fix: Ingress TLS support

Co-authored-by: Julien Salleyron <julien@containo.us>

docs/content/migration/v2.md

@@ -172,3 +172,133 @@ rules:
 ```
 
 After having both resources applied, Traefik will work properly.
+
+### Kubernetes Ingress
+
+To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
+
+#### Expose an Ingress on 80 and 443
+
+Define the default TLS configuration on the HTTPS entry point. 
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: "/foo"
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    http:
+      tls: {}
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+  [entryPoints.websecure.http]
+    [entryPoints.websecure.http.tls]
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls=true
+--providers.kubernetesIngress=true
+```
+
+#### Use TLS only on one Ingress
+
+Define the TLS restriction with annotations.
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example-tls
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: ""
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--providers.kubernetesIngress=true
+```

docs/content/routing/providers/kubernetes-ingress.md

@@ -202,7 +202,7 @@ which in turn will create the resulting routers, services, handlers, etc.
     See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
 
     ```yaml
-    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kuberntes-crd,cb@file
+    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kuberntescrd,cb@file
     ```
 
 ??? info "`traefik.ingress.kubernetes.io/router.priority`"

integration/testdata/rawdata-ingress.json

@@ -45,7 +45,6 @@
 			],
 			"service": "default-whoami-http",
 			"rule": "Host(`whoami.test.https`) \u0026\u0026 PathPrefix(`/whoami`)",
-			"tls": {},
 			"status": "enabled",
 			"using": [
 				"web"

pkg/provider/kubernetes/ingress/fixtures/TLS-support_ingress.yml

@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1beta1
 metadata:
   name: ""
   namespace: testing
+  annotations:
+    traefik.ingress.kubernetes.io/router.tls: "true"
 
 spec:
   tls:

pkg/provider/kubernetes/ingress/kubernetes.go

@@ -265,10 +265,10 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
 
 				serviceName := provider.Normalize(ingress.Namespace + "-" + pa.Backend.ServiceName + "-" + pa.Backend.ServicePort.String())
 				conf.HTTP.Services[serviceName] = service
-				conf.HTTP.Services[serviceName] = service
 
 				routerKey := strings.TrimPrefix(provider.Normalize(ingress.Name+"-"+ingress.Namespace+"-"+rule.Host+pa.Path), "-")
-				conf.HTTP.Routers[routerKey] = loadRouter(ingress, rule, pa, rtConfig, serviceName)
+
+				conf.HTTP.Routers[routerKey] = loadRouter(rule, pa, rtConfig, serviceName)
 			}
 		}
 	}
@@ -526,7 +526,7 @@ func getProtocol(portSpec corev1.ServicePort, portName string, svcConfig *Servic
 	return protocol
 }
 
-func loadRouter(ingress *v1beta1.Ingress, rule v1beta1.IngressRule, pa v1beta1.HTTPIngressPath, rtConfig *RouterConfig, serviceName string) *dynamic.Router {
+func loadRouter(rule v1beta1.IngressRule, pa v1beta1.HTTPIngressPath, rtConfig *RouterConfig, serviceName string) *dynamic.Router {
 	var rules []string
 	if len(rule.Host) > 0 {
 		rules = []string{buildHostRule(rule.Host)}
@@ -546,11 +546,6 @@ func loadRouter(ingress *v1beta1.Ingress, rule v1beta1.IngressRule, pa v1beta1.H
 		Service: serviceName,
 	}
 
-	if len(ingress.Spec.TLS) > 0 {
-		// TLS enabled for this ingress, add TLS router
-		rt.TLS = &dynamic.RouterTLSConfig{}
-	}
-
 	if rtConfig != nil && rtConfig.Router != nil {
 		rt.Priority = rtConfig.Router.Priority
 		rt.EntryPoints = rtConfig.Router.EntryPoints