtures/toml/tls_file.cert", tempDir)
require.NoError(t, err)
fileTLSKey, err := createTempFile("./fixtures/toml/tls_file_key.cert", tempDir)
require.NoError(t, err)
fileConfig, err := os.CreateTemp(tempDir, "temp*.toml")
require.NoError(t, err)
content := `
[[tls.certificates]]
certFile = "` + fileTLS.Name() + `"
keyFile = "` + fileTLS.Name() + `"
keyFile = "` + fileTLSKey.Name() + `"
[tls.options.default.clientAuth]
caFiles = ["` + fileTLS.Name() + `"]
[tls.stores.default.defaultCertificate]
certFile = "` + fileTLS.Name() + `"
keyFile = "` + fileTLSKey.Name() + `"
[http.serversTransports.default]
rootCAs = ["` + fileTLS.Name() + `"]
[[http.serversTransports.default.certificates]]
certFile = "` + fileTLS.Name() + `"
keyFile = "` + fileTLSKey.Name() + `"
`
_, err = fileConfig.Write([]byte(content))
@ -48,7 +64,16 @@ func TestTLSContent(t *testing.T) {
require.NoError(t, err)
require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.CertFile.String())
require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.KeyFile.String())
require.Equal(t, "CONTENTKEY", configuration.TLS.Certificates[0].Certificate.KeyFile.String())
require.Equal(t, "CONTENT", configuration.TLS.Options["default"].ClientAuth.CAFiles[0].String())
require.Equal(t, "CONTENT", configuration.TLS.Stores["default"].DefaultCertificate.CertFile.String())
require.Equal(t, "CONTENTKEY", configuration.TLS.Stores["default"].DefaultCertificate.KeyFile.String())
require.Equal(t, "CONTENT", configuration.HTTP.ServersTransports["default"].Certificates[0].CertFile.String())
require.Equal(t, "CONTENTKEY", configuration.HTTP.ServersTransports["default"].Certificates[0].KeyFile.String())
require.Equal(t, "CONTENT", configuration.HTTP.ServersTransports["default"].RootCAs[0].String())
}
func TestErrorWhenEmptyConfig(t *testing.T) {
@ -237,6 +262,13 @@ func getTestCases() []ProvideTestCase {
expectedNumRouter: 20,
expectedNumService: 20,
},
{
desc: "simple file with empty store yaml",
filePath: "./fixtures/yaml/simple_empty_store.yml",
expectedNumRouter: 0,
expectedNumService: 0,
expectedNumTLSConf: 0,
},
}
}

1
pkg/provider/file/fixtures/toml/tls_file_key.cert Normal file
View file

@ -0,0 +1 @@
CONTENTKEY

3
pkg/provider/file/fixtures/yaml/simple_empty_store.yml Normal file
View file

@ -0,0 +1,3 @@
tls:
stores:
default: {}

14
pkg/provider/kubernetes/crd/fixtures/udp/with_externalname_service.yml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- services:
- name: external.service.with.port
port: 80

38
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -41,20 +41,16 @@ const (
// Provider holds configurations of the provider.
type Provider struct {
Endpoint string `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
AllowCrossNamespace *bool `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
LabelSelector string `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
IngressClass string `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
ThrottleDuration ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
lastConfiguration safe.Safe
}
// SetDefaults sets the default values.
func (p *Provider) SetDefaults() {
p.AllowCrossNamespace = func(b bool) *bool { return &b }(true)
Endpoint string `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
AllowCrossNamespace bool `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
AllowExternalNameServices bool `description:"Allow ExternalName services." json:"allowExternalNameServices,omitempty" toml:"allowExternalNameServices,omitempty" yaml:"allowExternalNameServices,omitempty" export:"true"`
LabelSelector string `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
IngressClass string `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
ThrottleDuration ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
lastConfiguration safe.Safe
}
func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
@ -106,10 +102,14 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
return err
}
if p.AllowCrossNamespace == nil || *p.AllowCrossNamespace {
if p.AllowCrossNamespace {
logger.Warn("Cross-namespace reference between IngressRoutes and resources is enabled, please ensure that this is expected (see AllowCrossNamespace option)")
}
if p.AllowExternalNameServices {
logger.Warn("ExternalName service loading is enabled, please ensure that this is expected (see AllowExternalNameServices option)")
}
pool.GoCtx(func(ctxPool context.Context) {
operation := func() error {
eventsChan, err := k8sClient.WatchAll(p.Namespaces, ctxPool.Done())
@ -274,7 +274,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
}
}
cb := configBuilder{client, p.AllowCrossNamespace}
cb := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}
for _, service := range client.GetTraefikServices() {
err := cb.buildTraefikService(ctx, service, conf.HTTP.Services)
@ -450,7 +450,7 @@ func (p *Provider) createErrorPageMiddleware(client Client, namespace string, er
Query: errorPage.Query,
}
balancerServerHTTP, err := configBuilder{client, p.AllowCrossNamespace}.buildServersLB(namespace, errorPage.Service.LoadBalancerSpec)
balancerServerHTTP, err := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}.buildServersLB(namespace, errorPage.Service.LoadBalancerSpec)
if err != nil {
return nil, nil, err
}
@ -919,7 +919,7 @@ func throttleEvents(ctx context.Context, throttleDuration time.Duration, pool *s
return eventsChanBuffered
}
func isNamespaceAllowed(allowCrossNamespace *bool, parentNamespace, namespace string) bool {
func isNamespaceAllowed(allowCrossNamespace bool, parentNamespace, namespace string) bool {
// If allowCrossNamespace option is not defined the default behavior is to allow cross namespace references.
return allowCrossNamespace == nil || *allowCrossNamespace || parentNamespace == namespace
return allowCrossNamespace || parentNamespace == namespace
}

11
pkg/provider/kubernetes/crd/kubernetes_http.go
View file

@ -50,7 +50,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
ingressName = ingressRoute.GenerateName
}
cb := configBuilder{client, p.AllowCrossNamespace}
cb := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}
for _, route := range ingressRoute.Spec.Routes {
if route.Kind != "Rule" {
@ -173,8 +173,9 @@ func (p *Provider) makeMiddlewareKeys(ctx context.Context, ingRouteNamespace str
}
type configBuilder struct {
client Client
allowCrossNamespace *bool
client Client
allowCrossNamespace bool
allowExternalNameServices bool
}
// buildTraefikService creates the configuration for the traefik service defined in tService,
@ -323,6 +324,10 @@ func (c configBuilder) loadServers(parentNamespace string, svc v1alpha1.LoadBala
var servers []dynamic.Server
if service.Spec.Type == corev1.ServiceTypeExternalName {
if !c.allowExternalNameServices {
return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, sanitizedName)
}
protocol, err := parseServiceProtocol(svc.Scheme, svcPort.Name, svcPort.Port)
if err != nil {
return nil, err

8
pkg/provider/kubernetes/crd/kubernetes_tcp.go
View file

@ -172,7 +172,7 @@ func (p *Provider) createLoadBalancerServerTCP(client Client, parentNamespace st
ns = service.Namespace
}
servers, err := loadTCPServers(client, ns, service)
servers, err := p.loadTCPServers(client, ns, service)
if err != nil {
return nil, err
}
@ -199,7 +199,7 @@ func (p *Provider) createLoadBalancerServerTCP(client Client, parentNamespace st
return tcpService, nil
}
func loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([]dynamic.TCPServer, error) {
func (p *Provider) loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([]dynamic.TCPServer, error) {
service, exists, err := client.GetService(namespace, svc.Name)
if err != nil {
return nil, err
@ -209,6 +209,10 @@ func loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([
return nil, errors.New("service not found")
}
if service.Spec.Type == corev1.ServiceTypeExternalName && !p.AllowExternalNameServices {
return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, svc.Name)
}
svcPort, err := getServicePort(service, svc.Port)
if err != nil {
return nil, err

482
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

File diff suppressed because it is too large Load diff

8
pkg/provider/kubernetes/crd/kubernetes_udp.go
View file

@ -87,7 +87,7 @@ func (p *Provider) createLoadBalancerServerUDP(client Client, parentNamespace st
ns = service.Namespace
}
servers, err := loadUDPServers(client, ns, service)
servers, err := p.loadUDPServers(client, ns, service)
if err != nil {
return nil, err
}
@ -101,7 +101,7 @@ func (p *Provider) createLoadBalancerServerUDP(client Client, parentNamespace st
return udpService, nil
}
func loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([]dynamic.UDPServer, error) {
func (p *Provider) loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([]dynamic.UDPServer, error) {
service, exists, err := client.GetService(namespace, svc.Name)
if err != nil {
return nil, err
@ -111,6 +111,10 @@ func loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([
return nil, errors.New("service not found")
}
if service.Spec.Type == corev1.ServiceTypeExternalName && !p.AllowExternalNameServices {
return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, svc.Name)
}
svcPort, err := getServicePort(service, svc.Port)
if err != nil {
return nil, err

2
pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go
View file

@ -35,6 +35,8 @@ type ServersTransportSpec struct {
ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"`
// Disable HTTP/2 for connections with backend servers.
DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
// URI used to match against SAN URI during the peer certificate verification.
PeerCertURI string `json:"peerCertURI,omitempty"`
}
// +k8s:deepcopy-gen=true

84
pkg/provider/kubernetes/gateway/kubernetes.go
View file

@ -25,6 +25,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/utils/pointer"
"sigs.k8s.io/gateway-api/apis/v1alpha1"
)
@ -62,7 +63,9 @@ func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
if err != nil {
return nil, fmt.Errorf("invalid label selector: %q", p.LabelSelector)
}
log.FromContext(ctx).Infof("label selector is: %q", p.LabelSelector)
logger := log.FromContext(ctx)
logger.Infof("label selector is: %q", p.LabelSelector)
withEndpoint := ""
if p.Endpoint != "" {
@ -72,19 +75,20 @@ func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
var client *clientWrapper
switch {
case os.Getenv("KUBERNETES_SERVICE_HOST") != "" && os.Getenv("KUBERNETES_SERVICE_PORT") != "":
log.FromContext(ctx).Infof("Creating in-cluster Provider client%s", withEndpoint)
logger.Infof("Creating in-cluster Provider client%s", withEndpoint)
client, err = newInClusterClient(p.Endpoint)
case os.Getenv("KUBECONFIG") != "":
log.FromContext(ctx).Infof("Creating cluster-external Provider client from KUBECONFIG %s", os.Getenv("KUBECONFIG"))
logger.Infof("Creating cluster-external Provider client from KUBECONFIG %s", os.Getenv("KUBECONFIG"))
client, err = newExternalClusterClientFromFile(os.Getenv("KUBECONFIG"))
default:
log.FromContext(ctx).Infof("Creating cluster-external Provider client%s", withEndpoint)
logger.Infof("Creating cluster-external Provider client%s", withEndpoint)
client, err = newExternalClusterClient(p.Endpoint, p.Token, p.CertAuthFilePath)
}
if err != nil {
return nil, err
}
client.labelSelector = p.LabelSelector
return client, nil
@ -394,7 +398,7 @@ func (p *Provider) fillGatewayConf(ctx context.Context, client Client, gateway *
// TLS
if listener.Protocol == v1alpha1.HTTPSProtocolType || listener.Protocol == v1alpha1.TLSProtocolType {
if listener.TLS == nil || (listener.TLS.CertificateRef == nil && listener.TLS.Mode != v1alpha1.TLSModePassthrough) {
if listener.TLS == nil || (listener.TLS.CertificateRef == nil && listener.TLS.Mode != nil && *listener.TLS.Mode != v1alpha1.TLSModePassthrough) {
// update "Detached" status with "UnsupportedProtocol" reason
listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
Type: string(v1alpha1.ListenerConditionDetached),
@ -407,12 +411,17 @@ func (p *Provider) fillGatewayConf(ctx context.Context, client Client, gateway *
continue
}
if listener.TLS.Mode == v1alpha1.TLSModePassthrough && listener.TLS.CertificateRef != nil {
var tlsModeType v1alpha1.TLSModeType
if listener.TLS.Mode != nil {
tlsModeType = *listener.TLS.Mode
}
if tlsModeType == v1alpha1.TLSModePassthrough && listener.TLS.CertificateRef != nil {
// https://gateway-api.sigs.k8s.io/guides/tls/
logger.Warnf("In case of Passthrough TLS mode, no TLS settings take effect as the TLS session from the client is NOT terminated at the Gateway")
}
isTLSPassthrough := listener.TLS.Mode == v1alpha1.TLSModePassthrough
isTLSPassthrough := tlsModeType == v1alpha1.TLSModePassthrough
// Allowed configurations:
// Protocol TLS -> Passthrough -> TLSRoute
@ -428,7 +437,7 @@ func (p *Provider) fillGatewayConf(ctx context.Context, client Client, gateway *
LastTransitionTime: metav1.Now(),
Reason: string(v1alpha1.ListenerReasonUnsupportedProtocol),
Message: fmt.Sprintf("Unsupported route kind %q with %q",
listener.Routes.Kind, listener.TLS.Mode),
listener.Routes.Kind, tlsModeType),
})
continue
@ -484,7 +493,11 @@ func (p *Provider) fillGatewayConf(ctx context.Context, client Client, gateway *
func gatewayHTTPRouteToHTTPConf(ctx context.Context, ep string, listener v1alpha1.Listener, gateway *v1alpha1.Gateway, client Client, conf *dynamic.Configuration) []metav1.Condition {
// TODO: support RouteNamespaces
selector := labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
selector := labels.Everything()
if listener.Routes.Selector != nil {
selector = labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
}
httpRoutes, err := client.GetHTTPRoutes(gateway.Namespace, selector)
if err != nil {
// update "ResolvedRefs" status true with "InvalidRoutesRef" reason
@ -599,7 +612,11 @@ func gatewayHTTPRouteToHTTPConf(ctx context.Context, ep string, listener v1alpha
func gatewayTCPRouteToTCPConf(ctx context.Context, ep string, listener v1alpha1.Listener, gateway *v1alpha1.Gateway, client Client, conf *dynamic.Configuration) []metav1.Condition {
// TODO: support RouteNamespaces
selector := labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
selector := labels.Everything()
if listener.Routes.Selector != nil {
selector = labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
}
tcpRoutes, err := client.GetTCPRoutes(gateway.Namespace, selector)
if err != nil {
// update "ResolvedRefs" status true with "InvalidRoutesRef" reason
@ -698,7 +715,11 @@ func gatewayTCPRouteToTCPConf(ctx context.Context, ep string, listener v1alpha1.
func gatewayTLSRouteToTCPConf(ctx context.Context, ep string, listener v1alpha1.Listener, gateway *v1alpha1.Gateway, client Client, conf *dynamic.Configuration) []metav1.Condition {
// TODO: support RouteNamespaces
selector := labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
selector := labels.Everything()
if listener.Routes.Selector != nil {
selector = labels.SelectorFromSet(listener.Routes.Selector.MatchLabels)
}
tlsRoutes, err := client.GetTLSRoutes(gateway.Namespace, selector)
if err != nil {
// update "ResolvedRefs" status true with "InvalidRoutesRef" reason
@ -736,13 +757,10 @@ func gatewayTLSRouteToTCPConf(ctx context.Context, ep string, listener v1alpha1.
router := dynamic.TCPRouter{
Rule: rule,
EntryPoints: []string{ep},
}
if listener.TLS != nil {
// TODO support let's encrypt
router.TLS = &dynamic.RouterTCPTLSConfig{
Passthrough: listener.TLS.Mode == v1alpha1.TLSModePassthrough,
}
// The TLS Passthrough is the only TLS mode supported by a Gateway TLSRoute.
TLS: &dynamic.RouterTCPTLSConfig{
Passthrough: true,
},
}
// Adding the gateway name and the entryPoint name prevents overlapping of routers build from the same routes.
@ -945,37 +963,39 @@ func extractRule(routeRule v1alpha1.HTTPRouteRule, hostRule string) (string, err
var matchesRules []string
for _, match := range routeRule.Matches {
if len(match.Path.Type) == 0 && match.Headers == nil {
if (match.Path == nil || match.Path.Type == nil) && match.Headers == nil {
continue
}
var matchRules []string
// TODO handle other path types
if len(match.Path.Type) > 0 {
switch match.Path.Type {
if match.Path != nil && match.Path.Type != nil && match.Path.Value != nil {
val := pointer.StringDeref(match.Path.Value, "")
switch *match.Path.Type {
case v1alpha1.PathMatchExact:
matchRules = append(matchRules, "Path(`"+match.Path.Value+"`)")
matchRules = append(matchRules, fmt.Sprintf("Path(`%s`)", val))
case v1alpha1.PathMatchPrefix:
matchRules = append(matchRules, "PathPrefix(`"+match.Path.Value+"`)")
matchRules = append(matchRules, fmt.Sprintf("PathPrefix(`%s`)", val))
default:
return "", fmt.Errorf("unsupported path match %s", match.Path.Type)
return "", fmt.Errorf("unsupported path match %s", *match.Path.Type)
}
}
// TODO handle other headers types
if match.Headers != nil {
switch match.Headers.Type {
if match.Headers != nil && match.Headers.Type != nil {
switch *match.Headers.Type {
case v1alpha1.HeaderMatchExact:
var headerRules []string
for headerName, headerValue := range match.Headers.Values {
headerRules = append(headerRules, "Headers(`"+headerName+"`,`"+headerValue+"`)")
headerRules = append(headerRules, fmt.Sprintf("Headers(`%s`,`%s`)", headerName, headerValue))
}
// to have a consistent order
sort.Strings(headerRules)
matchRules = append(matchRules, headerRules...)
default:
return "", fmt.Errorf("unsupported header match type %s", match.Headers.Type)
return "", fmt.Errorf("unsupported header match type %s", *match.Headers.Type)
}
}
@ -1128,7 +1148,7 @@ func loadServices(client Client, namespace string, targets []v1alpha1.HTTPRouteF
}
for _, forwardTo := range targets {
weight := int(forwardTo.Weight)
weight := int(pointer.Int32Deref(forwardTo.Weight, 1))
if forwardTo.ServiceName == nil && forwardTo.BackendRef != nil {
if !(forwardTo.BackendRef.Group == traefikServiceGroupName && forwardTo.BackendRef.Kind == traefikServiceKind) {
@ -1149,7 +1169,7 @@ func loadServices(client Client, namespace string, targets []v1alpha1.HTTPRouteF
svc := dynamic.Service{
LoadBalancer: &dynamic.ServersLoadBalancer{
PassHostHeader: func(v bool) *bool { return &v }(true),
PassHostHeader: pointer.Bool(true),
},
}
@ -1189,7 +1209,7 @@ func loadServices(client Client, namespace string, targets []v1alpha1.HTTPRouteF
return nil, nil, errors.New("service port not found")
}
endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, *forwardTo.ServiceName)
endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, pointer.StringDeref(forwardTo.ServiceName, ""))
if endpointsErr != nil {
return nil, nil, endpointsErr
}
@ -1250,7 +1270,7 @@ func loadTCPServices(client Client, namespace string, targets []v1alpha1.RouteFo
}
for _, forwardTo := range targets {
weight := int(forwardTo.Weight)
weight := int(pointer.Int32Deref(forwardTo.Weight, 1))
if forwardTo.ServiceName == nil && forwardTo.BackendRef != nil {
if !(forwardTo.BackendRef.Group == traefikServiceGroupName && forwardTo.BackendRef.Kind == traefikServiceKind) {

537
pkg/provider/kubernetes/gateway/kubernetes_test.go
View file

File diff suppressed because it is too large Load diff

54
pkg/provider/kubernetes/ingress/client.go
View file

@ -46,7 +46,7 @@ type Client interface {
GetSecret(namespace, name string) (*corev1.Secret, bool, error)
GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error)
UpdateIngressStatus(ing *networkingv1.Ingress, ingStatus []corev1.LoadBalancerIngress) error
GetServerVersion() (*version.Version, error)
GetServerVersion() *version.Version
}
type clientWrapper struct {
@ -58,6 +58,7 @@ type clientWrapper struct {
ingressLabelSelector string
isNamespaceAll bool
watchedNamespaces []string
serverVersion *version.Version
}
// newInClusterClient returns a new Provider client that is expected to run
@ -135,6 +136,19 @@ func newClientImpl(clientset kubernetes.Interface) *clientWrapper {
// WatchAll starts namespace-specific controllers for all relevant kinds.
func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error) {
// Get and store the serverVersion for future use.
serverVersionInfo, err := c.clientset.Discovery().ServerVersion()
if err != nil {
return nil, fmt.Errorf("could not retrieve server version: %w", err)
}
serverVersion, err := version.NewVersion(serverVersionInfo.GitVersion)
if err != nil {
return nil, fmt.Errorf("could not parse server version: %w", err)
}
c.serverVersion = serverVersion
eventCh := make(chan interface{}, 1)
eventHandler := &k8s.ResourceEventHandler{Ev: eventCh}
@ -153,11 +167,6 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
opts.LabelSelector = c.ingressLabelSelector
}
serverVersion, err := c.GetServerVersion()
if err != nil {
return nil, fmt.Errorf("failed to get server version: %w", err)
}
for _, ns := range namespaces {
factoryIngress := informers.NewSharedInformerFactoryWithOptions(c.clientset, resyncPeriod, informers.WithNamespace(ns), informers.WithTweakListOptions(matchesLabelSelector))
@ -230,13 +239,7 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
func (c *clientWrapper) GetIngresses() []*networkingv1.Ingress {
var results []*networkingv1.Ingress
serverVersion, err := c.GetServerVersion()
if err != nil {
log.Errorf("Failed to get server version: %v", err)
return results
}
isNetworkingV1Supported := supportsNetworkingV1Ingress(serverVersion)
isNetworkingV1Supported := supportsNetworkingV1Ingress(c.serverVersion)
for ns, factory := range c.factoriesIngress {
if isNetworkingV1Supported {
@ -354,13 +357,7 @@ func (c *clientWrapper) UpdateIngressStatus(src *networkingv1.Ingress, ingStatus
return fmt.Errorf("failed to get ingress %s/%s: namespace is not within watched namespaces", src.Namespace, src.Name)
}
serverVersion, err := c.GetServerVersion()
if err != nil {
log.WithoutContext().Errorf("Failed to get server version: %v", err)
return err
}
if !supportsNetworkingV1Ingress(serverVersion) {
if !supportsNetworkingV1Ingress(c.serverVersion) {
return c.updateIngressStatusOld(src, ingStatus)
}
@ -472,18 +469,12 @@ func (c *clientWrapper) GetSecret(namespace, name string) (*corev1.Secret, bool,
}
func (c *clientWrapper) GetIngressClasses() ([]*networkingv1.IngressClass, error) {
serverVersion, err := c.GetServerVersion()
if err != nil {
log.WithoutContext().Errorf("Failed to get server version: %v", err)
return nil, err
}
if c.clusterFactory == nil {
return nil, errors.New("cluster factory not loaded")
}
var ics []*networkingv1.IngressClass
if !supportsNetworkingV1Ingress(serverVersion) {
if !supportsNetworkingV1Ingress(c.serverVersion) {
ingressClasses, err := c.clusterFactory.Networking().V1beta1().IngressClasses().Lister().List(labels.Everything())
if err != nil {
return nil, err
@ -531,13 +522,8 @@ func (c *clientWrapper) lookupNamespace(ns string) string {
}
// GetServerVersion returns the cluster server version, or an error.
func (c *clientWrapper) GetServerVersion() (*version.Version, error) {
serverVersion, err := c.clientset.Discovery().ServerVersion()
if err != nil {
return nil, fmt.Errorf("could not retrieve server version: %w", err)
}
return version.NewVersion(serverVersion.GitVersion)
func (c *clientWrapper) GetServerVersion() *version.Version {
return c.serverVersion
}
// translateNotFoundError will translate a "not found" error to a boolean return

4
pkg/provider/kubernetes/ingress/client_mock_test.go
View file

@ -80,8 +80,8 @@ func (c clientMock) GetIngresses() []*networkingv1.Ingress {
return c.ingresses
}
func (c clientMock) GetServerVersion() (*version.Version, error) {
return c.serverVersion, nil
func (c clientMock) GetServerVersion() *version.Version {
return c.serverVersion
}
func (c clientMock) GetService(namespace, name string) (*corev1.Service, bool, error) {

14
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-IPv6-endpoints-externalname-enabled_ingress.yml Normal file
View file

@ -0,0 +1,14 @@
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: example.com
namespace: testing
spec:
rules:
- http:
paths:
- path: /foo
backend:
serviceName: service-foo
servicePort: 8080

13
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-IPv6-endpoints-externalname-enabled_service.yml Normal file
View file

@ -0,0 +1,13 @@
---
kind: Service
apiVersion: v1
metadata:
name: service-foo
namespace: testing
spec:
ports:
- name: http
port: 8080
type: ExternalName
externalName: "2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b"

15
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-service-with-externalName-enabled_ingress.yml Normal file
View file

@ -0,0 +1,15 @@
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: ""
namespace: testing
spec:
rules:
- host: traefik.tchouk
http:
paths:
- path: /bar
backend:
serviceName: service1
servicePort: 8080

13
pkg/provider/kubernetes/ingress/fixtures/Ingress-with-service-with-externalName-enabled_service.yml Normal file
View file

@ -0,0 +1,13 @@
kind: Service
apiVersion: v1
metadata:
name: service1
namespace: testing
spec:
ports:
- port: 8080
clusterIP: 10.0.0.1
type: ExternalName
externalName: traefik.wtf

41
pkg/provider/kubernetes/ingress/kubernetes.go
View file

@ -36,16 +36,17 @@ const (
// Provider holds configurations of the provider.
type Provider struct {
Endpoint string `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
LabelSelector string `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
IngressClass string `description:"Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
IngressEndpoint *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
ThrottleDuration ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
AllowEmptyServices bool `description:"Allow creation of services without endpoints." json:"allowEmptyServices,omitempty" toml:"allowEmptyServices,omitempty" yaml:"allowEmptyServices,omitempty" export:"true"`
lastConfiguration safe.Safe
Endpoint string `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
LabelSelector string `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
IngressClass string `description:"Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
IngressEndpoint *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
ThrottleDuration ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
AllowEmptyServices bool `description:"Allow creation of services without endpoints." json:"allowEmptyServices,omitempty" toml:"allowEmptyServices,omitempty" yaml:"allowEmptyServices,omitempty" export:"true"`
AllowExternalNameServices bool `description:"Allow ExternalName services." json:"allowExternalNameServices,omitempty" toml:"allowExternalNameServices,omitempty" yaml:"allowExternalNameServices,omitempty" export:"true"`
lastConfiguration safe.Safe
}
// EndpointIngress holds the endpoint information for the Kubernetes provider.
@ -107,6 +108,10 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
return err
}
if p.AllowExternalNameServices {
logger.Warn("ExternalName service loading is enabled, please ensure that this is expected (see AllowExternalNameServices option)")
}
pool.GoCtx(func(ctxPool context.Context) {
operation := func() error {
eventsChan, err := k8sClient.WatchAll(p.Namespaces, ctxPool.Done())
@ -184,11 +189,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
TCP: &dynamic.TCPConfiguration{},
}
serverVersion, err := client.GetServerVersion()
if err != nil {
log.FromContext(ctx).Errorf("Failed to get server version: %v", err)
return conf
}
serverVersion := client.GetServerVersion()
var ingressClasses []*networkingv1.IngressClass
@ -232,7 +233,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
continue
}
service, err := loadService(client, ingress.Namespace, *ingress.Spec.DefaultBackend)
service, err := p.loadService(client, ingress.Namespace, *ingress.Spec.DefaultBackend)
if err != nil {
log.FromContext(ctx).
WithField("serviceName", ingress.Spec.DefaultBackend.Service.Name).
@ -277,7 +278,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
}
for _, pa := range rule.HTTP.Paths {
service, err := loadService(client, ingress.Namespace, pa.Backend)
service, err := p.loadService(client, ingress.Namespace, pa.Backend)
if err != nil {
log.FromContext(ctx).
WithField("serviceName", pa.Backend.Service.Name).
@ -486,7 +487,7 @@ func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores
return configs
}
func loadService(client Client, namespace string, backend networkingv1.IngressBackend) (*dynamic.Service, error) {
func (p *Provider) loadService(client Client, namespace string, backend networkingv1.IngressBackend) (*dynamic.Service, error) {
service, exists, err := client.GetService(namespace, backend.Service.Name)
if err != nil {
return nil, err
@ -496,6 +497,10 @@ func loadService(client Client, namespace string, backend networkingv1.IngressBa
return nil, errors.New("service not found")
}
if !p.AllowExternalNameServices && service.Spec.Type == corev1.ServiceTypeExternalName {
return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, backend.Service.Name)
}
var portName string
var portSpec corev1.ServicePort
var match bool

217
pkg/provider/kubernetes/ingress/kubernetes_test.go
View file

@ -746,33 +746,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
{
desc: "Ingress with service with externalName",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"testing-traefik-tchouk-bar": {
Rule: "Host(`traefik.tchouk`) && PathPrefix(`/bar`)",
Service: "testing-service1-8080",
},
},
Services: map[string]*dynamic.Service{
"testing-service1-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
PassHostHeader: Bool(true),
Servers: []dynamic.Server{
{
URL: "http://traefik.wtf:8080",
},
},
},
},
},
},
},
},
{
desc: "Ingress with port invalid for one service",
expected: &dynamic.Configuration{
@ -800,47 +773,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
{
desc: "Ingress with IPv6 endpoints",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"example-com-testing-bar": {
Rule: "PathPrefix(`/bar`)",
Service: "testing-service-bar-8080",
},
"example-com-testing-foo": {
Rule: "PathPrefix(`/foo`)",
Service: "testing-service-foo-8080",
},
},
Services: map[string]*dynamic.Service{
"testing-service-bar-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b]:8080",
},
},
PassHostHeader: Bool(true),
},
},
"testing-service-foo-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b]:8080",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{
desc: "TLS support",
expected: &dynamic.Configuration{
@ -1702,7 +1634,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
}
clientMock := newClientMock(serverVersion, paths...)
p := Provider{IngressClass: test.ingressClass, AllowEmptyServices: test.allowEmptyServices}
conf := p.loadConfigurationFromIngresses(context.Background(), clientMock)
@ -1711,6 +1642,154 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
}
}
func TestLoadConfigurationFromIngressesWithExternalNameServices(t *testing.T) {
testCases := []struct {
desc string
ingressClass string
serverVersion string
allowExternalNameServices bool
expected *dynamic.Configuration
}{
{
desc: "Ingress with service with externalName",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{},
Services: map[string]*dynamic.Service{},
},
},
},
{
desc: "Ingress with service with externalName enabled",
allowExternalNameServices: true,
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"testing-traefik-tchouk-bar": {
Rule: "Host(`traefik.tchouk`) && PathPrefix(`/bar`)",
Service: "testing-service1-8080",
},
},
Services: map[string]*dynamic.Service{
"testing-service1-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
PassHostHeader: Bool(true),
Servers: []dynamic.Server{
{
URL: "http://traefik.wtf:8080",
},
},
},
},
},
},
},
},
{
desc: "Ingress with IPv6 endpoints",
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"example-com-testing-bar": {
Rule: "PathPrefix(`/bar`)",
Service: "testing-service-bar-8080",
},
},
Services: map[string]*dynamic.Service{
"testing-service-bar-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b]:8080",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{
desc: "Ingress with IPv6 endpoints externalname enabled",
allowExternalNameServices: true,
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{},
HTTP: &dynamic.HTTPConfiguration{
Middlewares: map[string]*dynamic.Middleware{},
Routers: map[string]*dynamic.Router{
"example-com-testing-foo": {
Rule: "PathPrefix(`/foo`)",
Service: "testing-service-foo-8080",
},
},
Services: map[string]*dynamic.Service{
"testing-service-foo-8080": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b]:8080",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
var paths []string
_, err := os.Stat(generateTestFilename("_ingress", test.desc))
if err == nil {
paths = append(paths, generateTestFilename("_ingress", test.desc))
}
_, err = os.Stat(generateTestFilename("_endpoint", test.desc))
if err == nil {
paths = append(paths, generateTestFilename("_endpoint", test.desc))
}
_, err = os.Stat(generateTestFilename("_service", test.desc))
if err == nil {
paths = append(paths, generateTestFilename("_service", test.desc))
}
_, err = os.Stat(generateTestFilename("_secret", test.desc))
if err == nil {
paths = append(paths, generateTestFilename("_secret", test.desc))
}
_, err = os.Stat(generateTestFilename("_ingressclass", test.desc))
if err == nil {
paths = append(paths, generateTestFilename("_ingressclass", test.desc))
}
serverVersion := test.serverVersion
if serverVersion == "" {
serverVersion = "v1.17"
}
clientMock := newClientMock(serverVersion, paths...)
p := Provider{IngressClass: test.ingressClass}
p.AllowExternalNameServices = test.allowExternalNameServices
conf := p.loadConfigurationFromIngresses(context.Background(), clientMock)
assert.Equal(t, test.expected, conf)
})
}
}
func generateTestFilename(suffix, desc string) string {
return "./fixtures/" + strings.ReplaceAll(desc, " ", "-") + suffix + ".yml"
}

128
pkg/provider/marathon/config_test.go
View file

@ -73,6 +73,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -95,9 +96,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -137,6 +139,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -188,6 +191,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -237,9 +241,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -292,6 +297,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -352,6 +358,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -407,6 +414,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -451,6 +459,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -491,6 +500,7 @@ func TestBuildConfiguration(t *testing.T) {
PassHostHeader: Bool(true),
}},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -535,6 +545,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -577,6 +588,7 @@ func TestBuildConfiguration(t *testing.T) {
Rule: "Host(`foo.com`)",
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -620,6 +632,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -669,6 +682,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -708,8 +722,9 @@ func TestBuildConfiguration(t *testing.T) {
Rule: "Host(`app2.marathon.localhost`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -778,6 +793,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -840,6 +856,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -893,6 +910,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -943,6 +961,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -996,6 +1015,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1038,6 +1058,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1081,6 +1102,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1129,6 +1151,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1151,9 +1174,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1177,9 +1201,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1203,9 +1228,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1229,9 +1255,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1256,9 +1283,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1283,9 +1311,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1329,6 +1358,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1372,6 +1402,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1414,6 +1445,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1455,9 +1487,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1496,9 +1529,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1533,9 +1567,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1578,9 +1613,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1620,9 +1656,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1666,9 +1703,10 @@ func TestBuildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1731,6 +1769,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1790,6 +1829,7 @@ func TestBuildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},

94
pkg/provider/rancher/config_test.go
View file

@ -61,6 +61,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -128,6 +129,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -198,6 +200,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -247,6 +250,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -272,9 +276,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -300,9 +305,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -350,6 +356,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -379,9 +386,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -430,6 +438,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -488,6 +497,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -541,9 +551,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -591,6 +602,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -637,9 +649,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -683,9 +696,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -725,9 +739,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -773,9 +788,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -820,9 +836,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -896,6 +913,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -966,6 +984,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1005,9 +1024,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1046,9 +1066,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1089,9 +1110,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},

6
pkg/rules/rules.go
View file

@ -116,7 +116,11 @@ func host(route *mux.Route, hosts ...string) error {
route.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool {
reqHost := requestdecorator.GetCanonizedHost(req.Context())
if len(reqHost) == 0 {
log.FromContext(req.Context()).Warnf("Could not retrieve CanonizedHost, rejecting %s", req.Host)
// If the request is an HTTP/1.0 request, then a Host may not be defined.
if req.ProtoAtLeast(1, 1) {
log.FromContext(req.Context()).Warnf("Could not retrieve CanonizedHost, rejecting %s", req.Host)
}
return false
}

18
pkg/server/configurationwatcher.go
View file

@ -12,6 +12,7 @@ import (
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/provider"
"github.com/traefik/traefik/v2/pkg/safe"
"github.com/traefik/traefik/v2/pkg/tls"
)
// ConfigurationWatcher watches configuration changes.
@ -164,6 +165,16 @@ func (c *ConfigurationWatcher) preLoadConfiguration(configMsg dynamic.Message) {
if copyConf.TLS != nil {
copyConf.TLS.Certificates = nil
if copyConf.TLS.Options != nil {
cleanedOptions := make(map[string]tls.Options, len(copyConf.TLS.Options))
for name, option := range copyConf.TLS.Options {
option.ClientAuth.CAFiles = []tls.FileOrContent{}
cleanedOptions[name] = option
}
copyConf.TLS.Options = cleanedOptions
}
for k := range copyConf.TLS.Stores {
st := copyConf.TLS.Stores[k]
st.DefaultCertificate = nil
@ -171,6 +182,13 @@ func (c *ConfigurationWatcher) preLoadConfiguration(configMsg dynamic.Message) {
}
}
if copyConf.HTTP != nil {
for _, transport := range copyConf.HTTP.ServersTransports {
transport.Certificates = tls.Certificates{}
transport.RootCAs = []tls.FileOrContent{}
}
}
jsonConf, err := json.Marshal(copyConf)
if err != nil {
logger.Errorf("Could not marshal dynamic configuration: %v", err)

8
pkg/server/service/roundtripper.go
View file

@ -132,13 +132,19 @@ func createRoundTripper(cfg *dynamic.ServersTransport) (http.RoundTripper, error
transport.IdleConnTimeout = time.Duration(cfg.ForwardingTimeouts.IdleConnTimeout)
}
if cfg.InsecureSkipVerify || len(cfg.RootCAs) > 0 || len(cfg.ServerName) > 0 || len(cfg.Certificates) > 0 {
if cfg.InsecureSkipVerify || len(cfg.RootCAs) > 0 || len(cfg.ServerName) > 0 || len(cfg.Certificates) > 0 || cfg.PeerCertURI != "" {
transport.TLSClientConfig = &tls.Config{
ServerName: cfg.ServerName,
InsecureSkipVerify: cfg.InsecureSkipVerify,
RootCAs: createRootCACertPool(cfg.RootCAs),
Certificates: cfg.Certificates.GetCertificates(),
}
if cfg.PeerCertURI != "" {
transport.TLSClientConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
return traefiktls.VerifyPeerCertificate(cfg.PeerCertURI, transport.TLSClientConfig, rawCerts)
}
}
}
// Return directly HTTP/1.1 transport when HTTP/2 is disabled

85
pkg/tls/certificate.go
View file

@ -3,7 +3,9 @@ package tls
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net/url"
"os"
"sort"
"strings"
@ -273,3 +275,86 @@ func (c *Certificates) Set(value string) error {
func (c *Certificates) Type() string {
return "certificates"
}
// VerifyPeerCertificate verifies the chain certificates and their URI.
func VerifyPeerCertificate(uri string, cfg *tls.Config, rawCerts [][]byte) error {
// TODO: Refactor to avoid useless verifyChain (ex: when insecureskipverify is false)
cert, err := verifyChain(cfg.RootCAs, rawCerts)
if err != nil {
return err
}
if len(uri) > 0 {
return verifyServerCertMatchesURI(uri, cert)
}
return nil
}
// verifyServerCertMatchesURI is used on tls connections dialed to a server
// to ensure that the certificate it presented has the correct URI.
func verifyServerCertMatchesURI(uri string, cert *x509.Certificate) error {
if cert == nil {
return errors.New("peer certificate mismatch: no peer certificate presented")
}
// Our certs will only ever have a single URI for now so only check that
if len(cert.URIs) < 1 {
return errors.New("peer certificate mismatch: peer certificate invalid")
}
gotURI := cert.URIs[0]
// Override the hostname since we rely on x509 constraints to limit ability to spoof the trust domain if needed
// (i.e. because a root is shared with other PKI or Consul clusters).
// This allows for seamless migrations between trust domains.
expectURI := &url.URL{}
id, err := url.Parse(uri)
if err != nil {
return fmt.Errorf("%q is not a valid URI", uri)
}
*expectURI = *id
expectURI.Host = gotURI.Host
if strings.EqualFold(gotURI.String(), expectURI.String()) {
return nil
}
return fmt.Errorf("peer certificate mismatch got %s, want %s", gotURI, uri)
}
// verifyChain performs standard TLS verification without enforcing remote hostname matching.
func verifyChain(rootCAs *x509.CertPool, rawCerts [][]byte) (*x509.Certificate, error) {
// Fetch leaf and intermediates. This is based on code form tls handshake.
if len(rawCerts) < 1 {
return nil, errors.New("tls: no certificates from peer")
}
certs := make([]*x509.Certificate, len(rawCerts))
for i, asn1Data := range rawCerts {
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
return nil, fmt.Errorf("tls: failed to parse certificate from peer: %w", err)
}
certs[i] = cert
}
opts := x509.VerifyOptions{
Roots: rootCAs,
Intermediates: x509.NewCertPool(),
}
// All but the first cert are intermediates
for _, cert := range certs[1:] {
opts.Intermediates.AddCert(cert)
}
_, err := certs[0].Verify(opts)
if err != nil {
return nil, err
}
return certs[0], nil
}

6
script/gcg/traefik-bugfix.toml
View file

@ -4,11 +4,11 @@ RepositoryName = "traefik"
OutputType = "file"
FileName = "traefik_changelog.md"
# example new bugfix v2.4.9
# example new bugfix v2.4.11
CurrentRef = "v2.4"
PreviousRef = "v2.4.8"
PreviousRef = "v2.4.9"
BaseBranch = "v2.4"
FutureCurrentRefName = "v2.4.9"
FutureCurrentRefName = "v2.4.11"
ThresholdPreviousRef = 10
ThresholdCurrentRef = 10

2
webui/src/components/_commons/PanelMiddlewares.vue
View file

@ -1131,7 +1131,7 @@ export default {
return exData
},
getProviderLogoPath (provider) {
const name = provider.name.toLowerCase()
const name = provider.toLowerCase()
if (name.includes('plugin-')) {
return 'statics/providers/plugin.svg'