From 94141233f0613a5b19fc67533d2596f998e6920c Mon Sep 17 00:00:00 2001 
From: mloiseleur <97035654+mloiseleur@users.noreply.github.com> Date: Fri, 24 Jun 2022 12:40:08 +0200 Subject: [PATCH] Add documentation to Traefik CRD properties Co-authored-by: Romain Co-authored-by: Kevin Pollet --- docs/content/providers/kubernetes-crd.md | 15 +- .../kubernetes-crd-definition-v1.yml | 2236 ++++++++++++++++- .../dynamic-configuration/kubernetes-crd.md | 10 +- .../traefik.containo.us_ingressroutes.yaml | 121 +- .../traefik.containo.us_ingressroutetcps.yaml | 76 +- .../traefik.containo.us_ingressrouteudps.yaml | 24 +- .../traefik.containo.us_middlewares.yaml | 483 +++- .../traefik.containo.us_middlewaretcps.yaml | 14 +- ...traefik.containo.us_serverstransports.yaml | 40 +- .../traefik.containo.us_tlsoptions.yaml | 32 +- .../traefik.containo.us_tlsstores.yaml | 10 +- .../traefik.containo.us_traefikservices.yaml | 213 +- .../routing/providers/kubernetes-crd.md | 132 +- .../user-guides/crd-acme/05-tlsoption.yml | 17 + docs/content/user-guides/crd-acme/index.md | 36 +- integration/fixtures/k8s/01-traefik-crd.yml | 1013 ++++++-- pkg/config/dynamic/http_config.go | 19 +- pkg/config/dynamic/middlewares.go | 402 ++- pkg/config/dynamic/tcp_config.go | 4 +- pkg/config/dynamic/tcp_middlewares.go | 11 +- .../kubernetes/crd/kubernetes_http.go | 4 +- .../crd/traefik/v1alpha1/ingressroute.go | 146 +- .../crd/traefik/v1alpha1/ingressroutetcp.go | 104 +- .../crd/traefik/v1alpha1/ingressrouteudp.go | 49 +- .../crd/traefik/v1alpha1/middleware.go | 166 +- .../crd/traefik/v1alpha1/middlewaretcp.go | 18 +- .../crd/traefik/v1alpha1/objectreference.go | 4 +- .../crd/traefik/v1alpha1/serverstransport.go | 39 +- .../crd/traefik/v1alpha1/service.go | 57 +- .../crd/traefik/v1alpha1/tlsoption.go | 52 +- .../crd/traefik/v1alpha1/tlsstore.go | 19 +- .../traefik/v1alpha1/zz_generated.deepcopy.go | 68 +- .../testdata/anonymized-dynamic-config.json | 4 +- .../testdata/secured-dynamic-config.json | 4 +- script/code-gen.sh | 5 +- 35 files changed, 4755 insertions(+), 892 
deletions(-) create mode 100644 docs/content/user-guides/crd-acme/05-tlsoption.yml diff --git a/docs/content/providers/kubernetes-crd.md b/docs/content/providers/kubernetes-crd.md index 3859fed59..e9e848f11 100644 --- a/docs/content/providers/kubernetes-crd.md +++ b/docs/content/providers/kubernetes-crd.md @@ -31,15 +31,14 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead. -??? example "Initializing Resource Definition and RBAC" +!!! example "Installing Resource Definition and RBAC" - ```yaml tab="Traefik Resource Definition" - # All resources definition must be declared - --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" - ``` - - ```yaml tab="RBAC for Traefik CRD" - --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" + ```bash + # Install Traefik Resource Definitions: + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml + + # Install RBAC for Traefik: + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml ``` ## Resource Configuration diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml index 69a939498..6dfff51b9 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml 
@@ -1,9 +1,2227 @@ ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml" ---8<-- "content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml" + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutes.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the desired state of IngressRoute. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: Route holds the HTTP route configuration. + properties: + kind: + description: Kind defines the kind of the route. Rule is the + only supported kind. + enum: + - Rule + type: string + match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule' + type: string + middlewares: + description: 'Middlewares defines the list of references to + Middleware resources. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware' + items: + description: MiddlewareRef is a reference to a Middleware + resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority' + type: integer + services: + description: Services defines the list of Service. It can contain + any combination of TraefikService and/or reference to a Kubernetes + Service. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. 
+ enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + passHostHeader: + description: PassHostHeader defines whether the client + Host header is forwarded to the upstream Kubernetes + Service. By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, + in milliseconds, in between flushes to the client + while copying the response body. A negative value + means to flush immediately after each write to the + client. This configuration is ignored when ReverseProxy + recognizes a response as a streaming response; for + such responses, writes are flushed to the client + immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the + request to the upstream Kubernetes Service. It defaults + to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. 
+ More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only + be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round + Robin). + type: integer + required: + - name + type: object + type: array + required: + - kind + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. 
+ properties: + main: + type: string + sans: + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' + properties: + name: + description: 'Name defines the name of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSOption. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: 'Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSStore. 
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutetcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' 
+ items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteTCP holds the TCP route configuration. + properties: + match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1' + type: string + middlewares: + description: Middlewares defines the list of references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1' + type: integer + services: + description: Services defines the list of TCP services. + items: + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + proxyProtocol: + description: 'ProxyProtocol defines the PROXY protocol + configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol' + properties: + version: + description: Version defines the PROXY Protocol version + to use. 
+ type: integer + type: object + terminationDelay: + description: TerminationDelay defines the deadline that + the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, + to close the reading capability as well, hence fully + terminating the connection. It is a duration in milliseconds, + defaulting to 100. A negative value means an infinite + deadline (i.e. the reading capability is never closed). + type: integer + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + required: + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration on a layer 4 / TCP + Route. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. + properties: + main: + type: string + sans: + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. 
+ type: string + required: + - name + type: object + passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressrouteudps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteUDP holds the UDP route configuration. + properties: + services: + description: Services defines the list of UDP services. + items: + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. 
+ type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewares.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareSpec defines the desired state of a Middleware. + properties: + addPrefix: + description: 'AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding + it. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/' + properties: + prefix: + description: Prefix is the string to add before the current path + in the requested URL. It should include a leading slash (/). + type: string + type: object + basicAuth: + description: 'BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: 'RemoveHeader sets the removeHeader option to true + to remove the authorization header before forwarding the request + to your service. Default: false.' + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + buffering: + description: 'Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can + be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes' + properties: + maxRequestBodyBytes: + description: 'MaxRequestBodyBytes defines the maximum allowed + body size for the request (in bytes). If the request exceeds + the allowed size, it is not forwarded to the service, and the + client gets a 413 (Request Entity Too Large) response. Default: + 0 (no maximum).' 
+ format: int64 + type: integer + maxResponseBodyBytes: + description: 'MaxResponseBodyBytes defines the maximum allowed + response size from the service (in bytes). If the response exceeds + the allowed size, it is not forwarded to the client. The client + gets a 500 (Internal Server Error) response instead. Default: + 0 (no maximum).' + format: int64 + type: integer + memRequestBodyBytes: + description: 'MemRequestBodyBytes defines the threshold (in bytes) + from which the request will be buffered on disk instead of in + memory. Default: 1048576 (1Mi).' + format: int64 + type: integer + memResponseBodyBytes: + description: 'MemResponseBodyBytes defines the threshold (in bytes) + from which the response will be buffered on disk instead of + in memory. Default: 1048576 (1Mi).' + format: int64 + type: integer + retryExpression: + description: 'RetryExpression defines the retry conditions. It + is a logical combination of functions with operators AND (&&) + and OR (||). More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression' + type: string + type: object + chain: + description: 'Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other + pieces of middleware. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/' + properties: + middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. + items: + description: MiddlewareRef is a reference to a Middleware resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: 'CircuitBreaker holds the circuit breaker middleware + configuration. 
This middleware protects the system from stacking + requests to unhealthy services, resulting in cascading failures. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/' + properties: + expression: + description: Expression defines the expression that, once matched, + opens the circuit breaker and applies the fallback mechanism + instead of calling the services. + type: string + type: object + compress: + description: 'Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the + client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/' + properties: + excludedContentTypes: + description: ExcludedContentTypes defines the list of content + types to compare the Content-Type header of the incoming requests + and responses before compressing. + items: + type: string + type: array + minResponseBodyBytes: + description: 'MinResponseBodyBytes defines the minimum amount + of bytes a response body must have to be compressed. Default: + 1024.' + type: integer + type: object + contentType: + description: ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least + the default one can be changed in a future version. + properties: + autoDetect: + description: AutoDetect specifies whether to let the `Content-Type` + header, if it has not been set by the backend, be automatically + set to a value derived from the contents of the response. As + a proxy, the default behavior should be to leave the header + alone, regardless of what the backend did with it. However, + the historic default was to always auto-detect and set the header + if it was nil, and it is going to be kept that way in order + to support users currently relying on it. + type: boolean + type: object + digestAuth: + description: 'DigestAuth holds the digest auth middleware configuration. 
+ This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + errors: + description: 'ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according + to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/' + properties: + query: + description: Query defines the URL for the error page (hosted + by service). The {status} variable can be used in order to insert + the status code in the URL. + type: string + service: + description: 'Service defines the reference to a Kubernetes Service + that will serve the error page. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service' + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the + two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. 
+ type: string + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming + response; for such responses, writes are flushed to + the client immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes + Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. 
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported value + at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object (and + to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + description: Status defines which status or range of statuses + should result in an error page. It can be either a status code + as a number (500), as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), or + a combination of the two (404,418,500-599). + items: + type: string + type: array + type: object + forwardAuth: + description: 'ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/' + properties: + address: + description: Address defines the authentication server address. + type: string + authRequestHeaders: + description: AuthRequestHeaders defines the list of the headers + to copy from the request to the authentication server. If not + set or empty then all request headers are passed. + items: + type: string + type: array + authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. 
+ items: + type: string + type: array + authResponseHeadersRegex: + description: 'AuthResponseHeadersRegex defines the regex to match + headers to copy from the authentication server response and + set on forwarded request, after stripping all headers that match + the regex. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex' + type: string + tls: + description: TLS defines the configuration used to secure the + connection to the authentication server. + properties: + caOptional: + type: boolean + caSecret: + description: CASecret is the name of the referenced Kubernetes + Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. + type: string + certSecret: + description: CertSecret is the name of the referenced Kubernetes + Secret containing the client certificate. The client certificate + is extracted from the keys `tls.crt` and `tls.key`. + type: string + insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. + type: boolean + type: object + trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' + type: boolean + type: object + headers: + description: 'Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders' + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials defines whether the + request can include user credentials. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. 
+ items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge defines the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. + type: boolean + allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. + items: + type: string + type: array + browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. + type: boolean + contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. + type: string + contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. + type: boolean + customBrowserXSSValue: + description: CustomBrowserXSSValue defines the X-XSS-Protection + header value. This overrides the BrowserXssFilter option. 
+ type: string + customFrameOptionsValue: + description: CustomFrameOptionsValue defines the X-Frame-Options + header value. This overrides the FrameDeny option. + type: string + customRequestHeaders: + additionalProperties: + type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. + type: object + customResponseHeaders: + additionalProperties: + type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. + type: object + featurePolicy: + description: 'Deprecated: use PermissionsPolicy instead.' + type: string + forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. + type: boolean + frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. + type: boolean + hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. + items: + type: string + type: array + isDevelopment: + description: IsDevelopment defines whether to mitigate the unwanted + effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, + not your production domain. If you would like your development + environment to mimic production with complete Host blocking, + SSL redirects, and STS headers, leave this as false. + type: boolean + permissionsPolicy: + description: PermissionsPolicy defines the Permissions-Policy + header value. This allows sites to control browser features. + type: string + publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. + type: string + referrerPolicy: + description: ReferrerPolicy defines the Referrer-Policy header + value. This allows sites to control whether browsers forward + the Referer header to other sites. 
+ type: string + sslForceHost: + description: 'Deprecated: use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + description: 'SSLProxyHeaders defines the header keys with associated + values that would indicate a valid HTTPS request. It can be + useful when using other proxies (example: "X-Forwarded-Proto": + "https").' + type: object + sslRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. + type: boolean + stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. + type: boolean + stsSeconds: + description: STSSeconds defines the max-age of the Strict-Transport-Security + header. If set to 0, the header is not set. + format: int64 + type: integer + type: object + inFlightReq: + description: 'InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and + served concurrently. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/' + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + in-flight request. The middleware responds with HTTP 429 Too + Many Requests if there are already amount requests in progress + (based on the same sourceCriterion strategy). + format: int64 + type: integer + sourceCriterion: + description: 'SourceCriterion defines what criterion is used to + group requests as originating from a common source. 
If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + ipWhiteList: + description: 'IPWhiteList holds the IP whitelist middleware configuration. + This middleware accepts / refuses requests based on the client IP. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration used + by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. 
+ items: + type: string + type: array + type: object + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + passTLSClientCert: + description: 'PassTLSClientCert holds the pass TLS client cert middleware + configuration. This middleware adds the selected data from the passed + client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/' + properties: + info: + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + issuer: + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. + type: boolean + country: + description: Country defines whether to add the country + information into the issuer. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the issuer. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the issuer. + type: boolean + province: + description: Province defines whether to add the province + information into the issuer. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. + type: boolean + type: object + notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. + type: boolean + notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. 
+ type: boolean + sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. + type: boolean + subject: + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. + type: boolean + country: + description: Country defines whether to add the country + information into the subject. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the subject. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the subject. + type: boolean + organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. + type: boolean + province: + description: Province defines whether to add the province + information into the subject. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. + type: boolean + type: object + type: object + pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the escaped certificate. + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + type: object + rateLimit: + description: 'RateLimit holds the rate limit configuration. This middleware + ensures that services will receive a fair amount of requests, and + allows one to define what fair is. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/' + properties: + average: + description: Average is the maximum rate, by default in requests/s, + allowed for the given source. It defaults to 0, which means + no rate limiting. The rate is actually defined by dividing Average + by Period. So for a rate below 1req/s, one needs to define a + Period larger than a second. + format: int64 + type: integer + burst: + description: Burst is the maximum number of requests allowed to + arrive in the same arbitrarily small period of time. It defaults + to 1. + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + description: 'Period, in combination with Average, defines the + actual maximum rate, such as: r = Average / Period. It defaults + to a second.' + x-kubernetes-int-or-string: true + sourceCriterion: + description: SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote + address field (as an ipStrategy). + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. 
+ type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + redirectRegex: + description: 'RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + regex: + description: Regex defines the regex used to match and capture + elements from the request URL. + type: string + replacement: + description: Replacement defines how to modify the URL to have + the new target URL. + type: string + type: object + redirectScheme: + description: 'RedirectScheme holds the redirect scheme middleware + configuration. This middleware redirects requests from a scheme/port + to another. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + port: + description: Port defines the port of the new URL. + type: string + scheme: + description: Scheme defines the scheme of the new URL. + type: string + type: object + replacePath: + description: 'ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the + original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/' + properties: + path: + description: Path defines the path to use as replacement in the + request URL. + type: string + type: object + replacePathRegex: + description: 'ReplacePathRegex holds the replace path regex middleware + configuration. This middleware replaces the path of a URL using + regex matching and replacement. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/' + properties: + regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. + type: string + replacement: + description: Replacement defines the replacement path format, + which can include captured variables. + type: string + type: object + retry: + description: 'Retry holds the retry middleware configuration. This + middleware reissues requests a given number of times to a backend + server if that server does not reply. As soon as the server answers, + the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/' + properties: + attempts: + description: Attempts defines how many times the request should + be retried. + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + description: InitialInterval defines the first wait time in the + exponential backoff series. The maximum interval is calculated + as twice the initialInterval. If unspecified, requests will + be retried immediately. The value of initialInterval should + be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration. + x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: 'StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/' + properties: + forceSlash: + description: 'ForceSlash ensures that the resulting stripped path + is not the empty string, by replacing it with / when necessary. + Default: true.' + type: boolean + prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. 
+ items: + type: string + type: array + type: object + stripPrefixRegex: + description: 'StripPrefixRegex holds the strip prefix regex middleware + configuration. This middleware removes the matching prefixes from + the URL path. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/' + properties: + regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewaretcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. + properties: + inFlightConn: + description: InFlightConn defines the InFlightConn middleware configuration. + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + connections. The middleware closes the connection if there are + already amount connections opened. + format: int64 + type: integer + type: object + ipWhiteList: + description: IPWhiteList defines the IPWhiteList middleware configuration. + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: serverstransports.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServersTransportSpec defines the desired state of a ServersTransport. + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. + type: boolean + forwardingTimeouts: + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. 
+ x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: InsecureSkipVerify disables SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. + type: integer + peerCertURI: + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact the + server. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsoptions.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSOption is the CRD implementation of a Traefik TLS Option, + allowing to configure some parameters of the TLS connection. 
More info: + https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSOptionSpec defines the desired state of a TLSOption. + properties: + alpnProtocols: + description: 'ALPNProtocols defines the list of supported application + level protocols for the TLS handshake, in order of preference. More + info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols' + items: + type: string + type: array + cipherSuites: + description: 'CipherSuites defines the list of supported cipher suites + for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites' + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the server's policy for TLS Client + Authentication. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. 
+ items: + type: string + type: array + type: object + curvePreferences: + description: 'CurvePreferences defines the preferred elliptic curves + in a specific order. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences' + items: + type: string + type: array + maxVersion: + description: 'MaxVersion defines the maximum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: None.' + type: string + minVersion: + description: 'MinVersion defines the minimum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: VersionTLS10.' + type: string + preferServerCipherSuites: + description: PreferServerCipherSuites defines whether the server chooses + a cipher suite among his own instead of among the client's. It is + enabled automatically when minVersion or maxVersion are set. + type: boolean + sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsstores.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For + the time being, only the TLSStore named default is supported. This means + that you cannot have two stores that are named default in different Kubernetes + namespaces. 
More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSStoreSpec defines the desired state of a TLSStore. + properties: + defaultCertificate: + description: DefaultCertificate defines the default certificate configuration. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + required: + - defaultCertificate + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: traefikservices.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TraefikService is the CRD implementation of a Traefik Service. 
+ TraefikService object allows to: - Apply weight to Services on load-balancing - + Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TraefikServiceSpec defines the desired state of a TraefikService. + properties: + mirroring: + description: Mirroring defines the Mirroring service configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + maxBodySize: + description: MaxBodySize defines the maximum size allowed for + the body of the request. If the body is larger, the request + is not mirrored. Default value is -1, which means unlimited + size. + format: int64 + type: integer + mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. + items: + description: MirrorService holds the mirror configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. 
+ type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + percent: + description: 'Percent defines the part of the traffic to + mirror. Supported values: 0 to 100.' + type: integer + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. 
+ properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the two + is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + passHostHeader: + description: PassHostHeader defines whether the client Host header + is forwarded to the upstream Kubernetes Service. By default, + passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. This + can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. 
+ properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https when + Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy between + the servers. RoundRobin is the only supported value at the moment. 
+ type: string + weight: + description: Weight defines the weight and should only be specified + when Name references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: Weighted defines the Weighted Round Robin configuration. + properties: + services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. 
Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: 'Sticky defines whether sticky sessions are enabled. 
+ More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd.md b/docs/content/reference/dynamic-configuration/kubernetes-crd.md index 42720d17c..29228f252 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd.md +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.md 
@@ -8,13 +8,19 @@ description: "Learn about the definitions, resources, and RBAC of dynamic config Dynamic configuration with Kubernetes Custom Resource {: .subtitle } +!!! warning "Deprecated apiextensions.k8s.io/v1beta1 CRD" + + The `apiextensions.k8s.io/v1beta1` CustomResourceDefinition is deprecated in Kubernetes `v1.16+` and will be removed in `v1.22+`. + + For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead. + ## Definitions -```yaml tab="apiextensions.k8s.io/v1" +```yaml tab="apiextensions.k8s.io/v1 (Kubernetes v1.16+)" --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" ``` -```yaml tab="apiextensions.k8s.io/v1beta1" +```yaml tab="apiextensions.k8s.io/v1beta1 (Deprecated)" --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml" ``` diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml index 1f5545927..d79c4539d 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml @@ -19,7 +19,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRoute is an Ingress CRD specification. + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -34,96 +34,151 @@ spec: metadata: type: object spec: - description: IngressRouteSpec is a specification for a IngressRouteSpec - resource. + description: IngressRouteSpec defines the desired state of IngressRoute. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: Route contains the set of routes. + description: Route holds the HTTP route configuration. properties: kind: + description: Kind defines the kind of the route. Rule is the + only supported kind. enum: - Rule type: string match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule' type: string middlewares: + description: 'Middlewares defines the list of references to + Middleware resources. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware' items: - description: MiddlewareRef is a ref to the Middleware resources. + description: MiddlewareRef is a reference to a Middleware + resource. properties: name: + description: Name defines the name of the referenced Middleware + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. type: string required: - name type: object type: array priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority' type: integer services: + description: Services defines the list of Service. It can contain + any combination of TraefikService and/or reference to a Kubernetes + Service. items: - description: Service defines an upstream to proxy traffic. 
+ description: Service defines an upstream HTTP service to proxy + traffic to. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The - differentiation between the two is specified in the - Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client + Host header is forwarded to the upstream Kubernetes + Service. By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. properties: flushInterval: + description: 'FlushInterval defines the interval, + in milliseconds, in between flushes to the client + while copying the response body. A negative value + means to flush immediately after each write to the + client. This configuration is ignored when ReverseProxy + recognizes a response as a streaming response; for + such responses, writes are flushed to the client + immediately. Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the + request to the upstream Kubernetes Service. 
It defaults + to https when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration - based on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name - references a TraefikService object (and to be precise, - one that embeds a Weighted Round Robin). + description: Weight defines the weight and should only + be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round + Robin). type: integer required: - name 
@@ -135,14 +190,16 @@ spec: type: object type: array tls: - description: "TLS contains the TLS certificates configuration of the - routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in - YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: - # block format" + description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls' properties: certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' type: string domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' items: description: Domain holds a domain name with SANs. properties: @@ -155,12 +212,17 @@ spec: type: object type: array options: - description: Options is a reference to a TLSOption, that specifies - the parameters of the TLS connection. + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: name: + description: 'Name defines the name of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' type: string namespace: + description: 'Namespace defines the namespace of the referenced + TLSOption. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' type: string required: - name 
@@ -170,12 +232,17 @@ spec: Secret to specify the certificate details. type: string store: - description: Store is a reference to a TLSStore, that specifies - the parameters of the TLS store. + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. properties: name: + description: 'Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' type: string namespace: + description: 'Namespace defines the namespace of the referenced + TLSStore. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' type: string required: - name diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml index e20d612a7..1be022474 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml @@ -19,7 +19,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRouteTCP is an Ingress CRD specification. + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -34,58 +34,89 @@ spec: metadata: type: object spec: - description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec - resource. + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: RouteTCP contains the set of routes. + description: RouteTCP holds the TCP route configuration. properties: match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1' type: string middlewares: - description: Middlewares contains references to MiddlewareTCP + description: Middlewares defines the list of references to MiddlewareTCP resources. items: description: ObjectReference is a generic reference to a Traefik resource. properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name type: object type: array priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1' type: integer services: + description: Services defines the list of TCP services. items: - description: ServiceTCP defines an upstream to proxy traffic. + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. properties: name: + description: Name defines the name of the referenced Kubernetes + Service. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. 
type: string port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true proxyProtocol: - description: ProxyProtocol holds the ProxyProtocol configuration. + description: 'ProxyProtocol defines the PROXY protocol + configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol' properties: version: + description: Version defines the PROXY Protocol version + to use. type: integer type: object terminationDelay: + description: TerminationDelay defines the deadline that + the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, + to close the reading capability as well, hence fully + terminating the connection. It is a duration in milliseconds, + defaulting to 100. A negative value means an infinite + deadline (i.e. the reading capability is never closed). type: integer weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. type: integer required: - name 
@@ -97,14 +128,17 @@ spec: type: object type: array tls: - description: "TLSTCP contains the TLS certificates configuration of - the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. - in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: - # block format" + description: 'TLS defines the TLS configuration on a layer 4 / TCP + Route. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1' properties: certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' type: string domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' items: description: Domain holds a domain name with SANs. properties: 
@@ -117,29 +151,41 @@ spec: type: object type: array options: - description: Options is a reference to a TLSOption, that specifies - the parameters of the TLS connection. + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name type: object passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. type: boolean secretName: description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. type: string store: - description: Store is a reference to a TLSStore, that specifies - the parameters of the TLS store. + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml index 57fbaa7db..f183cd46a 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml 
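Review bot: The new `passthrough` description in this hunk reads as inverted: `Passthrough defines whether a TLS router will terminate the TLS connection.` describes the false case, while setting passthrough to true makes the router forward the raw TLS stream to the service without terminating it, so an operator reading the schema could end up terminating TLS at Traefik (or not) opposite to their intent. Suggested wording: `description: Passthrough defines whether a TLS router will forward the raw TLS connection to the service (true) instead of terminating it (false).`. Since this file carries a `controller-gen.kubebuilder.io/version` annotation, the correction should be made in the Go type comment the CRD is generated from and the YAML regenerated, which would presumably also fix the same sentence where it is duplicated in the other CRD definition files touched by this patch.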
@@ -19,7 +19,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRouteUDP is an Ingress CRD specification. + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,31 +34,45 @@ spec: metadata: type: object spec: - description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec - resource. + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: RouteUDP contains the set of routes. + description: RouteUDP holds the UDP route configuration. properties: services: + description: Services defines the list of UDP services. items: - description: ServiceUDP defines an upstream to proxy traffic. + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. properties: name: + description: Name defines the name of the referenced Kubernetes + Service. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. type: string port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. type: integer required: - name diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml index 932e54010..1520b663b 100644 
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml @@ -19,7 +19,8 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Middleware is a specification for a Middleware resource. + description: 'Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -34,54 +35,99 @@ spec: metadata: type: object spec: - description: MiddlewareSpec holds the Middleware configuration. + description: MiddlewareSpec defines the desired state of a Middleware. properties: addPrefix: - description: AddPrefix holds the AddPrefix configuration. + description: 'AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding + it. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/' properties: prefix: + description: Prefix is the string to add before the current path + in the requested URL. It should include a leading slash (/). type: string type: object basicAuth: - description: BasicAuth holds the HTTP basic authentication configuration. + description: 'BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/' properties: headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' type: string realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' type: string removeHeader: + description: 'RemoveHeader sets the removeHeader option to true + to remove the authorization header before forwarding the request + to your service. Default: false.' type: boolean secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. type: string type: object buffering: - description: Buffering holds the request/response buffering configuration. + description: 'Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can + be forwarded to backends. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes' properties: maxRequestBodyBytes: + description: 'MaxRequestBodyBytes defines the maximum allowed + body size for the request (in bytes). If the request exceeds + the allowed size, it is not forwarded to the service, and the + client gets a 413 (Request Entity Too Large) response. Default: + 0 (no maximum).' format: int64 type: integer maxResponseBodyBytes: + description: 'MaxResponseBodyBytes defines the maximum allowed + response size from the service (in bytes). If the response exceeds + the allowed size, it is not forwarded to the client. The client + gets a 500 (Internal Server Error) response instead. Default: + 0 (no maximum).' format: int64 type: integer memRequestBodyBytes: + description: 'MemRequestBodyBytes defines the threshold (in bytes) + from which the request will be buffered on disk instead of in + memory. Default: 1048576 (1Mi).' format: int64 type: integer memResponseBodyBytes: + description: 'MemResponseBodyBytes defines the threshold (in bytes) + from which the response will be buffered on disk instead of + in memory. Default: 1048576 (1Mi).' format: int64 type: integer retryExpression: + description: 'RetryExpression defines the retry conditions. It + is a logical combination of functions with operators AND (&&) + and OR (||). More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression' type: string type: object chain: - description: Chain holds a chain of middlewares. + description: 'Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other + pieces of middleware. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/' properties: middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. items: - description: MiddlewareRef is a ref to the Middleware resources. 
+ description: MiddlewareRef is a reference to a Middleware resource. properties: name: + description: Name defines the name of the referenced Middleware + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. type: string required: - name 
@@ -89,165 +135,261 @@ spec: type: array type: object circuitBreaker: - description: CircuitBreaker holds the circuit breaker configuration. + description: 'CircuitBreaker holds the circuit breaker middleware + configuration. This middleware protects the system from stacking + requests to unhealthy services, resulting in cascading failures. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/' properties: expression: + description: Expression defines the expression that, once matched, + opens the circuit breaker and applies the fallback mechanism + instead of calling the services. type: string type: object compress: - description: Compress holds the compress configuration. + description: 'Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the + client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/' properties: excludedContentTypes: + description: ExcludedContentTypes defines the list of content + types to compare the Content-Type header of the incoming requests + and responses before compressing. items: type: string type: array minResponseBodyBytes: + description: 'MinResponseBodyBytes defines the minimum amount + of bytes a response body must have to be compressed. Default: + 1024.' type: integer type: object contentType: - description: ContentType middleware - or rather its unique `autoDetect` - option - specifies whether to let the `Content-Type` header, if - it has not been set by the backend, be automatically set to a value - derived from the contents of the response. As a proxy, the default - behavior should be to leave the header alone, regardless of what - the backend did with it. However, the historic default was to always - auto-detect and set the header if it was nil, and it is going to - be kept that way in order to support users currently relying on - it. 
This middleware exists to enable the correct behavior until - at least the default one can be changed in a future version. + description: ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least + the default one can be changed in a future version. properties: autoDetect: + description: AutoDetect specifies whether to let the `Content-Type` + header, if it has not been set by the backend, be automatically + set to a value derived from the contents of the response. As + a proxy, the default behavior should be to leave the header + alone, regardless of what the backend did with it. However, + the historic default was to always auto-detect and set the header + if it was nil, and it is going to be kept that way in order + to support users currently relying on it. type: boolean type: object digestAuth: - description: DigestAuth holds the Digest HTTP authentication configuration. + description: 'DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/' properties: headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' type: string realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' type: string removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. type: boolean secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. type: string type: object errors: - description: ErrorPage holds the custom error page configuration. 
+ description: 'ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according + to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/' properties: query: + description: Query defines the URL for the error page (hosted + by service). The {status} variable can be used in order to insert + the status code in the URL. type: string service: - description: Service defines an upstream to proxy traffic. + description: 'Service defines the reference to a Kubernetes Service + that will serve the error page. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service' properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service object - (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the + two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for the - forward of the response. 
+ description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming + response; for such responses, writes are flushed to + the client immediately. Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes + Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). 
type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported value + at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object (and + to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object status: + description: Status defines which status or range of statuses + should result in an error page. It can be either a status code + as a number (500), as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), or + a combination of the two (404,418,500-599). items: type: string type: array type: object forwardAuth: - description: ForwardAuth holds the http forward authentication configuration. + description: 'ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/' properties: address: + description: Address defines the authentication server address. type: string authRequestHeaders: + description: AuthRequestHeaders defines the list of the headers + to copy from the request to the authentication server. If not + set or empty then all request headers are passed. items: type: string type: array authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. 
items: type: string type: array authResponseHeadersRegex: + description: 'AuthResponseHeadersRegex defines the regex to match + headers to copy from the authentication server response and + set on forwarded request, after stripping all headers that match + the regex. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex' type: string tls: - description: ClientTLS holds TLS specific configurations as client. + description: TLS defines the configuration used to secure the + connection to the authentication server. properties: caOptional: type: boolean caSecret: + description: CASecret is the name of the referenced Kubernetes + Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. type: string certSecret: + description: CertSecret is the name of the referenced Kubernetes + Secret containing the client certificate. The client certificate + is extracted from the keys `tls.crt` and `tls.key`. type: string insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. type: boolean type: object trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' type: boolean type: object headers: - description: Headers holds the custom header configuration. + description: 'Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders' properties: accessControlAllowCredentials: - description: AccessControlAllowCredentials is only valid if true. - false is ignored. + description: AccessControlAllowCredentials defines whether the + request can include user credentials. 
type: boolean accessControlAllowHeaders: - description: AccessControlAllowHeaders must be used in response - to a preflight request with Access-Control-Request-Headers set. + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. items: type: string type: array accessControlAllowMethods: - description: AccessControlAllowMethods must be used in response - to a preflight request with Access-Control-Request-Method set. + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. items: type: string type: array 
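Review bot: The `insecureSkipVerify` description under forwardAuth.tls states the opposite of what the flag does: `InsecureSkipVerify defines whether the server certificates should be validated.` reads as if true means "validate", whereas true disables verification of the authentication server's certificate, which is exactly the case a reader needs spelled out. Suggest `InsecureSkipVerify defines whether the certificate of the authentication server should be accepted without validation. When true, any certificate, including a self-signed or mismatched one, is accepted.` The neighbouring `caOptional` property is the only field in that block left without a description and should get one in the same pass. The CORS descriptions at the end of the hunk name the wrong headers, `AccessControlAllowHeaders defines the Access-Control-Request-Headers values sent in preflight response.` and the matching `Access-Control-Request-Method` line mix the browser's request headers with the `Access-Control-Allow-Headers` / `Access-Control-Allow-Methods` response headers Traefik actually emits; the `accessControlExposeHeaders` line in the next hunk has the same problem, and `Access-Control-Expose-Headers` is sent on actual responses rather than on preflight responses.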
@@ -264,60 +406,96 @@ spec: type: string type: array accessControlExposeHeaders: - description: AccessControlExposeHeaders sets valid headers for - the response. + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. items: type: string type: array accessControlMaxAge: - description: AccessControlMaxAge sets the time that a preflight + description: AccessControlMaxAge defines the time that a preflight request may be cached. format: int64 type: integer addVaryHeader: - description: AddVaryHeader controls if the Vary header is automatically - added/updated when the AccessControlAllowOriginList is set. + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. type: boolean allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. items: type: string type: array browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. type: boolean contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. type: string contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. type: boolean customBrowserXSSValue: + description: CustomBrowserXSSValue defines the X-XSS-Protection + header value. This overrides the BrowserXssFilter option. type: string customFrameOptionsValue: + description: CustomFrameOptionsValue defines the X-Frame-Options + header value. This overrides the FrameDeny option. type: string customRequestHeaders: additionalProperties: type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. 
type: object customResponseHeaders: additionalProperties: type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. type: object featurePolicy: description: 'Deprecated: use PermissionsPolicy instead.' type: string forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. type: boolean frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. type: boolean hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. items: type: string type: array isDevelopment: + description: IsDevelopment defines whether to mitigate the unwanted + effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, + not your production domain. If you would like your development + environment to mimic production with complete Host blocking, + SSL redirects, and STS headers, leave this as false. type: boolean permissionsPolicy: + description: PermissionsPolicy defines the Permissions-Policy + header value. This allows sites to control browser features. type: string publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. type: string referrerPolicy: + description: ReferrerPolicy defines the Referrer-Policy header + value. This allows sites to control whether browsers forward + the Referer header to other sites. type: string sslForceHost: description: 'Deprecated: use RedirectRegex instead.' 
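Review bot: The `publicKey` description presents HPKP as a working defense: `PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates.` Public-Key-Pins has been removed from the major browsers, so an operator setting this field today gets no protection and, with a wrong pin, only a risk of locking out any client that still honours it. Suggest `PublicKey defines the Public-Key-Pins (HPKP) header value. Note that HPKP is deprecated and no longer honoured by major browsers.` as the wording, assuming the field still only sets that header.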
@@ -328,6 +506,10 @@ spec: sslProxyHeaders: additionalProperties: type: string + description: 'SSLProxyHeaders defines the header keys with associated + values that would indicate a valid HTTPS request. It can be + useful when using other proxies (example: "X-Forwarded-Proto": + "https").' type: object sslRedirect: description: 'Deprecated: use EntryPoint redirection or RedirectScheme 
@@ -338,119 +520,192 @@ spec: instead.' type: boolean stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. type: boolean stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. type: boolean stsSeconds: + description: STSSeconds defines the max-age of the Strict-Transport-Security + header. If set to 0, the header is not set. format: int64 type: integer type: object inFlightReq: - description: InFlightReq limits the number of requests being processed - and served concurrently. + description: 'InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and + served concurrently. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/' properties: amount: + description: Amount defines the maximum amount of allowed simultaneous + in-flight request. The middleware responds with HTTP 429 Too + Many Requests if there are already amount requests in progress + (based on the same sourceCriterion strategy). format: int64 type: integer sourceCriterion: - description: SourceCriterion defines what criterion is used to - group requests as originating from a common source. If none - are set, the default is to use the request's remote address - field. All fields are mutually exclusive. + description: 'SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion' properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. 
+ description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. items: type: string type: array type: object requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. type: string requestHost: + description: RequestHost defines whether to consider the request + Host as the source. type: boolean type: object type: object ipWhiteList: - description: IPWhiteList holds the ip white list configuration. + description: 'IPWhiteList holds the IP whitelist middleware configuration. + This middleware accepts / refuses requests based on the client IP. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/' properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. + description: 'IPStrategy holds the IP strategy configuration used + by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. items: type: string type: array type: object sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). 
items: type: string type: array type: object passTLSClientCert: - description: PassTLSClientCert holds the TLS client cert headers configuration. + description: 'PassTLSClientCert holds the pass TLS client cert middleware + configuration. This middleware adds the selected data from the passed + client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/' properties: info: - description: TLSClientCertificateInfo holds the client TLS certificate - info configuration. + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: issuer: - description: TLSClientCertificateIssuerDNInfo holds the client - TLS certificate distinguished name info configuration. cf - https://tools.ietf.org/html/rfc3739 + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. type: boolean country: + description: Country defines whether to add the country + information into the issuer. type: boolean domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. type: boolean locality: + description: Locality defines whether to add the locality + information into the issuer. type: boolean organization: + description: Organization defines whether to add the organization + information into the issuer. type: boolean province: + description: Province defines whether to add the province + information into the issuer. type: boolean serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. type: boolean type: object notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. 
type: boolean notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. type: boolean sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. type: boolean serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. type: boolean subject: - description: TLSClientCertificateSubjectDNInfo holds the client - TLS certificate distinguished name info configuration. cf - https://tools.ietf.org/html/rfc3739 + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. type: boolean country: + description: Country defines whether to add the country + information into the subject. type: boolean domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. type: boolean locality: + description: Locality defines whether to add the locality + information into the subject. type: boolean organization: + description: Organization defines whether to add the organization + information into the subject. type: boolean organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. type: boolean province: + description: Province defines whether to add the province + information into the subject. type: boolean serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. type: boolean type: object type: object pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the escaped certificate. type: boolean type: object plugin: 
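Review bot: The issuer and subject `commonName` descriptions are copy-paste errors: `CommonName defines whether to add the organizationalUnit information into the issuer.` (and the identical sentence under subject) describes the organizationalUnit flag, so the schema tells users the wrong attribute is controlled. Suggest `CommonName defines whether to add the commonName information into the issuer.` and the same `... into the subject.` for the subject block. The inFlightReq `sourceCriterion` text at the top of the hunk now says `If none are set, the default is to use the requestHost.`, while the rateLimit `sourceCriterion` in a later hunk keeps the remote-address (ipStrategy) default for the same structure; unless the two middlewares genuinely differ, one of them is wrong, and the original remote-address wording looks like the intended one.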
@@ -458,101 +713,171 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object rateLimit: - description: RateLimit holds the rate limiting configuration for a - given router. + description: 'RateLimit holds the rate limit configuration. This middleware + ensures that services will receive a fair amount of requests, and + allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/' properties: average: + description: Average is the maximum rate, by default in requests/s, + allowed for the given source. It defaults to 0, which means + no rate limiting. The rate is actually defined by dividing Average + by Period. So for a rate below 1req/s, one needs to define a + Period larger than a second. format: int64 type: integer burst: + description: Burst is the maximum number of requests allowed to + arrive in the same arbitrarily small period of time. It defaults + to 1. format: int64 type: integer period: anyOf: - type: integer - type: string + description: 'Period, in combination with Average, defines the + actual maximum rate, such as: r = Average / Period. It defaults + to a second.' x-kubernetes-int-or-string: true sourceCriterion: description: SourceCriterion defines what criterion is used to - group requests as originating from a common source. If none - are set, the default is to use the request's remote address - field. All fields are mutually exclusive. + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote + address field (as an ipStrategy). properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. items: type: string type: array type: object requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. type: string requestHost: + description: RequestHost defines whether to consider the request + Host as the source. type: boolean type: object type: object redirectRegex: - description: RedirectRegex holds the redirection configuration. + description: 'RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex' properties: permanent: + description: Permanent defines whether the redirection is permanent + (301). type: boolean regex: + description: Regex defines the regex used to match and capture + elements from the request URL. type: string replacement: + description: Replacement defines how to modify the URL to have + the new target URL. type: string type: object redirectScheme: - description: RedirectScheme holds the scheme redirection configuration. + description: 'RedirectScheme holds the redirect scheme middleware + configuration. This middleware redirects requests from a scheme/port + to another. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/' properties: permanent: + description: Permanent defines whether the redirection is permanent + (301). type: boolean port: + description: Port defines the port of the new URL. type: string scheme: + description: Scheme defines the scheme of the new URL. 
type: string type: object replacePath: - description: ReplacePath holds the ReplacePath configuration. + description: 'ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the + original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/' properties: path: + description: Path defines the path to use as replacement in the + request URL. type: string type: object replacePathRegex: - description: ReplacePathRegex holds the ReplacePathRegex configuration. + description: 'ReplacePathRegex holds the replace path regex middleware + configuration. This middleware replaces the path of a URL using + regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/' properties: regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. type: string replacement: + description: Replacement defines the replacement path format, + which can include captured variables. type: string type: object retry: - description: Retry holds the retry configuration. + description: 'Retry holds the retry middleware configuration. This + middleware reissues requests a given number of times to a backend + server if that server does not reply. As soon as the server answers, + the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/' properties: attempts: + description: Attempts defines how many times the request should + be retried. type: integer initialInterval: anyOf: - type: integer - type: string + description: InitialInterval defines the first wait time in the + exponential backoff series. The maximum interval is calculated + as twice the initialInterval. If unspecified, requests will + be retried immediately. 
The value of initialInterval should + be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration. x-kubernetes-int-or-string: true type: object stripPrefix: - description: StripPrefix holds the StripPrefix configuration. + description: 'StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/' properties: forceSlash: + description: 'ForceSlash ensures that the resulting stripped path + is not the empty string, by replacing it with / when necessary. + Default: true.' type: boolean prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. items: type: string type: array type: object stripPrefixRegex: - description: StripPrefixRegex holds the StripPrefixRegex configuration. + description: 'StripPrefixRegex holds the strip prefix regex middleware + configuration. This middleware removes the matching prefixes from + the URL path. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/' properties: regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. items: type: string type: array diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml index 35aa98931..da8bfe74d 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml 
@@ -19,7 +19,8 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: MiddlewareTCP is a specification for a MiddlewareTCP resource. + description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,19 +35,24 @@ spec: metadata: type: object spec: - description: MiddlewareTCPSpec holds the MiddlewareTCP configuration. + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. properties: inFlightConn: - description: TCPInFlightConn holds the TCP in flight connection configuration. + description: InFlightConn defines the InFlightConn middleware configuration. properties: amount: + description: Amount defines the maximum amount of allowed simultaneous + connections. The middleware closes the connection if there are + already amount connections opened. format: int64 type: integer type: object ipWhiteList: - description: TCPIPWhiteList holds the TCP ip white list configuration. + description: IPWhiteList defines the IPWhiteList middleware configuration. properties: sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). items: type: string type: array diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml index aac46790b..04be0daab 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml 
@@ -19,7 +19,10 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ServersTransport is a specification for a ServersTransport resource. + description: 'ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,27 +37,28 @@ spec: metadata: type: object spec: - description: ServersTransportSpec options to configure communication between - Traefik and the servers. + description: ServersTransportSpec defines the desired state of a ServersTransport. properties: certificatesSecrets: - description: Certificates for mTLS. + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. items: type: string type: array disableHTTP2: - description: Disable HTTP/2 for connections with backend servers. + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. type: boolean forwardingTimeouts: - description: Timeouts for requests forwarded to the backend servers. + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. properties: dialTimeout: anyOf: - type: integer - type: string description: DialTimeout is the amount of time to wait until a - connection to a backend server can be established. If zero, - no timeout exists. + connection to a backend server can be established. x-kubernetes-int-or-string: true idleConnTimeout: anyOf: 
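Review bot: The rewritten dialTimeout description drops the sentence "If zero, no timeout exists.", and the two following hunks remove the same zero-value statement from readIdleTimeout, responseHeaderTimeout and maxIdleConnsPerHost ("If zero, DefaultMaxIdleConnsPerHost is used."). That sentence is the operationally important part of each field: an operator tuning a ServersTransport needs to know whether `dialTimeout: 0` or `responseHeaderTimeout: 0` means "no upper bound on how long Traefik waits for a backend", which is what decides resilience against slow or unresponsive upstreams. Unless the zero semantics actually changed, keep a closing sentence such as `If zero, no timeout exists.` on each timeout and `If zero, DefaultMaxIdleConnsPerHost is used.` on maxIdleConnsPerHost, or state the effective default Traefik applies instead. If this YAML is generated from the Go struct comments, the wording belongs in the corresponding Go source rather than here.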
@@ -77,7 +81,7 @@ spec: - type: string description: ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received - on the HTTP/2 connection. If zero, no health check is performed. + on the HTTP/2 connection. x-kubernetes-int-or-string: true responseHeaderTimeout: anyOf: @@ -85,27 +89,29 @@ spec: - type: string description: ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request - (including its body, if any). If zero, no timeout exists. + (including its body, if any). x-kubernetes-int-or-string: true type: object insecureSkipVerify: - description: Disable SSL certificate verification. + description: InsecureSkipVerify disables SSL certificate verification. type: boolean maxIdleConnsPerHost: - description: If non-zero, controls the maximum idle (keep-alive) to - keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. type: integer peerCertURI: - description: URI used to match against SAN URI during the peer certificate - verification. + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. type: string rootCAsSecrets: - description: Add cert file for self-signed certificate. + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. items: type: string type: array serverName: - description: ServerName used to contact the server. + description: ServerName defines the server name used to contact the + server. type: string type: object required: diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml index 40e813de1..6b20b9ba3 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml 
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml @@ -19,7 +19,9 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TLSOption is a specification for a TLSOption resource. + description: 'TLSOption is the CRD implementation of a Traefik TLS Option, + allowing to configure some parameters of the TLS connection. More info: + https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,19 +36,24 @@ spec: metadata: type: object spec: - description: TLSOptionSpec configures TLS for an entry point. + description: TLSOptionSpec defines the desired state of a TLSOption. properties: alpnProtocols: + description: 'ALPNProtocols defines the list of supported application + level protocols for the TLS handshake, in order of preference. More + info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols' items: type: string type: array cipherSuites: + description: 'CipherSuites defines the list of supported cipher suites + for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites' items: type: string type: array clientAuth: - description: ClientAuth defines the parameters of the client authentication - part of the TLS connection, if any. + description: ClientAuth defines the server's policy for TLS Client + Authentication. properties: clientAuthType: description: ClientAuthType defines the client authentication 
@@ -59,23 +66,36 @@ spec: - RequireAndVerifyClientCert type: string secretNames: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. items: type: string type: array type: object curvePreferences: + description: 'CurvePreferences defines the preferred elliptic curves + in a specific order. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences' items: type: string type: array maxVersion: + description: 'MaxVersion defines the maximum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: None.' type: string minVersion: + description: 'MinVersion defines the minimum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: VersionTLS10.' type: string preferServerCipherSuites: + description: PreferServerCipherSuites defines whether the server chooses + a cipher suite among his own instead of among the client's. It is + enabled automatically when minVersion or maxVersion are set. type: boolean sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. type: boolean type: object required: diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml index eef5f1f77..7d8ec0f5c 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml 
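Review bot: The new sniStrict description reads as if `true` permits connections that carry no server_name extension, whereas strict SNI checking is the mode that refuses them; as written an operator could set the flag the wrong way round, and "clients connections" is also a typo. Suggested wording: `SniStrict defines whether Traefik refuses connections from clients that do not specify a server_name extension.` The minVersion text states `Default: VersionTLS10`; since that tells operators legacy TLS is accepted out of the box, it is worth confirming against the default TLS options in code before publishing.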
@@ -19,7 +19,10 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TLSStore is a specification for a TLSStore resource. + description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For + the time being, only the TLSStore named default is supported. This means + that you cannot have two stores that are named default in different Kubernetes + namespaces. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -34,11 +37,10 @@ spec: metadata: type: object spec: - description: TLSStoreSpec configures a TLSStore resource. + description: TLSStoreSpec defines the desired state of a TLSStore. properties: defaultCertificate: - description: DefaultCertificate holds a secret name for the TLSOption - resource. + description: DefaultCertificate defines the default certificate configuration. properties: secretName: description: SecretName is the name of the referenced Kubernetes diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml index 61f2aa93c..b312ee117 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml 
@@ -19,10 +19,9 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TraefikService is the specification for a service (that an IngressRoute - refers to) that is usually not a terminal service (i.e. not a pod of servers), - as opposed to a Kubernetes Service. That is to say, it usually refers to - other (children) services, which themselves can be TraefikServices or Services. + description: 'TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: - Apply weight to Services on load-balancing - + Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -37,220 +36,332 @@ spec: metadata: type: object spec: - description: ServiceSpec defines whether a TraefikService is a load-balancer - of services or a mirroring service. + description: TraefikServiceSpec defines the desired state of a TraefikService. properties: mirroring: - description: Mirroring defines a mirroring service, which is composed - of a main load-balancer, and a list of mirrors. + description: Mirroring defines the Mirroring service configuration. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string maxBodySize: + description: MaxBodySize defines the maximum size allowed for + the body of the request. If the body is larger, the request + is not mirrored. Default value is -1, which means unlimited + size. format: int64 type: integer mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. items: - description: MirrorService defines one of the mirrors of a Mirroring - service. + description: MirrorService holds the mirror configuration. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. 
type: boolean percent: + description: 'Percent defines the part of the traffic to + mirror. Supported values: 0 to 100.' type: integer port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. 
type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object type: array name: - description: Name is a reference to a Kubernetes Service object - (for a load-balancer of servers), or to a TraefikService object - (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the two + is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host header + is forwarded to the upstream Kubernetes Service. By default, + passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. This + can be a reference to a named port. 
x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for the forward - of the response. + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. properties: flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https when + Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based on - cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. 
More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy between + the servers. RoundRobin is the only supported value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be specified + when Name references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). type: integer required: - name type: object weighted: - description: WeightedRoundRobin defines a load-balancer of services. + description: Weighted defines the Weighted Round Robin configuration. properties: services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. items: - description: Service defines an upstream to proxy traffic. + description: Service defines an upstream HTTP service to proxy + traffic to. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. 
type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. 
properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object type: array sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing' properties: cookie: - description: Cookie holds the sticky configuration based on - cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. 
More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). type: boolean type: object type: object diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md index 809b51637..1f55b9ed8 100644 --- a/docs/content/routing/providers/kubernetes-crd.md +++ b/docs/content/routing/providers/kubernetes-crd.md 
@@ -298,10 +298,10 @@ You can find an excerpt of the available custom resources in the table below: | Kind | Purpose | Concept Behind | |--------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------| | [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) | -| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) | +| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) | | [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) | | [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) | -| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) | +| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) | | [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) | | [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) | | [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) | 
@@ -583,6 +583,62 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne - port: 80 ``` +#### Load Balancing + +More information in the dedicated server [load balancing](../services/index.md#load-balancing) section. + +!!! info "Declaring and using Kubernetes Service Load Balancing" + + ```yaml tab="IngressRoute" + apiVersion: traefik.containo.us/v1alpha1 + kind: IngressRoute + metadata: + name: ingressroutebar + namespace: default + + spec: + entryPoints: + - web + routes: + - match: Host(`example.com`) && PathPrefix(`/foo`) + kind: Rule + services: + - name: svc1 + namespace: default + - name: svc2 + namespace: default + ``` + + ```yaml tab="K8s Service" + apiVersion: v1 + kind: Service + metadata: + name: svc1 + namespace: default + + spec: + ports: + - name: http + port: 80 + selector: + app: traefiklabs + task: app1 + --- + apiVersion: v1 + kind: Service + metadata: + name: svc2 + namespace: default + + spec: + ports: + - name: http + port: 80 + selector: + app: traefiklabs + task: app2 + ``` + ### Kind: `Middleware` `Middleware` is the CRD implementation of a [Traefik middleware](../../middlewares/http/overview.md). @@ -642,7 +698,7 @@ More information about available middlewares in the dedicated [middlewares secti Register the `TraefikService` [kind](../../reference/dynamic-configuration/kubernetes-crd.md#definitions) in the Kubernetes cluster before creating `TraefikService` objects, referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or recursively in others `TraefikService` objects. -!!! info "Disambiguate Traefik and Kubernetes Services " +!!! info "Disambiguate Traefik and Kubernetes Services" As the field `name` can reference different types of objects, use the field `kind` to avoid any ambiguity. 
@@ -653,65 +709,8 @@ referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or rec `TraefikService` object allows to use any (valid) combinations of: -* servers [load balancing](#server-load-balancing). -* services [Weighted Round Robin](#weighted-round-robin) load balancing. -* services [mirroring](#mirroring). - -#### Server Load Balancing - -More information in the dedicated server [load balancing](../services/index.md#load-balancing) section. - -??? "Declaring and Using Server Load Balancing" - - ```yaml tab="IngressRoute" - apiVersion: traefik.containo.us/v1alpha1 - kind: IngressRoute - metadata: - name: ingressroutebar - namespace: default - - spec: - entryPoints: - - web - routes: - - match: Host(`example.com`) && PathPrefix(`/foo`) - kind: Rule - services: - - name: svc1 - namespace: default - - name: svc2 - namespace: default - ``` - - ```yaml tab="K8s Service" - apiVersion: v1 - kind: Service - metadata: - name: svc1 - namespace: default - - spec: - ports: - - name: http - port: 80 - selector: - app: traefiklabs - task: app1 - --- - apiVersion: v1 - kind: Service - metadata: - name: svc2 - namespace: default - - spec: - ports: - - name: http - port: 80 - selector: - app: traefiklabs - task: app2 - ``` +* [Weighted Round Robin](#weighted-round-robin) load balancing. +* [Mirroring](#mirroring). #### Weighted Round Robin @@ -1074,7 +1073,7 @@ and there is a second level because each whoami service is a `replicaset` and is assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service. -### Kind `IngressRouteTCP` +### Kind: `IngressRouteTCP` `IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../routers/index.md#configuring-tcp-routers). 
@@ -1327,7 +1326,7 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern More information about available TCP middlewares in the dedicated [middlewares section](../../middlewares/tcp/overview.md). -### Kind `IngressRouteUDP` +### Kind: `IngressRouteUDP` `IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../routers/index.md#configuring-udp-routers). @@ -1616,9 +1615,8 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres !!! important "Default TLS Store" Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores). - This means that if you have two stores that are named default in different kubernetes namespaces, - they may be randomly chosen. - For the time being, please only configure one TLSSTore named default. + This means that you cannot have two stores that are named default in different Kubernetes namespaces. + For the time being, please only configure one TLSStore named default. !!! info "TLSStore Attributes" diff --git a/docs/content/user-guides/crd-acme/05-tlsoption.yml b/docs/content/user-guides/crd-acme/05-tlsoption.yml new file mode 100644 index 000000000..f29d9bcd7 --- /dev/null +++ b/docs/content/user-guides/crd-acme/05-tlsoption.yml @@ -0,0 +1,17 @@ +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: default +spec: + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2 + - TLS_AES_256_GCM_SHA384 # TLS 1.3 + - TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3 + curvePreferences: + - CurveP521 + - CurveP384 + sniStrict: true diff --git a/docs/content/user-guides/crd-acme/index.md b/docs/content/user-guides/crd-acme/index.md index 91079bbd7..bc3142108 100644 --- a/docs/content/user-guides/crd-acme/index.md +++ b/docs/content/user-guides/crd-acme/index.md 
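Review bot: The TLS 1.2 entries in `cipherSuites` are all `TLS_ECDHE_RSA_*`, so a server certificate with an ECDSA key would have no TLS 1.2 suite left to negotiate; unless the guide deliberately assumes RSA certificates, add the ECDSA counterparts `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`. The two entries commented `# TLS 1.3` are accepted but have no effect, because Go's crypto/tls does not allow TLS 1.3 cipher suites to be restricted; the comment should say so rather than suggest they are enforced. `curvePreferences` lists only `CurveP521` and `CurveP384`, omitting `X25519` and `CurveP256`, which are what most clients offer first, and P-521 is noticeably more expensive per handshake; if this is an intentional hardening choice for the guide, a one-line comment explaining the interoperability trade-off would help readers who copy the file.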
@@ -44,20 +44,25 @@ Let's now have a look (in the order they should be applied, if using `kubectl ap ### IngressRoute Definition -First, the definition of the `IngressRoute` and the `Middleware` kinds. -Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on. +First, you will need to install Traefik CRDs containing the definition of the `IngressRoute` and the `Middleware` kinds, +and the RBAC authorization resources which will be referenced through the `serviceAccountName` of the deployment. -```yaml ---8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" +```bash +# Install Traefik Resource Definitions: +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml ---- ---8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" +# Install RBAC for Traefik: +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml ``` ### Services Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami). +```bash +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/02-services.yml +``` + ```yaml --8<-- "content/user-guides/crd-acme/02-services.yml" ``` @@ -67,6 +72,10 @@ Then, the services. One for Traefik itself, and one for the app it routes for, i Next, the deployments, i.e. the actual pods behind the services. Again, one pod for Traefik, and one for the whoami app. +```bash +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/03-deployments.yml +``` + ```yaml --8<-- "content/user-guides/crd-acme/03-deployments.yml" ``` 
@@ -91,7 +100,7 @@ Look it up. We can now finally apply the actual ingressRoutes, with: ```bash -kubectl apply -f 04-ingressroutes.yml +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/04-ingressroutes.yml ``` ```yaml @@ -110,3 +119,16 @@ curl http://your.example.com:8000/notls ``` Note that you'll have to use `-k` as long as you're using the staging server of Let's Encrypt, since it is not an authorized certificate authority on systems where it hasn't been manually added. + +### Force TLS v1.2+ + +Nowadays, TLS v1.0 and v1.1 are deprecated. +In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption: + +```bash +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/05-tlsoption.yml +``` + +```yaml +--8<-- "content/user-guides/crd-acme/05-tlsoption.yml" +``` diff --git a/integration/fixtures/k8s/01-traefik-crd.yml b/integration/fixtures/k8s/01-traefik-crd.yml index 51c471a3d..6dfff51b9 100644 --- a/integration/fixtures/k8s/01-traefik-crd.yml +++ b/integration/fixtures/k8s/01-traefik-crd.yml @@ -19,7 +19,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRoute is an Ingress CRD specification. + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -34,96 +34,151 @@ spec: metadata: type: object spec: - description: IngressRouteSpec is a specification for a IngressRouteSpec - resource. + description: IngressRouteSpec defines the desired state of IngressRoute. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: Route contains the set of routes. + description: Route holds the HTTP route configuration. properties: kind: + description: Kind defines the kind of the route. Rule is the + only supported kind. enum: - Rule type: string match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule' type: string middlewares: + description: 'Middlewares defines the list of references to + Middleware resources. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware' items: - description: MiddlewareRef is a ref to the Middleware resources. + description: MiddlewareRef is a reference to a Middleware + resource. properties: name: + description: Name defines the name of the referenced Middleware + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. type: string required: - name type: object type: array priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority' type: integer services: + description: Services defines the list of Service. It can contain + any combination of TraefikService and/or reference to a Kubernetes + Service. items: - description: Service defines an upstream to proxy traffic. 
+ description: Service defines an upstream HTTP service to proxy + traffic to. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The - differentiation between the two is specified in the - Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client + Host header is forwarded to the upstream Kubernetes + Service. By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. properties: flushInterval: + description: 'FlushInterval defines the interval, + in milliseconds, in between flushes to the client + while copying the response body. A negative value + means to flush immediately after each write to the + client. This configuration is ignored when ReverseProxy + recognizes a response as a streaming response; for + such responses, writes are flushed to the client + immediately. Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the + request to the upstream Kubernetes Service. 
It defaults + to https when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration - based on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name - references a TraefikService object (and to be precise, - one that embeds a Weighted Round Robin). + description: Weight defines the weight and should only + be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round + Robin). type: integer required: - name 
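Review bot: The new descriptions for `secure` and `httpOnly` under `sticky.cookie` explain what each flag does but not its default, while sibling fields in the same hunk (`passHostHeader`, `flushInterval`) state theirs; since a session cookie that is neither Secure nor HttpOnly is the weaker configuration, make the default explicit, e.g. `Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). Default: false.` (presumably false, as for other unset booleans — confirm against the Go struct). The same text appears in the `kubernetes-crd-definition-v1.yml` hunk above, and given `script/code-gen.sh` in the diffstat these descriptions look generated from the Go field comments in `pkg/config/dynamic`, so the wording change belongs there. `sameSite` is typed as a free `string`; if the Go type only honours a fixed set of values, an `enum` in the schema would let the API server reject typos instead of silently falling back.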
@@ -135,14 +190,16 @@ spec: type: object type: array tls: - description: "TLS contains the TLS certificates configuration of the - routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in - YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: - # block format" + description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls' properties: certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' type: string domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' items: description: Domain holds a domain name with SANs. properties: @@ -155,12 +212,17 @@ spec: type: object type: array options: - description: Options is a reference to a TLSOption, that specifies - the parameters of the TLS connection. + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: name: + description: 'Name defines the name of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' type: string namespace: + description: 'Namespace defines the namespace of the referenced + TLSOption. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption' type: string required: - name 
@@ -170,12 +232,17 @@ spec: Secret to specify the certificate details. type: string store: - description: Store is a reference to a TLSStore, that specifies - the parameters of the TLS store. + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. properties: name: + description: 'Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' type: string namespace: + description: 'Namespace defines the namespace of the referenced + TLSStore. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore' type: string required: - name @@ -217,7 +284,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRouteTCP is an Ingress CRD specification. + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -232,58 +299,89 @@ spec: metadata: type: object spec: - description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec - resource. + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: RouteTCP contains the set of routes. + description: RouteTCP holds the TCP route configuration. properties: match: + description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1' type: string middlewares: - description: Middlewares contains references to MiddlewareTCP + description: Middlewares defines the list of references to MiddlewareTCP resources. items: description: ObjectReference is a generic reference to a Traefik resource. properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name type: object type: array priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1' type: integer services: + description: Services defines the list of TCP services. items: - description: ServiceTCP defines an upstream to proxy traffic. + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. properties: name: + description: Name defines the name of the referenced Kubernetes + Service. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. 
type: string port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true proxyProtocol: - description: ProxyProtocol holds the ProxyProtocol configuration. + description: 'ProxyProtocol defines the PROXY protocol + configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol' properties: version: + description: Version defines the PROXY Protocol version + to use. type: integer type: object terminationDelay: + description: TerminationDelay defines the deadline that + the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, + to close the reading capability as well, hence fully + terminating the connection. It is a duration in milliseconds, + defaulting to 100. A negative value means an infinite + deadline (i.e. the reading capability is never closed). type: integer weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. type: integer required: - name 
@@ -295,14 +393,17 @@ spec: type: object type: array tls: - description: "TLSTCP contains the TLS certificates configuration of - the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. - in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: - # block format" + description: 'TLS defines the TLS configuration on a layer 4 / TCP + Route. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1' properties: certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers' type: string domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains' items: description: Domain holds a domain name with SANs. properties: 
@@ -315,29 +416,41 @@ spec: type: object type: array options: - description: Options is a reference to a TLSOption, that specifies - the parameters of the TLS connection. + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name type: object passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. type: boolean secretName: description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. type: string store: - description: Store is a reference to a TLSStore, that specifies - the parameters of the TLS store. + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. properties: name: + description: Name defines the name of the referenced Traefik + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. type: string required: - name @@ -379,7 +492,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: IngressRouteUDP is an Ingress CRD specification. + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -394,31 +507,45 @@ spec: metadata: type: object spec: - description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec - resource. + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. properties: entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/ + Default: all.' items: type: string type: array routes: + description: Routes defines the list of routes. items: - description: RouteUDP contains the set of routes. + description: RouteUDP holds the UDP route configuration. properties: services: + description: Services defines the list of UDP services. items: - description: ServiceUDP defines an upstream to proxy traffic. + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. properties: name: + description: Name defines the name of the referenced Kubernetes + Service. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. type: string port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. type: integer required: - name @@ -463,7 +590,8 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Middleware is a specification for a Middleware resource. + description: 'Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -478,54 +606,99 @@ spec: metadata: type: object spec: - description: MiddlewareSpec holds the Middleware configuration. + description: MiddlewareSpec defines the desired state of a Middleware. properties: addPrefix: - description: AddPrefix holds the AddPrefix configuration. + description: 'AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding + it. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/' properties: prefix: + description: Prefix is the string to add before the current path + in the requested URL. It should include a leading slash (/). type: string type: object basicAuth: - description: BasicAuth holds the HTTP basic authentication configuration. + description: 'BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/' properties: headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' type: string realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' type: string removeHeader: + description: 'RemoveHeader sets the removeHeader option to true + to remove the authorization header before forwarding the request + to your service. Default: false.' type: boolean secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. type: string type: object buffering: - description: Buffering holds the request/response buffering configuration. + description: 'Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can + be forwarded to backends. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes' properties: maxRequestBodyBytes: + description: 'MaxRequestBodyBytes defines the maximum allowed + body size for the request (in bytes). If the request exceeds + the allowed size, it is not forwarded to the service, and the + client gets a 413 (Request Entity Too Large) response. Default: + 0 (no maximum).' format: int64 type: integer maxResponseBodyBytes: + description: 'MaxResponseBodyBytes defines the maximum allowed + response size from the service (in bytes). If the response exceeds + the allowed size, it is not forwarded to the client. The client + gets a 500 (Internal Server Error) response instead. Default: + 0 (no maximum).' format: int64 type: integer memRequestBodyBytes: + description: 'MemRequestBodyBytes defines the threshold (in bytes) + from which the request will be buffered on disk instead of in + memory. Default: 1048576 (1Mi).' format: int64 type: integer memResponseBodyBytes: + description: 'MemResponseBodyBytes defines the threshold (in bytes) + from which the response will be buffered on disk instead of + in memory. Default: 1048576 (1Mi).' format: int64 type: integer retryExpression: + description: 'RetryExpression defines the retry conditions. It + is a logical combination of functions with operators AND (&&) + and OR (||). More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression' type: string type: object chain: - description: Chain holds a chain of middlewares. + description: 'Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other + pieces of middleware. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/' properties: middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. items: - description: MiddlewareRef is a ref to the Middleware resources. 
+ description: MiddlewareRef is a reference to a Middleware resource. properties: name: + description: Name defines the name of the referenced Middleware + resource. type: string namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. type: string required: - name 
@@ -533,165 +706,261 @@ spec: type: array type: object circuitBreaker: - description: CircuitBreaker holds the circuit breaker configuration. + description: 'CircuitBreaker holds the circuit breaker middleware + configuration. This middleware protects the system from stacking + requests to unhealthy services, resulting in cascading failures. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/' properties: expression: + description: Expression defines the expression that, once matched, + opens the circuit breaker and applies the fallback mechanism + instead of calling the services. type: string type: object compress: - description: Compress holds the compress configuration. + description: 'Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the + client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/' properties: excludedContentTypes: + description: ExcludedContentTypes defines the list of content + types to compare the Content-Type header of the incoming requests + and responses before compressing. items: type: string type: array minResponseBodyBytes: + description: 'MinResponseBodyBytes defines the minimum amount + of bytes a response body must have to be compressed. Default: + 1024.' type: integer type: object contentType: - description: ContentType middleware - or rather its unique `autoDetect` - option - specifies whether to let the `Content-Type` header, if - it has not been set by the backend, be automatically set to a value - derived from the contents of the response. As a proxy, the default - behavior should be to leave the header alone, regardless of what - the backend did with it. However, the historic default was to always - auto-detect and set the header if it was nil, and it is going to - be kept that way in order to support users currently relying on - it. 
This middleware exists to enable the correct behavior until - at least the default one can be changed in a future version. + description: ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least + the default one can be changed in a future version. properties: autoDetect: + description: AutoDetect specifies whether to let the `Content-Type` + header, if it has not been set by the backend, be automatically + set to a value derived from the contents of the response. As + a proxy, the default behavior should be to leave the header + alone, regardless of what the backend did with it. However, + the historic default was to always auto-detect and set the header + if it was nil, and it is going to be kept that way in order + to support users currently relying on it. type: boolean type: object digestAuth: - description: DigestAuth holds the Digest HTTP authentication configuration. + description: 'DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/' properties: headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield' type: string realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' type: string removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. type: boolean secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. type: string type: object errors: - description: ErrorPage holds the custom error page configuration. 
+ description: 'ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according + to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/' properties: query: + description: Query defines the URL for the error page (hosted + by service). The {status} variable can be used in order to insert + the status code in the URL. type: string service: - description: Service defines an upstream to proxy traffic. + description: 'Service defines the reference to a Kubernetes Service + that will serve the error page. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service' properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service object - (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the + two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for the - forward of the response. 
+ description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming + response; for such responses, writes are flushed to + the client immediately. Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes + Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). 
type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported value + at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object (and + to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object status: + description: Status defines which status or range of statuses + should result in an error page. It can be either a status code + as a number (500), as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), or + a combination of the two (404,418,500-599). items: type: string type: array type: object forwardAuth: - description: ForwardAuth holds the http forward authentication configuration. + description: 'ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/' properties: address: + description: Address defines the authentication server address. type: string authRequestHeaders: + description: AuthRequestHeaders defines the list of the headers + to copy from the request to the authentication server. If not + set or empty then all request headers are passed. items: type: string type: array authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. 
items: type: string type: array authResponseHeadersRegex: + description: 'AuthResponseHeadersRegex defines the regex to match + headers to copy from the authentication server response and + set on forwarded request, after stripping all headers that match + the regex. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex' type: string tls: - description: ClientTLS holds TLS specific configurations as client. + description: TLS defines the configuration used to secure the + connection to the authentication server. properties: caOptional: type: boolean caSecret: + description: CASecret is the name of the referenced Kubernetes + Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. type: string certSecret: + description: CertSecret is the name of the referenced Kubernetes + Secret containing the client certificate. The client certificate + is extracted from the keys `tls.crt` and `tls.key`. type: string insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. type: boolean type: object trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' type: boolean type: object headers: - description: Headers holds the custom header configuration. + description: 'Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders' properties: accessControlAllowCredentials: - description: AccessControlAllowCredentials is only valid if true. - false is ignored. + description: AccessControlAllowCredentials defines whether the + request can include user credentials. 
type: boolean accessControlAllowHeaders: - description: AccessControlAllowHeaders must be used in response - to a preflight request with Access-Control-Request-Headers set. + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. items: type: string type: array accessControlAllowMethods: - description: AccessControlAllowMethods must be used in response - to a preflight request with Access-Control-Request-Method set. + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. items: type: string type: array 
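Review bot: The new description for forwardAuth.tls.insecureSkipVerify, `InsecureSkipVerify defines whether the server certificates should be validated`, states the opposite of what the field does: true skips verification, and the serversTransport text in this same patch already says so (`InsecureSkipVerify disables SSL certificate verification`). A reader skimming the CRD would take `true` to mean "validate", which is the wrong default to nudge toward for a connection that carries authentication decisions; suggest `InsecureSkipVerify defines whether the server certificate verification is skipped. When true, the certificate presented by the authentication server is not validated.` In the same tls block, `caOptional` is the only property left without a description. Since these descriptions look generated from the Go type comments, the fix presumably belongs there rather than in the YAML.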
@@ -708,60 +977,96 @@ spec: type: string type: array accessControlExposeHeaders: - description: AccessControlExposeHeaders sets valid headers for - the response. + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. items: type: string type: array accessControlMaxAge: - description: AccessControlMaxAge sets the time that a preflight + description: AccessControlMaxAge defines the time that a preflight request may be cached. format: int64 type: integer addVaryHeader: - description: AddVaryHeader controls if the Vary header is automatically - added/updated when the AccessControlAllowOriginList is set. + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. type: boolean allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. items: type: string type: array browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. type: boolean contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. type: string contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. type: boolean customBrowserXSSValue: + description: CustomBrowserXSSValue defines the X-XSS-Protection + header value. This overrides the BrowserXssFilter option. type: string customFrameOptionsValue: + description: CustomFrameOptionsValue defines the X-Frame-Options + header value. This overrides the FrameDeny option. type: string customRequestHeaders: additionalProperties: type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. 
type: object customResponseHeaders: additionalProperties: type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. type: object featurePolicy: description: 'Deprecated: use PermissionsPolicy instead.' type: string forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. type: boolean frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. type: boolean hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. items: type: string type: array isDevelopment: + description: IsDevelopment defines whether to mitigate the unwanted + effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, + not your production domain. If you would like your development + environment to mimic production with complete Host blocking, + SSL redirects, and STS headers, leave this as false. type: boolean permissionsPolicy: + description: PermissionsPolicy defines the Permissions-Policy + header value. This allows sites to control browser features. type: string publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. type: string referrerPolicy: + description: ReferrerPolicy defines the Referrer-Policy header + value. This allows sites to control whether browsers forward + the Referer header to other sites. type: string sslForceHost: description: 'Deprecated: use RedirectRegex instead.' 
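Review bot: `AccessControlExposeHeaders defines the Access-Control-Expose-Headers values sent in preflight response` is inaccurate: Access-Control-Expose-Headers is sent on the actual CORS response, not the preflight, to tell the browser which response headers a script may read; suggest `AccessControlExposeHeaders defines the Access-Control-Expose-Headers values sent in response to a CORS request.` The new text for accessControlMaxAge gives no unit; presumably seconds, as for the Access-Control-Max-Age header, but that should be confirmed against the implementation and stated. The publicKey description presents HPKP as the mechanism in use; given that mainstream browsers have dropped HPKP support, a short note that the option is legacy would stop users relying on it as a MITM control.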
@@ -772,6 +1077,10 @@ spec: sslProxyHeaders: additionalProperties: type: string + description: 'SSLProxyHeaders defines the header keys with associated + values that would indicate a valid HTTPS request. It can be + useful when using other proxies (example: "X-Forwarded-Proto": + "https").' type: object sslRedirect: description: 'Deprecated: use EntryPoint redirection or RedirectScheme 
@@ -782,119 +1091,192 @@ spec: instead.' type: boolean stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. type: boolean stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. type: boolean stsSeconds: + description: STSSeconds defines the max-age of the Strict-Transport-Security + header. If set to 0, the header is not set. format: int64 type: integer type: object inFlightReq: - description: InFlightReq limits the number of requests being processed - and served concurrently. + description: 'InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and + served concurrently. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/' properties: amount: + description: Amount defines the maximum amount of allowed simultaneous + in-flight request. The middleware responds with HTTP 429 Too + Many Requests if there are already amount requests in progress + (based on the same sourceCriterion strategy). format: int64 type: integer sourceCriterion: - description: SourceCriterion defines what criterion is used to - group requests as originating from a common source. If none - are set, the default is to use the request's remote address - field. All fields are mutually exclusive. + description: 'SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. More + info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion' properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. 
+ description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. items: type: string type: array type: object requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. type: string requestHost: + description: RequestHost defines whether to consider the request + Host as the source. type: boolean type: object type: object ipWhiteList: - description: IPWhiteList holds the ip white list configuration. + description: 'IPWhiteList holds the IP whitelist middleware configuration. + This middleware accepts / refuses requests based on the client IP. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/' properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. + description: 'IPStrategy holds the IP strategy configuration used + by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. items: type: string type: array type: object sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). 
items: type: string type: array type: object passTLSClientCert: - description: PassTLSClientCert holds the TLS client cert headers configuration. + description: 'PassTLSClientCert holds the pass TLS client cert middleware + configuration. This middleware adds the selected data from the passed + client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/' properties: info: - description: TLSClientCertificateInfo holds the client TLS certificate - info configuration. + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: issuer: - description: TLSClientCertificateIssuerDNInfo holds the client - TLS certificate distinguished name info configuration. cf - https://tools.ietf.org/html/rfc3739 + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. type: boolean country: + description: Country defines whether to add the country + information into the issuer. type: boolean domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. type: boolean locality: + description: Locality defines whether to add the locality + information into the issuer. type: boolean organization: + description: Organization defines whether to add the organization + information into the issuer. type: boolean province: + description: Province defines whether to add the province + information into the issuer. type: boolean serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. type: boolean type: object notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. 
type: boolean notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. type: boolean sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. type: boolean serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. type: boolean subject: - description: TLSClientCertificateSubjectDNInfo holds the client - TLS certificate distinguished name info configuration. cf - https://tools.ietf.org/html/rfc3739 + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. properties: commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. type: boolean country: + description: Country defines whether to add the country + information into the subject. type: boolean domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. type: boolean locality: + description: Locality defines whether to add the locality + information into the subject. type: boolean organization: + description: Organization defines whether to add the organization + information into the subject. type: boolean organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. type: boolean province: + description: Province defines whether to add the province + information into the subject. type: boolean serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. type: boolean type: object type: object pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the escaped certificate. type: boolean type: object plugin: 
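Review bot: Both new commonName descriptions in passTLSClientCert.info are copy-paste errors: under issuer, `CommonName defines whether to add the organizationalUnit information into the issuer`, and under subject, `CommonName defines whether to add the organizationalUnit information into the subject`. They should read `CommonName defines whether to add the commonName information into the issuer.` and `... into the subject.` respectively; as written, a user enabling commonName would expect OU data in the X-Forwarded-Tls-Client-Cert-Info header.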
@@ -902,101 +1284,171 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object rateLimit: - description: RateLimit holds the rate limiting configuration for a - given router. + description: 'RateLimit holds the rate limit configuration. This middleware + ensures that services will receive a fair amount of requests, and + allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/' properties: average: + description: Average is the maximum rate, by default in requests/s, + allowed for the given source. It defaults to 0, which means + no rate limiting. The rate is actually defined by dividing Average + by Period. So for a rate below 1req/s, one needs to define a + Period larger than a second. format: int64 type: integer burst: + description: Burst is the maximum number of requests allowed to + arrive in the same arbitrarily small period of time. It defaults + to 1. format: int64 type: integer period: anyOf: - type: integer - type: string + description: 'Period, in combination with Average, defines the + actual maximum rate, such as: r = Average / Period. It defaults + to a second.' x-kubernetes-int-or-string: true sourceCriterion: description: SourceCriterion defines what criterion is used to - group requests as originating from a common source. If none - are set, the default is to use the request's remote address - field. All fields are mutually exclusive. + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote + address field (as an ipStrategy). properties: ipStrategy: - description: IPStrategy holds the ip strategy configuration. + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy' properties: depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). type: integer excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. items: type: string type: array type: object requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. type: string requestHost: + description: RequestHost defines whether to consider the request + Host as the source. type: boolean type: object type: object redirectRegex: - description: RedirectRegex holds the redirection configuration. + description: 'RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex' properties: permanent: + description: Permanent defines whether the redirection is permanent + (301). type: boolean regex: + description: Regex defines the regex used to match and capture + elements from the request URL. type: string replacement: + description: Replacement defines how to modify the URL to have + the new target URL. type: string type: object redirectScheme: - description: RedirectScheme holds the scheme redirection configuration. + description: 'RedirectScheme holds the redirect scheme middleware + configuration. This middleware redirects requests from a scheme/port + to another. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/' properties: permanent: + description: Permanent defines whether the redirection is permanent + (301). type: boolean port: + description: Port defines the port of the new URL. type: string scheme: + description: Scheme defines the scheme of the new URL. 
type: string type: object replacePath: - description: ReplacePath holds the ReplacePath configuration. + description: 'ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the + original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/' properties: path: + description: Path defines the path to use as replacement in the + request URL. type: string type: object replacePathRegex: - description: ReplacePathRegex holds the ReplacePathRegex configuration. + description: 'ReplacePathRegex holds the replace path regex middleware + configuration. This middleware replaces the path of a URL using + regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/' properties: regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. type: string replacement: + description: Replacement defines the replacement path format, + which can include captured variables. type: string type: object retry: - description: Retry holds the retry configuration. + description: 'Retry holds the retry middleware configuration. This + middleware reissues requests a given number of times to a backend + server if that server does not reply. As soon as the server answers, + the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/' properties: attempts: + description: Attempts defines how many times the request should + be retried. type: integer initialInterval: anyOf: - type: integer - type: string + description: InitialInterval defines the first wait time in the + exponential backoff series. The maximum interval is calculated + as twice the initialInterval. If unspecified, requests will + be retried immediately. 
The value of initialInterval should + be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration. x-kubernetes-int-or-string: true type: object stripPrefix: - description: StripPrefix holds the StripPrefix configuration. + description: 'StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/' properties: forceSlash: + description: 'ForceSlash ensures that the resulting stripped path + is not the empty string, by replacing it with / when necessary. + Default: true.' type: boolean prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. items: type: string type: array type: object stripPrefixRegex: - description: StripPrefixRegex holds the StripPrefixRegex configuration. + description: 'StripPrefixRegex holds the strip prefix regex middleware + configuration. This middleware removes the matching prefixes from + the URL path. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/' properties: regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. items: type: string type: array @@ -1035,7 +1487,8 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: MiddlewareTCP is a specification for a MiddlewareTCP resource. + description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
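Review bot: The replacePath description, `This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header`, needs `stores`. Relatedly, the redirectRegex "More info" link ends in `#regex` while every other middleware link in this patch points at the page root; linking to the page (`.../middlewares/http/redirectregex/`) would keep the set consistent.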
@@ -1050,19 +1503,24 @@ spec: metadata: type: object spec: - description: MiddlewareTCPSpec holds the MiddlewareTCP configuration. + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. properties: inFlightConn: - description: TCPInFlightConn holds the TCP in flight connection configuration. + description: InFlightConn defines the InFlightConn middleware configuration. properties: amount: + description: Amount defines the maximum amount of allowed simultaneous + connections. The middleware closes the connection if there are + already amount connections opened. format: int64 type: integer type: object ipWhiteList: - description: TCPIPWhiteList holds the TCP ip white list configuration. + description: IPWhiteList defines the IPWhiteList middleware configuration. properties: sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). items: type: string type: array @@ -1101,7 +1559,10 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ServersTransport is a specification for a ServersTransport resource. + description: 'ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -1116,27 +1577,28 @@ spec: metadata: type: object spec: - description: ServersTransportSpec options to configure communication between - Traefik and the servers. + description: ServersTransportSpec defines the desired state of a ServersTransport. properties: certificatesSecrets: - description: Certificates for mTLS. + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. items: type: string type: array disableHTTP2: - description: Disable HTTP/2 for connections with backend servers. + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. type: boolean forwardingTimeouts: - description: Timeouts for requests forwarded to the backend servers. + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. properties: dialTimeout: anyOf: - type: integer - type: string description: DialTimeout is the amount of time to wait until a - connection to a backend server can be established. If zero, - no timeout exists. + connection to a backend server can be established. x-kubernetes-int-or-string: true idleConnTimeout: anyOf: @@ -1159,7 +1621,7 @@ spec: - type: string description: ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received - on the HTTP/2 connection. If zero, no health check is performed. + on the HTTP/2 connection. x-kubernetes-int-or-string: true responseHeaderTimeout: anyOf: 
@@ -1167,27 +1629,29 @@ spec: - type: string description: ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request - (including its body, if any). If zero, no timeout exists. + (including its body, if any). x-kubernetes-int-or-string: true type: object insecureSkipVerify: - description: Disable SSL certificate verification. + description: InsecureSkipVerify disables SSL certificate verification. type: boolean maxIdleConnsPerHost: - description: If non-zero, controls the maximum idle (keep-alive) to - keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. type: integer peerCertURI: - description: URI used to match against SAN URI during the peer certificate - verification. + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. type: string rootCAsSecrets: - description: Add cert file for self-signed certificate. + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. items: type: string type: array serverName: - description: ServerName used to contact the server. + description: ServerName defines the server name used to contact the + server. type: string type: object required: @@ -1223,7 +1687,9 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TLSOption is a specification for a TLSOption resource. + description: 'TLSOption is the CRD implementation of a Traefik TLS Option, + allowing to configure some parameters of the TLS connection. More info: + https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -1238,19 +1704,24 @@ spec: metadata: type: object spec: - description: TLSOptionSpec configures TLS for an entry point. + description: TLSOptionSpec defines the desired state of a TLSOption. properties: alpnProtocols: + description: 'ALPNProtocols defines the list of supported application + level protocols for the TLS handshake, in order of preference. More + info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols' items: type: string type: array cipherSuites: + description: 'CipherSuites defines the list of supported cipher suites + for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites' items: type: string type: array clientAuth: - description: ClientAuth defines the parameters of the client authentication - part of the TLS connection, if any. + description: ClientAuth defines the server's policy for TLS Client + Authentication. properties: clientAuthType: description: ClientAuthType defines the client authentication 
@@ -1263,23 +1734,36 @@ spec: - RequireAndVerifyClientCert type: string secretNames: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. items: type: string type: array type: object curvePreferences: + description: 'CurvePreferences defines the preferred elliptic curves + in a specific order. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences' items: type: string type: array maxVersion: + description: 'MaxVersion defines the maximum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: None.' type: string minVersion: + description: 'MinVersion defines the minimum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: VersionTLS10.' type: string preferServerCipherSuites: + description: PreferServerCipherSuites defines whether the server chooses + a cipher suite among his own instead of among the client's. It is + enabled automatically when minVersion or maxVersion are set. type: boolean sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. type: boolean type: object required: @@ -1315,7 +1799,10 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TLSStore is a specification for a TLSStore resource. + description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For + the time being, only the TLSStore named default is supported. This means + that you cannot have two stores that are named default in different Kubernetes + namespaces. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -1330,11 +1817,10 @@ spec: metadata: type: object spec: - description: TLSStoreSpec configures a TLSStore resource. + description: TLSStoreSpec defines the desired state of a TLSStore. properties: defaultCertificate: - description: DefaultCertificate holds a secret name for the TLSOption - resource. + description: DefaultCertificate defines the default certificate configuration. properties: secretName: description: SecretName is the name of the referenced Kubernetes @@ -1379,10 +1865,9 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: TraefikService is the specification for a service (that an IngressRoute - refers to) that is usually not a terminal service (i.e. not a pod of servers), - as opposed to a Kubernetes Service. That is to say, it usually refers to - other (children) services, which themselves can be TraefikServices or Services. + description: 'TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: - Apply weight to Services on load-balancing - + Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -1397,220 +1882,332 @@ spec: metadata: type: object spec: - description: ServiceSpec defines whether a TraefikService is a load-balancer - of services or a mirroring service. + description: TraefikServiceSpec defines the desired state of a TraefikService. properties: mirroring: - description: Mirroring defines a mirroring service, which is composed - of a main load-balancer, and a list of mirrors. + description: Mirroring defines the Mirroring service configuration. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string maxBodySize: + description: MaxBodySize defines the maximum size allowed for + the body of the request. If the body is larger, the request + is not mirrored. Default value is -1, which means unlimited + size. format: int64 type: integer mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. items: - description: MirrorService defines one of the mirrors of a Mirroring - service. + description: MirrorService holds the mirror configuration. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. 
type: boolean percent: + description: 'Percent defines the part of the traffic to + mirror. Supported values: 0 to 100.' type: integer port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. 
type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object type: array name: - description: Name is a reference to a Kubernetes Service object - (for a load-balancer of servers), or to a TraefikService object - (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the two + is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. type: string passHostHeader: + description: PassHostHeader defines whether the client Host header + is forwarded to the upstream Kubernetes Service. By default, + passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. This + can be a reference to a named port. 
x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for the forward - of the response. + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. properties: flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https when + Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based on - cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. 
More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy between + the servers. RoundRobin is the only supported value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be specified + when Name references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). type: integer required: - name type: object weighted: - description: WeightedRoundRobin defines a load-balancer of services. + description: Weighted defines the Weighted Round Robin configuration. properties: services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. items: - description: Service defines an upstream to proxy traffic. + description: Service defines an upstream HTTP service to proxy + traffic to. properties: kind: + description: Kind defines the kind of the Service. enum: - Service - TraefikService type: string name: - description: Name is a reference to a Kubernetes Service - object (for a load-balancer of servers), or to a TraefikService - object (service load-balancer, mirroring, etc). The differentiation - between the two is specified in the Kind field. + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. type: string namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. 
type: string passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. type: boolean port: anyOf: - type: integer - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. x-kubernetes-int-or-string: true responseForwarding: - description: ResponseForwarding holds configuration for - the forward of the response. + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. properties: flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' type: string type: object scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. type: string serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. type: string sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions' properties: cookie: - description: Cookie holds the sticky configuration based - on cookie. + description: Cookie defines the sticky cookie configuration. 
properties: httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). type: boolean type: object type: object strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. type: string weight: - description: Weight should only be specified when Name references - a TraefikService object (and to be precise, one that embeds - a Weighted Round Robin). + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). type: integer required: - name type: object type: array sticky: - description: Sticky holds the sticky configuration. + description: 'Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing' properties: cookie: - description: Cookie holds the sticky configuration based on - cookie. + description: Cookie defines the sticky cookie configuration. properties: httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. type: boolean name: + description: Name defines the Cookie name. type: string sameSite: + description: 'SameSite defines the same site policy. 
More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' type: string secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). type: boolean type: object type: object
diff --git a/pkg/config/dynamic/http_config.go b/pkg/config/dynamic/http_config.go
index e8305e6c8..7cf4f64ff 100644
--- a/pkg/config/dynamic/http_config.go
+++ b/pkg/config/dynamic/http_config.go
@@ -124,6 +124,7 @@ func (w *WRRService) SetDefaults() {
 // Sticky holds the sticky configuration.
 type Sticky struct {
+ // Cookie defines the sticky cookie configuration.
 Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
@@ -131,9 +132,14 @@ type Sticky struct {
 // Cookie holds the sticky configuration based on cookie.
 type Cookie struct {
- Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"`
- Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"`
- HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
+ // Name defines the Cookie name.
+ Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"`
+ // Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
+ Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"`
+ // HTTPOnly defines whether the cookie can be accessed by client-side APIs, such as JavaScript.
+ HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
+ // SameSite defines the same site policy.
+ // More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
 SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"`
 }
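Review bot: The new `Secure` and `HTTPOnly` comments leave out the default, while other comments in this change state it explicitly (`Default: false.` on BasicAuth.RemoveHeader); both are plain `bool` fields with `omitempty`, so an unconfigured sticky cookie is sent without the Secure and HttpOnly attributes, which is exactly the case a reader of these comments most needs to see. I would append `Default: false.` to each: `// Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). Default: false.` and `// HTTPOnly defines whether the cookie can be accessed by client-side APIs, such as JavaScript. Default: false.`. The `SameSite` comment could likewise name the values this string field accepts (presumably the none/lax/strict attribute values from the linked MDN page — confirm against the code that sets the cookie), since the link explains the policy but not the spelling Traefik expects. These comments are also the source of the CRD descriptions earlier in this diff, so the fix propagates there on regeneration.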
@@ -178,8 +184,13 @@ func (l *ServersLoadBalancer) SetDefaults() {
 // +k8s:deepcopy-gen=true
-// ResponseForwarding holds configuration for the forward of the response.
+// ResponseForwarding holds the response forwarding configuration.
 type ResponseForwarding struct {
+ // FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ // A negative value means to flush immediately after each write to the client.
+ // This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ // for such responses, writes are flushed to the client immediately.
+ // Default: 100ms
 FlushInterval string `json:"flushInterval,omitempty" toml:"flushInterval,omitempty" yaml:"flushInterval,omitempty" export:"true"`
 }
diff --git a/pkg/config/dynamic/middlewares.go b/pkg/config/dynamic/middlewares.go
index d4e7d11fd..e97b9d8dd 100644
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
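Review bot: The new `FlushInterval` comment says the value is `in milliseconds` but the field is a `string` and the stated default is `100ms`, which leaves unclear whether a bare number or a Go duration string is expected. Elsewhere in this change the initialInterval description settles the same question with "should be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration"; I would use that wording here once the accepted formats are confirmed against the code that parses this field, e.g. `// FlushInterval defines the interval in between flushes to the client while copying the response body, as a valid duration format (see https://pkg.go.dev/time#ParseDuration).`. The same text is reproduced in the CRD flushInterval descriptions earlier in this diff, so correcting the Go comment and regenerating fixes both.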
@@ -40,153 +40,250 @@ type Middleware struct {
 // +k8s:deepcopy-gen=true
-// ContentType middleware - or rather its unique `autoDetect` option -
-// specifies whether to let the `Content-Type` header,
-// if it has not been set by the backend,
-// be automatically set to a value derived from the contents of the response.
-// As a proxy, the default behavior should be to leave the header alone,
-// regardless of what the backend did with it.
-// However, the historic default was to always auto-detect and set the header if it was nil,
-// and it is going to be kept that way in order to support users currently relying on it.
+// ContentType holds the content-type middleware configuration.
 // This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
 type ContentType struct {
+ // AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
+ // be automatically set to a value derived from the contents of the response.
+ // As a proxy, the default behavior should be to leave the header alone, regardless of what the backend did with it.
+ // However, the historic default was to always auto-detect and set the header if it was nil,
+ // and it is going to be kept that way in order to support users currently relying on it.
 AutoDetect bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// AddPrefix holds the AddPrefix configuration.
+// AddPrefix holds the add prefix middleware configuration.
+// This middleware updates the path of a request before forwarding it.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/
 type AddPrefix struct {
+ // Prefix is the string to add before the current path in the requested URL.
+ // It should include a leading slash (/).
Prefix string `json:"prefix,omitempty" toml:"prefix,omitempty" yaml:"prefix,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// BasicAuth holds the HTTP basic authentication configuration.
+// BasicAuth holds the basic auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/
 type BasicAuth struct {
- Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
- UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
- Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
- RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
- HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
+ // Users is an array of authorized users.
+ // Each user must be declared using the name:hashed-password format.
+ // Tip: Use htpasswd to generate the passwords.
+ Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
+ // UsersFile is the path to an external file that contains the authorized users.
+ UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
+ // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ // Default: traefik.
+ Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
+ // RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
+ // Default: false.
+ RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
+ HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// Buffering holds the request/response buffering configuration.
+// Buffering holds the buffering middleware configuration.
+// This middleware retries or limits the size of requests that can be forwarded to backends.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes
 type Buffering struct {
- MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
- MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
- MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
- MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
- RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
+ // MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
+ // If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
+ // Default: 0 (no maximum).
+ MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
+ // MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
+ // MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
+ // If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
+ // Default: 0 (no maximum).
+ MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
+ // MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
+ // RetryExpression defines the retry conditions.
+ // It is a logical combination of functions with operators AND (&&) and OR (||).
+ // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression
+ RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// Chain holds a chain of middlewares.
+// Chain holds the chain middleware configuration.
+// This middleware enables to define reusable combinations of other pieces of middleware.
 type Chain struct {
+ // Middlewares is the list of middleware names which composes the chain.
Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// CircuitBreaker holds the circuit breaker configuration.
+// CircuitBreaker holds the circuit breaker middleware configuration.
+// This middleware protects the system from stacking requests to unhealthy services, resulting in cascading failures.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/
 type CircuitBreaker struct {
+ // Expression defines the expression that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling the services.
 Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// Compress holds the compress configuration.
+// Compress holds the compress middleware configuration.
+// This middleware compresses responses before sending them to the client, using gzip compression.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/
 type Compress struct {
+ // ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
 ExcludedContentTypes []string `json:"excludedContentTypes,omitempty" toml:"excludedContentTypes,omitempty" yaml:"excludedContentTypes,omitempty" export:"true"`
- MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"`
+ // MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
+ // Default: 1024.
+ MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// DigestAuth holds the Digest HTTP authentication configuration.
+// DigestAuth holds the digest auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/
 type DigestAuth struct {
- Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
- UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
- RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
- Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
- HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
+ // Users defines the authorized users.
+ // Each user should be declared using the name:realm:encoded-password format.
+ Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
+ // UsersFile is the path to an external file that contains the authorized users for the middleware.
+ UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
+ // RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
+ RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
+ // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ // Default: traefik.
+ Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
+ HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// ErrorPage holds the custom error page configuration.
+// ErrorPage holds the custom error middleware configuration.
+// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
 type ErrorPage struct {
- Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
- Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
- Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"`
+ // Status defines which status or range of statuses should result in an error page.
+ // It can be either a status code as a number (500),
+ // as multiple comma-separated numbers (500,502),
+ // as ranges by separating two codes with a dash (500-599),
+ // or a combination of the two (404,418,500-599).
+ Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
+ // Service defines the name of the service that will serve the error page.
+ Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
+ // Query defines the URL for the error page (hosted by service).
+ // The {status} variable can be used in order to insert the status code in the URL.
+ Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// ForwardAuth holds the http forward authentication configuration.
+// ForwardAuth holds the forward auth middleware configuration.
+// This middleware delegates the request authentication to a Service.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/ type ForwardAuth struct { - Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"` - TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"` - TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"` - AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"` - AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"` - AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"` + // Address defines the authentication server address. + Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"` + // TLS defines the configuration used to secure the connection to the authentication server. + TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"` + // TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers. + TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"` + // AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. 
+ AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"` + // AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex. + // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex + AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"` + // AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server. + // If not set or empty then all request headers are passed. + AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// Headers holds the custom header configuration. +// Headers holds the headers middleware configuration. +// This middleware manages the requests and responses headers. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders type Headers struct { - CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"` + // CustomRequestHeaders defines the header names and values to apply to the request. + CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"` + // CustomResponseHeaders defines the header names and values to apply to the response. 
CustomResponseHeaders map[string]string `json:"customResponseHeaders,omitempty" toml:"customResponseHeaders,omitempty" yaml:"customResponseHeaders,omitempty" export:"true"` - // AccessControlAllowCredentials is only valid if true. false is ignored. + // AccessControlAllowCredentials defines whether the request can include user credentials. AccessControlAllowCredentials bool `json:"accessControlAllowCredentials,omitempty" toml:"accessControlAllowCredentials,omitempty" yaml:"accessControlAllowCredentials,omitempty" export:"true"` - // AccessControlAllowHeaders must be used in response to a preflight request with Access-Control-Request-Headers set. + // AccessControlAllowHeaders defines the Access-Control-Request-Headers values sent in preflight response. AccessControlAllowHeaders []string `json:"accessControlAllowHeaders,omitempty" toml:"accessControlAllowHeaders,omitempty" yaml:"accessControlAllowHeaders,omitempty" export:"true"` - // AccessControlAllowMethods must be used in response to a preflight request with Access-Control-Request-Method set. + // AccessControlAllowMethods defines the Access-Control-Request-Method values sent in preflight response. AccessControlAllowMethods []string `json:"accessControlAllowMethods,omitempty" toml:"accessControlAllowMethods,omitempty" yaml:"accessControlAllowMethods,omitempty" export:"true"` // AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*". AccessControlAllowOriginList []string `json:"accessControlAllowOriginList,omitempty" toml:"accessControlAllowOriginList,omitempty" yaml:"accessControlAllowOriginList,omitempty"` // AccessControlAllowOriginListRegex is a list of allowable origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). 
AccessControlAllowOriginListRegex []string `json:"accessControlAllowOriginListRegex,omitempty" toml:"accessControlAllowOriginListRegex,omitempty" yaml:"accessControlAllowOriginListRegex,omitempty"` - // AccessControlExposeHeaders sets valid headers for the response. + // AccessControlExposeHeaders defines the Access-Control-Expose-Headers values sent in preflight response. AccessControlExposeHeaders []string `json:"accessControlExposeHeaders,omitempty" toml:"accessControlExposeHeaders,omitempty" yaml:"accessControlExposeHeaders,omitempty" export:"true"` - // AccessControlMaxAge sets the time that a preflight request may be cached. + // AccessControlMaxAge defines the time that a preflight request may be cached. AccessControlMaxAge int64 `json:"accessControlMaxAge,omitempty" toml:"accessControlMaxAge,omitempty" yaml:"accessControlMaxAge,omitempty" export:"true"` - // AddVaryHeader controls if the Vary header is automatically added/updated when the AccessControlAllowOriginList is set. + // AddVaryHeader defines whether the Vary header is automatically added/updated when the AccessControlAllowOriginList is set. AddVaryHeader bool `json:"addVaryHeader,omitempty" toml:"addVaryHeader,omitempty" yaml:"addVaryHeader,omitempty" export:"true"` - - AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"` + // AllowedHosts defines the fully qualified list of allowed domain names. + AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"` + // HostsProxyHeaders defines the header keys that may hold a proxied hostname value for the request. HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"` // Deprecated: use EntryPoint redirection or RedirectScheme instead. 
SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"` // Deprecated: use EntryPoint redirection or RedirectScheme instead. SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"` // Deprecated: use RedirectRegex instead. - SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"` + SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"` + // SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request. + // It can be useful when using other proxies (example: "X-Forwarded-Proto": "https"). SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"` // Deprecated: use RedirectRegex instead. - SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"` - STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"` - STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"` - STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"` - ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"` - FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"` + SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"` + // STSSeconds defines the max-age of the Strict-Transport-Security header. + // If set to 0, the header is not set. 
+ STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"` + // STSIncludeSubdomains defines whether the includeSubDomains directive is appended to the Strict-Transport-Security header. + STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"` + // STSPreload defines whether the preload flag is appended to the Strict-Transport-Security header. + STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"` + // ForceSTSHeader defines whether to add the STS header even when the connection is HTTP. + ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"` + // FrameDeny defines whether to add the X-Frame-Options header with the DENY value. + FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"` + // CustomFrameOptionsValue defines the X-Frame-Options header value. + // This overrides the FrameDeny option. 
CustomFrameOptionsValue string `json:"customFrameOptionsValue,omitempty" toml:"customFrameOptionsValue,omitempty" yaml:"customFrameOptionsValue,omitempty"` - ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"` - BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"` - CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"` - ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"` - PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"` - ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"` + // ContentTypeNosniff defines whether to add the X-Content-Type-Options header with the nosniff value. + ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"` + // BrowserXSSFilter defines whether to add the X-XSS-Protection header with the value 1; mode=block. + BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"` + // CustomBrowserXSSValue defines the X-XSS-Protection header value. + // This overrides the BrowserXssFilter option. + CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"` + // ContentSecurityPolicy defines the Content-Security-Policy header value. 
+ ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"` + // PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates. + PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"` + // ReferrerPolicy defines the Referrer-Policy header value. + // This allows sites to control whether browsers forward the Referer header to other sites. + ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"` // Deprecated: use PermissionsPolicy instead. - FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"` + FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"` + // PermissionsPolicy defines the Permissions-Policy header value. + // This allows sites to control browser features. PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"` - IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"` + // IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing. + // Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain. + // If you would like your development environment to mimic production with complete Host blocking, SSL redirects, + // and STS headers, leave this as false. + IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"` } // HasCustomHeadersDefined checks to see if any of the custom header elements have been set. 
@@ -235,9 +332,12 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 
 // +k8s:deepcopy-gen=true
 
-// IPStrategy holds the ip strategy configuration.
+// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy
 type IPStrategy struct {
-	Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
+	// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
+	Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
+	// ExcludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.
 	ExcludedIPs []string `json:"excludedIPs,omitempty" toml:"excludedIPs,omitempty" yaml:"excludedIPs,omitempty"`
 	// TODO(mpl): I think we should make RemoteAddr an explicit field. For one thing, it would yield better documentation.
 }
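Review bot: The new Depth comment does not say what a Depth of 0 means, nor what happens when the X-Forwarded-For header holds fewer entries than depth, and it does not state the property that makes the option safe to use: the header is client-supplied, so only the entries appended by proxies you control are trustworthy and depth has to match the number of those proxies. A line such as `// Depth must match the number of trusted proxies in front of Traefik: X-Forwarded-For is client-supplied, so entries beyond the trusted ones can be forged.` would make that explicit, and the same caveat applies to ExcludedIPs, which likewise only makes sense as a list of trusted proxy addresses. IPStrategy.Get, which resolves these fields, is outside this hunk, so the 0/short-header behaviour should be confirmed there before being documented.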
@@ -272,25 +372,40 @@ func (s *IPStrategy) Get() (ip.Strategy, error) { // +k8s:deepcopy-gen=true -// IPWhiteList holds the ip white list configuration. +// IPWhiteList holds the IP whitelist middleware configuration. +// This middleware accepts / refuses requests based on the client IP. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/ type IPWhiteList struct { + // SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation). SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"` IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"` } // +k8s:deepcopy-gen=true -// InFlightReq limits the number of requests being processed and served concurrently. +// InFlightReq holds the in-flight request middleware configuration. +// This middleware limits the number of requests being processed and served concurrently. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/ type InFlightReq struct { - Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"` + // Amount defines the maximum amount of allowed simultaneous in-flight request. + // The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy). + Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"` + // SourceCriterion defines what criterion is used to group requests as originating from a common source. + // If several strategies are defined at the same time, an error will be raised. + // If none are set, the default is to use the requestHost. 
+ // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// PassTLSClientCert holds the TLS client cert headers configuration. +// PassTLSClientCert holds the pass TLS client cert middleware configuration. +// This middleware adds the selected data from the passed client TLS certificate to a header. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/ type PassTLSClientCert struct { - PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"` + // PEM sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate. + PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"` + // Info selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header. Info *TLSClientCertificateInfo `json:"info,omitempty" toml:"info,omitempty" yaml:"info,omitempty" export:"true"` } 
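Review bot: The default stated for InFlightReq.SourceCriterion (`If none are set, the default is to use the requestHost.`) contradicts the SourceCriterion type comment kept as context in the next hunk (`If none are set, the default is to use the request's remote address field.`) and the RateLimit.SourceCriterion comment in the hunk after that (`... remote address field (as an ipStrategy)`), so a reader of the type cannot tell which default applies. The default appears to be chosen by the consuming middleware rather than by the type, in which case the type-level sentence should defer to the users, e.g. `// The default applied when no field is set depends on the middleware; see InFlightReq and RateLimit.`, and each field comment keeps its own. IPWhiteList.IPStrategy is also still the only field of that struct without a comment; `// IPStrategy defines how the client IP is determined before it is checked against SourceRange.` would match the rest of the hunk.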
@@ -300,14 +415,17 @@ type PassTLSClientCert struct {
 // If none are set, the default is to use the request's remote address field.
 // All fields are mutually exclusive.
 type SourceCriterion struct {
-	IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"`
-	RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"`
-	RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"`
+	IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"`
+	// RequestHeaderName defines the name of the header used to group incoming requests.
+	RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"`
+	// RequestHost defines whether to consider the request Host as the source.
+	RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
 
-// RateLimit holds the rate limiting configuration for a given router.
+// RateLimit holds the rate limit configuration.
+// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
 type RateLimit struct {
 	// Average is the maximum rate, by default in requests/s, allowed for the given source.
 	// It defaults to 0, which means no rate limiting.
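Review bot: SourceCriterion.IPStrategy is re-indented at the top of the struct but is the only field left without a comment, while RequestHeaderName and RequestHost get one. Something like `// IPStrategy defines how the client IP is determined when it is used as the source; mutually exclusive with RequestHeaderName and RequestHost.` would agree with the `All fields are mutually exclusive.` sentence already on the type. The RequestHeaderName comment would also benefit from saying that the header value is client-supplied, so grouping by it does not bound what a single client can consume unless the header is set by a trusted component in front of Traefik.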
@@ -323,6 +441,9 @@ type RateLimit struct {
 	// It defaults to 1.
 	Burst int64 `json:"burst,omitempty" toml:"burst,omitempty" yaml:"burst,omitempty" export:"true"`
 
+	// SourceCriterion defines what criterion is used to group requests as originating from a common source.
+	// If several strategies are defined at the same time, an error will be raised.
+	// If none are set, the default is to use the request's remote address field (as an ipStrategy).
 	SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
 }
 
@@ -334,51 +455,82 @@ func (r *RateLimit) SetDefaults() { // +k8s:deepcopy-gen=true -// RedirectRegex holds the redirection configuration. +// RedirectRegex holds the redirect regex middleware configuration. +// This middleware redirects a request using regex matching and replacement. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex type RedirectRegex struct { - Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"` + // Regex defines the regex used to match and capture elements from the request URL. + Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"` + // Replacement defines how to modify the URL to have the new target URL. Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty"` - Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` + // Permanent defines whether the redirection is permanent (301). + Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// RedirectScheme holds the scheme redirection configuration. +// RedirectScheme holds the redirect scheme middleware configuration. +// This middleware redirects requests from a scheme/port to another. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/ type RedirectScheme struct { - Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"` - Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"` - Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` + // Scheme defines the scheme of the new URL. + Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"` + // Port defines the port of the new URL. 
+ Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"` + // Permanent defines whether the redirection is permanent (301). + Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// ReplacePath holds the ReplacePath configuration. +// ReplacePath holds the replace path middleware configuration. +// This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/ type ReplacePath struct { + // Path defines the path to use as replacement in the request URL. Path string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// ReplacePathRegex holds the ReplacePathRegex configuration. +// ReplacePathRegex holds the replace path regex middleware configuration. +// This middleware replaces the path of a URL using regex matching and replacement. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/ type ReplacePathRegex struct { - Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"` + // Regex defines the regular expression used to match and capture the path from the request URL. + Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"` + // Replacement defines the replacement path format, which can include captured variables. Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// Retry holds the retry configuration. +// Retry holds the retry middleware configuration. +// This middleware reissues requests a given number of times to a backend server if that server does not reply. 
+// As soon as the server answers, the middleware stops retrying, regardless of the response status. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/ type Retry struct { - Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"` + // Attempts defines how many times the request should be retried. + Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"` + // InitialInterval defines the first wait time in the exponential backoff series. + // The maximum interval is calculated as twice the initialInterval. + // If unspecified, requests will be retried immediately. + // The value of initialInterval should be provided in seconds or as a valid duration format, + // see https://pkg.go.dev/time#ParseDuration. InitialInterval ptypes.Duration `json:"initialInterval,omitempty" toml:"initialInterval,omitempty" yaml:"initialInterval,omitempty" export:"true"` } // +k8s:deepcopy-gen=true -// StripPrefix holds the StripPrefix configuration. +// StripPrefix holds the strip prefix middleware configuration. +// This middleware removes the specified prefixes from the URL path. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/ type StripPrefix struct { - Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"` - ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated + // Prefixes defines the prefixes to strip from the request URL. + Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"` + // ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary. + // Default: true. 
+	ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
 }
 
 // SetDefaults Default values for a StripPrefix.
@@ -388,8 +540,11 @@ func (s *StripPrefix) SetDefaults() {
 
 // +k8s:deepcopy-gen=true
 
-// StripPrefixRegex holds the StripPrefixRegex configuration.
+// StripPrefixRegex holds the strip prefix regex middleware configuration.
+// This middleware removes the matching prefixes from the URL path.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/
 type StripPrefixRegex struct {
+	// Regex defines the regular expression to match the path prefix from the request URL.
 	Regex []string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
 }
 
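Review bot: The ForceSlash field at the end of the StripPrefix hunk keeps its trailing `// Deprecated` while gaining a description and a `Default: true.` line; elsewhere in this file (SSLRedirect, SSLHost, FeaturePolicy in the Headers hunk) deprecation is written as `// Deprecated: use X instead.` on its own line, which is the form tooling and the generated CRD descriptions recognise. The marker should move into the new comment block in that form, `// Deprecated: ForceSlash is deprecated.`, with the replacement named if there is one. The ReplacePath type comment also has a grammar slip, `replaces the path of the request URL and store the original path`, which should read `stores`.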
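Review bot: Regex in StripPrefixRegex is a `[]string`, but its new comment reads `defines the regular expression to match the path prefix`, singular, while the Prefixes comment in the StripPrefix hunk just above uses the plural for its list. `// Regex defines the regular expressions to match the path prefix from the request URL.` keeps the two consistent; whether the first match wins or all are applied is not visible here and should be stated if known.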
@@ -397,12 +552,18 @@ type StripPrefixRegex struct {
 // TLSClientCertificateInfo holds the client TLS certificate info configuration.
 type TLSClientCertificateInfo struct {
- NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
- NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
- Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
- Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
- Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
- SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
+ // NotAfter defines whether to add the Not After information from the Validity part.
+ NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
+ // NotBefore defines whether to add the Not Before information from the Validity part.
+ NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
+ // Sans defines whether to add the Subject Alternative Name information from the Subject Alternative Name part.
+ Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
+ // SerialNumber defines whether to add the client serialNumber information.
+ SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
+ // Subject defines the client certificate subject details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+ Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
+ // Issuer defines the client certificate issuer details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+ Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
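Review bot: The Sans comment in TLSClientCertificateInfo is tautological (`...Subject Alternative Name information from the Subject Alternative Name part.`); `// Sans defines whether to add the Subject Alternative Name information from the certificate's SAN extension.` says it once. Only the Subject and Issuer comments name the X-Forwarded-Tls-Client-Cert-Info header, while NotAfter, NotBefore, Sans and SerialNumber leave the reader guessing where that information ends up; presumably it is the same header, and if so the struct comment on the context line is the natural place to say so, e.g. `// TLSClientCertificateInfo holds the client TLS certificate info configuration, i.e. which certificate fields are exposed in the X-Forwarded-Tls-Client-Cert-Info header.` Since upstream services will read that header, stating it at the struct level also makes clear what client identity data is being forwarded.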
@@ -410,12 +571,19 @@ type TLSClientCertificateInfo struct {
 // TLSClientCertificateIssuerDNInfo holds the client TLS certificate distinguished name info configuration.
 // cf https://tools.ietf.org/html/rfc3739
 type TLSClientCertificateIssuerDNInfo struct {
- Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
- Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
- Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
- Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
- CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
- SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
+ // Country defines whether to add the country information into the issuer.
+ Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
+ // Province defines whether to add the province information into the issuer.
+ Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
+ // Locality defines whether to add the locality information into the issuer.
+ Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
+ // Organization defines whether to add the organization information into the issuer.
+ Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
+ // CommonName defines whether to add the organizationalUnit information into the issuer.
+ CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
+ // SerialNumber defines whether to add the serialNumber information into the issuer.
+ SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
+ // DomainComponent defines whether to add the domainComponent information into the issuer.
 DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
 }
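Review bot: The CommonName comment in TLSClientCertificateIssuerDNInfo documents the wrong attribute — it is a paste of the OrganizationalUnit wording — and should read `// CommonName defines whether to add the commonName information into the issuer.` The same pasted line appears in the TLSClientCertificateSubjectDNInfo hunk that follows (`// CommonName defines whether to add the organizationalUnit information into the subject.`), which should become `commonName information into the subject`. Given the commit's purpose, these comments presumably end up as CRD schema descriptions, so the mistake would be visible to operators in the generated manifests as well.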
@@ -424,14 +592,22 @@ type TLSClientCertificateIssuerDNInfo struct {
 // TLSClientCertificateSubjectDNInfo holds the client TLS certificate distinguished name info configuration.
 // cf https://tools.ietf.org/html/rfc3739
 type TLSClientCertificateSubjectDNInfo struct {
- Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
- Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
- Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
- Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
+ // Country defines whether to add the country information into the subject.
+ Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
+ // Province defines whether to add the province information into the subject.
+ Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
+ // Locality defines whether to add the locality information into the subject.
+ Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
+ // Organization defines whether to add the organization information into the subject.
+ Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
+ // OrganizationalUnit defines whether to add the organizationalUnit information into the subject.
OrganizationalUnit bool `json:"organizationalUnit,omitempty" toml:"organizationalUnit,omitempty" yaml:"organizationalUnit,omitempty" export:"true"`
- CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
- SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
- DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
+ // CommonName defines whether to add the organizationalUnit information into the subject.
+ CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
+ // SerialNumber defines whether to add the serialNumber information into the subject.
+ SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
+ // DomainComponent defines whether to add the domainComponent information into the subject.
+ DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
diff --git a/pkg/config/dynamic/tcp_config.go b/pkg/config/dynamic/tcp_config.go
index e16564411..66f5c71e2 100644
--- a/pkg/config/dynamic/tcp_config.go
+++ b/pkg/config/dynamic/tcp_config.go
@@ -113,8 +113,10 @@ type TCPServer struct {
 // +k8s:deepcopy-gen=true
-// ProxyProtocol holds the ProxyProtocol configuration.
+// ProxyProtocol holds the PROXY Protocol configuration.
+// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
 type ProxyProtocol struct {
+ // Version defines the PROXY Protocol version to use.
 Version int `json:"version,omitempty" toml:"version,omitempty" yaml:"version,omitempty" export:"true"`
 }
diff --git a/pkg/config/dynamic/tcp_middlewares.go b/pkg/config/dynamic/tcp_middlewares.go
index 57d313193..e42c06a80 100644
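Review bot: `// Version defines the PROXY Protocol version to use.` in the tcp_config.go hunk leaves the accepted values implicit, and with `omitempty` on an int the reader cannot tell what an unset version means. Naming the accepted values (`1` or `2`) and the value applied when the field is absent — if a SetDefaults for ProxyProtocol exists elsewhere in tcp_config.go, the comment should quote it — would make the CRD description self-contained, e.g. `// Version defines the PROXY Protocol version to use: 1 or 2.` followed by a `// Default:` line matching the code.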
--- a/pkg/config/dynamic/tcp_middlewares.go
+++ b/pkg/config/dynamic/tcp_middlewares.go
@@ -10,14 +10,21 @@ type TCPMiddleware struct {
 // +k8s:deepcopy-gen=true
-// TCPInFlightConn holds the TCP in flight connection configuration.
+// TCPInFlightConn holds the TCP InFlightConn middleware configuration.
+// This middleware prevents services from being overwhelmed with high load,
+// by limiting the number of allowed simultaneous connections for one IP.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/tcp/inflightconn/
 type TCPInFlightConn struct {
+ // Amount defines the maximum amount of allowed simultaneous connections.
+ // The middleware closes the connection if there are already amount connections opened.
 Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
-// TCPIPWhiteList holds the TCP ip white list configuration.
+// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
+// This middleware accepts/refuses connections based on the client IP.
 type TCPIPWhiteList struct {
+ // SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
 }
diff --git a/pkg/provider/kubernetes/crd/kubernetes_http.go b/pkg/provider/kubernetes/crd/kubernetes_http.go
index 333ce148c..7377d7822 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_http.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_http.go
@@ -84,7 +84,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
 serviceName := normalized
 if len(route.Services) > 1 {
- spec := v1alpha1.ServiceSpec{
+ spec := v1alpha1.TraefikServiceSpec{
 Weighted: &v1alpha1.WeightedRoundRobin{
 Services: route.Services,
 },
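Review bot: The TCPIPWhiteList comment is the only middleware description in the tcp_middlewares.go hunk without a `More info:` link, unlike TCPInFlightConn directly above it; `// More info: https://doc.traefik.io/traefik/v2.7/middlewares/tcp/ipwhitelist/` keeps the generated descriptions consistent. In the Amount comment, `already amount connections opened` refers to the field, so writing it as `Amount` (or in backticks) reads correctly. For SourceRange it is worth one sentence saying that the address compared against the list is the connection's source address as seen by the entry point, which behind another proxy or load balancer is not necessarily the end client's — an operator relying on this allow-list for access control needs to know that.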
@@ -217,7 +217,7 @@ func (c configBuilder) buildTraefikService(ctx context.Context, tService *v1alph
 // buildServicesLB creates the configuration for the load-balancer of services named id, and defined in tService.
 // It adds it to the given conf map.
-func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.ServiceSpec, id string, conf map[string]*dynamic.Service) error {
+func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.TraefikServiceSpec, id string, conf map[string]*dynamic.Service) error {
 var wrrServices []dynamic.WRRService
 for _, service := range tService.Weighted.Services {
diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroute.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroute.go
index 0de26e8fa..ef7ea9626 100644
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroute.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroute.go
@@ -7,90 +7,130 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
-// IngressRouteSpec is a specification for a IngressRouteSpec resource.
+// IngressRouteSpec defines the desired state of IngressRoute.
 type IngressRouteSpec struct {
- Routes []Route `json:"routes"`
+ // Routes defines the list of routes.
+ Routes []Route `json:"routes"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
+ // Default: all.
 EntryPoints []string `json:"entryPoints,omitempty"`
- TLS *TLS `json:"tls,omitempty"`
+ // TLS defines the TLS configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
+ TLS *TLS `json:"tls,omitempty"`
 }
-// Route contains the set of routes.
+// Route holds the HTTP route configuration.
 type Route struct {
+ // Match defines the router's rule.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule
 Match string `json:"match"`
+ // Kind defines the kind of the route.
+ // Rule is the only supported kind.
 // +kubebuilder:validation:Enum=Rule
- Kind string `json:"kind"`
- Priority int `json:"priority,omitempty"`
- Services []Service `json:"services,omitempty"`
+ Kind string `json:"kind"`
+ // Priority defines the router's priority.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority
+ Priority int `json:"priority,omitempty"`
+ // Services defines the list of Service.
+ // It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
+ Services []Service `json:"services,omitempty"`
+ // Middlewares defines the list of references to Middleware resources.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware
 Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
 }
-// TLS contains the TLS certificates configuration of the routes.
-// To enable Let's Encrypt, use an empty TLS struct,
-// e.g. in YAML:
-//
-// tls: {} # inline format
-//
-// tls:
-// secretName: # block format
+// TLS holds the TLS configuration.
+// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
 type TLS struct {
- // SecretName is the name of the referenced Kubernetes Secret to specify the
- // certificate details.
+ // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
 SecretName string `json:"secretName,omitempty"`
- // Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // If not defined, the `default` TLSOption is used.
+ // More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
 Options *TLSOptionRef `json:"options,omitempty"`
- // Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
- Store *TLSStoreRef `json:"store,omitempty"`
- CertResolver string `json:"certResolver,omitempty"`
- Domains []types.Domain `json:"domains,omitempty"`
+ // Store defines the reference to the TLSStore, that will be used to store certificates.
+ // Please note that only `default` TLSStore can be used.
+ Store *TLSStoreRef `json:"store,omitempty"`
+ // CertResolver defines the name of the certificate resolver to use.
+ // Cert resolvers have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
+ CertResolver string `json:"certResolver,omitempty"`
+ // Domains defines the list of domains that will be used to issue certificates.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
+ Domains []types.Domain `json:"domains,omitempty"`
 }
-// TLSOptionRef is a ref to the TLSOption resources.
+// TLSOptionRef is a reference to a TLSOption resource.
type TLSOptionRef struct {
- Name string `json:"name"`
+ // Name defines the name of the referenced TLSOption.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
+ Name string `json:"name"`
+ // Namespace defines the namespace of the referenced TLSOption.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
 Namespace string `json:"namespace,omitempty"`
 }
-// TLSStoreRef is a ref to the TLSStore resource.
+// TLSStoreRef is a reference to a TLSStore resource.
 type TLSStoreRef struct {
- Name string `json:"name"`
+ // Name defines the name of the referenced TLSStore.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
+ Name string `json:"name"`
+ // Namespace defines the namespace of the referenced TLSStore.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
 Namespace string `json:"namespace,omitempty"`
 }
-// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers),
-// or a TraefikService object (a traefik load-balancer of services).
+// LoadBalancerSpec defines the desired state of LoadBalancer.
+// It can reference either a Kubernetes Service object (a load-balancer of servers),
+// or a TraefikService object (a load-balancer of Traefik services).
 type LoadBalancerSpec struct {
- // Name is a reference to a Kubernetes Service object (for a load-balancer of servers),
- // or to a TraefikService object (service load-balancer, mirroring, etc).
+ // Name defines the name of the referenced Kubernetes Service or TraefikService.
 // The differentiation between the two is specified in the Kind field.
 Name string `json:"name"`
+ // Kind defines the kind of the Service.
// +kubebuilder:validation:Enum=Service;TraefikService
- Kind string `json:"kind,omitempty"`
- Namespace string `json:"namespace,omitempty"`
- Sticky *dynamic.Sticky `json:"sticky,omitempty"`
-
- // Port and all the fields below are related to a servers load-balancer,
- // and therefore should only be specified when Name references a Kubernetes Service.
-
- Port intstr.IntOrString `json:"port,omitempty"`
- Scheme string `json:"scheme,omitempty"`
- Strategy string `json:"strategy,omitempty"`
- PassHostHeader *bool `json:"passHostHeader,omitempty"`
+ Kind string `json:"kind,omitempty"`
+ // Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
+ Namespace string `json:"namespace,omitempty"`
+ // Sticky defines the sticky sessions configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions
+ Sticky *dynamic.Sticky `json:"sticky,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port intstr.IntOrString `json:"port,omitempty"`
+ // Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ // It defaults to https when Kubernetes Service port is 443, http otherwise.
+ Scheme string `json:"scheme,omitempty"`
+ // Strategy defines the load balancing strategy between the servers.
+ // RoundRobin is the only supported value at the moment.
+ Strategy string `json:"strategy,omitempty"`
+ // PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ // By default, passHostHeader is true.
+ PassHostHeader *bool `json:"passHostHeader,omitempty"`
+ // ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
ResponseForwarding *dynamic.ResponseForwarding `json:"responseForwarding,omitempty"`
- ServersTransport string `json:"serversTransport,omitempty"`
+ // ServersTransport defines the name of ServersTransport resource to use.
+ // It allows to configure the transport between Traefik and your servers.
+ // Can only be used on a Kubernetes Service.
+ ServersTransport string `json:"serversTransport,omitempty"`
- // Weight should only be specified when Name references a TraefikService object
+ // Weight defines the weight and should only be specified when Name references a TraefikService object
 // (and to be precise, one that embeds a Weighted Round Robin).
 Weight *int `json:"weight,omitempty"`
 }
-// Service defines an upstream to proxy traffic.
+// Service defines an upstream HTTP service to proxy traffic to.
 type Service struct {
 LoadBalancerSpec `json:",inline"`
 }
-// MiddlewareRef is a ref to the Middleware resources.
+// MiddlewareRef is a reference to a Middleware resource.
 type MiddlewareRef struct {
- Name string `json:"name"`
+ // Name defines the name of the referenced Middleware resource.
+ Name string `json:"name"`
+ // Namespace defines the namespace of the referenced Middleware resource.
 Namespace string `json:"namespace,omitempty"`
 }
@@ -98,9 +138,11 @@ type MiddlewareRef struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
-// IngressRoute is an Ingress CRD specification.
+// IngressRoute is the CRD implementation of a Traefik HTTP Router.
 type IngressRoute struct {
- metav1.TypeMeta `json:",inline"`
+ metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ObjectMeta `json:"metadata"`
 Spec IngressRouteSpec `json:"spec"`
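Review bot: The removed comment `// Port and all the fields below are related to a servers load-balancer, and therefore should only be specified when Name references a Kubernetes Service.` carried a constraint that the new per-field comments keep only for ServersTransport (`Can only be used on a Kubernetes Service.`); Port, Scheme, Strategy, PassHostHeader and ResponseForwarding now read as if they applied to any LoadBalancerSpec, including one whose Kind is TraefikService. Either restore that sentence in the LoadBalancerSpec struct comment, next to the Weight remark about TraefikService, or add the same `Can only be used on a Kubernetes Service.` line to each of those fields so the generated CRD descriptions state the restriction. Separately, `It allows to configure the transport` in the ServersTransport comment reads better as `It allows configuring the transport`.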
@@ -108,9 +150,13 @@ type IngressRoute struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// IngressRouteList is a list of IngressRoutes.
+// IngressRouteList is a collection of IngressRoute.
 type IngressRouteList struct {
 metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ListMeta `json:"metadata"`
- Items []IngressRoute `json:"items"`
+
+ // Items is the list of IngressRoute.
+ Items []IngressRoute `json:"items"`
 }
diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
index ef62542e8..53eeb8c28 100644
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
@@ -7,60 +7,88 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
-// IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec resource.
+// IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
 type IngressRouteTCPSpec struct {
- Routes []RouteTCP `json:"routes"`
- EntryPoints []string `json:"entryPoints,omitempty"`
- TLS *TLSTCP `json:"tls,omitempty"`
+ // Routes defines the list of routes.
+ Routes []RouteTCP `json:"routes"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
+ // Default: all.
+ EntryPoints []string `json:"entryPoints,omitempty"`
+ // TLS defines the TLS configuration on a layer 4 / TCP Route.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
+ TLS *TLSTCP `json:"tls,omitempty"`
 }
-// RouteTCP contains the set of routes.
+// RouteTCP holds the TCP route configuration.
 type RouteTCP struct {
- Match string `json:"match"`
- Priority int `json:"priority,omitempty"`
+ // Match defines the router's rule.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1
+ Match string `json:"match"`
+ // Priority defines the router's priority.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1
+ Priority int `json:"priority,omitempty"`
+ // Services defines the list of TCP services.
 Services []ServiceTCP `json:"services,omitempty"`
- // Middlewares contains references to MiddlewareTCP resources.
+ // Middlewares defines the list of references to MiddlewareTCP resources.
 Middlewares []ObjectReference `json:"middlewares,omitempty"`
 }
-// TLSTCP contains the TLS certificates configuration of the routes.
-// To enable Let's Encrypt, use an empty TLS struct,
-// e.g. in YAML:
-//
-// tls: {} # inline format
-//
-// tls:
-// secretName: # block format
+// TLSTCP holds the TLS configuration for an IngressRouteTCP.
+// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
 type TLSTCP struct {
- // SecretName is the name of the referenced Kubernetes Secret to specify the
- // certificate details.
- SecretName string `json:"secretName,omitempty"`
- Passthrough bool `json:"passthrough,omitempty"`
- // Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+ SecretName string `json:"secretName,omitempty"`
+ // Passthrough defines whether a TLS router will terminate the TLS connection.
+ Passthrough bool `json:"passthrough,omitempty"`
+ // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // If not defined, the `default` TLSOption is used.
+ // More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
 Options *ObjectReference `json:"options,omitempty"`
- // Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
- Store *ObjectReference `json:"store,omitempty"`
- CertResolver string `json:"certResolver,omitempty"`
- Domains []types.Domain `json:"domains,omitempty"`
+ // Store defines the reference to the TLSStore, that will be used to store certificates.
+ // Please note that only `default` TLSStore can be used.
+ Store *ObjectReference `json:"store,omitempty"`
+ // CertResolver defines the name of the certificate resolver to use.
+ // Cert resolvers have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
+ CertResolver string `json:"certResolver,omitempty"`
+ // Domains defines the list of domains that will be used to issue certificates.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
+ Domains []types.Domain `json:"domains,omitempty"`
 }
-// ServiceTCP defines an upstream to proxy traffic.
+// ServiceTCP defines an upstream TCP service to proxy traffic to.
 type ServiceTCP struct {
- Name string `json:"name"`
- Namespace string `json:"namespace,omitempty"`
- Port intstr.IntOrString `json:"port"`
- Weight *int `json:"weight,omitempty"`
- TerminationDelay *int `json:"terminationDelay,omitempty"`
- ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
+ // Name defines the name of the referenced Kubernetes Service.
+ Name string `json:"name"`
+ // Namespace defines the namespace of the referenced Kubernetes Service.
+ Namespace string `json:"namespace,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port intstr.IntOrString `json:"port"`
+ // Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+ Weight *int `json:"weight,omitempty"`
+ // TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
+ // it has closed the writing capability of its connection, to close the reading capability as well,
+ // hence fully terminating the connection.
+ // It is a duration in milliseconds, defaulting to 100.
+ // A negative value means an infinite deadline (i.e. the reading capability is never closed).
+ TerminationDelay *int `json:"terminationDelay,omitempty"`
+ // ProxyProtocol defines the PROXY protocol configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
+ ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
 }
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
-// IngressRouteTCP is an Ingress CRD specification.
+// IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
 type IngressRouteTCP struct {
- metav1.TypeMeta `json:",inline"`
+ metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ObjectMeta `json:"metadata"`
 Spec IngressRouteTCPSpec `json:"spec"`
@@ -68,9 +96,13 @@ type IngressRouteTCP struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// IngressRouteTCPList is a list of IngressRoutes.
+// IngressRouteTCPList is a collection of IngressRouteTCP.
 type IngressRouteTCPList struct {
 metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ListMeta `json:"metadata"`
- Items []IngressRouteTCP `json:"items"`
+
+ // Items is the list of IngressRouteTCP.
+ Items []IngressRouteTCP `json:"items"`
 }
diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressrouteudp.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressrouteudp.go
index eb44cd64f..e05525314 100644
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressrouteudp.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressrouteudp.go
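Review bot: The new Passthrough comment in TLSTCP states the opposite of what the flag selects: `// Passthrough defines whether a TLS router will terminate the TLS connection.` reads as if true meant "terminate", whereas passthrough=true forwards the TLS stream to the service without terminating it. Suggest `// Passthrough defines whether a TLS router will terminate the TLS connection (false, the default) or forward it untouched to the service (true).`. Because the remaining TLSTCP fields (SecretName, Options, Store, CertResolver, Domains) all describe termination parameters, a follow-up sentence saying which of them have no effect when Passthrough is true would help operators, once that is confirmed against the TCP router code; with passthrough no TLS option applies, so the security posture is entirely the upstream service's, and the description should not let readers believe otherwise.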
@@ -5,38 +5,45 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
-// IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec resource.
+// IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
 type IngressRouteUDPSpec struct {
- Routes []RouteUDP `json:"routes"`
- EntryPoints []string `json:"entryPoints,omitempty"`
+ // Routes defines the list of routes.
+ Routes []RouteUDP `json:"routes"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
+ // Default: all.
+ EntryPoints []string `json:"entryPoints,omitempty"`
 }
-// RouteUDP contains the set of routes.
+// RouteUDP holds the UDP route configuration.
 type RouteUDP struct {
+ // Services defines the list of UDP services.
 Services []ServiceUDP `json:"services,omitempty"`
 }
-// TLSOptionUDPRef is a ref to the TLSOption resources.
-type TLSOptionUDPRef struct {
- Name string `json:"name"`
- Namespace string `json:"namespace,omitempty"`
-}
-
-// ServiceUDP defines an upstream to proxy traffic.
+// ServiceUDP defines an upstream UDP service to proxy traffic to.
 type ServiceUDP struct {
- Name string `json:"name"`
- Namespace string `json:"namespace,omitempty"`
- Port intstr.IntOrString `json:"port"`
- Weight *int `json:"weight,omitempty"`
+ // Name defines the name of the referenced Kubernetes Service.
+ Name string `json:"name"`
+ // Namespace defines the namespace of the referenced Kubernetes Service.
+ Namespace string `json:"namespace,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port intstr.IntOrString `json:"port"`
+ // Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+ Weight *int `json:"weight,omitempty"`
 }
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
-// IngressRouteUDP is an Ingress CRD specification.
+// IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
 type IngressRouteUDP struct {
- metav1.TypeMeta `json:",inline"`
+ metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ObjectMeta `json:"metadata"`
 Spec IngressRouteUDPSpec `json:"spec"`
@@ -44,9 +51,13 @@ type IngressRouteUDP struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// IngressRouteUDPList is a list of IngressRoutes.
+// IngressRouteUDPList is a collection of IngressRouteUDP.
 type IngressRouteUDPList struct {
 metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ListMeta `json:"metadata"`
- Items []IngressRouteUDP `json:"items"`
+
+ // Items is the list of IngressRouteUDP.
+ Items []IngressRouteUDP `json:"items"`
 }
diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
index 2fff164a5..1f755ae7f 100644
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
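Review bot: `// IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.` should be `of an IngressRouteUDP` — or drop the article to match the sibling HTTP and TCP comments (`defines the desired state of IngressRouteUDP.`). The hunk also deletes the exported type TLSOptionUDPRef from the v1alpha1 API package; even if nothing in this repository references it, removing an exported identifier from a public API package is a breaking change for external importers and deserves a line in the commit description, which currently only speaks of adding documentation. Lastly, the Weight comment copied from ServiceTCP talks about balancing `requests`, which is a loose term for UDP; `datagrams` (or whatever unit the UDP balancer actually distributes) would be more precise.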
@@ -11,9 +11,12 @@ import (
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
-// Middleware is a specification for a Middleware resource.
+// Middleware is the CRD implementation of a Traefik Middleware.
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/
 type Middleware struct {
- metav1.TypeMeta `json:",inline"`
+ metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 metav1.ObjectMeta `json:"metadata"`
 Spec MiddlewareSpec `json:"spec"`
@@ -21,7 +24,7 @@ type Middleware struct {
 // +k8s:deepcopy-gen=true
-// MiddlewareSpec holds the Middleware configuration.
+// MiddlewareSpec defines the desired state of a Middleware.
 type MiddlewareSpec struct {
 AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"`
 StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"`
@@ -50,84 +53,155 @@ type MiddlewareSpec struct { // +k8s:deepcopy-gen=true -// ErrorPage holds the custom error page configuration. +// ErrorPage holds the custom error middleware configuration. +// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/ type ErrorPage struct { - Status []string `json:"status,omitempty"` - Service Service `json:"service,omitempty"` - Query string `json:"query,omitempty"` + // Status defines which status or range of statuses should result in an error page. + // It can be either a status code as a number (500), + // as multiple comma-separated numbers (500,502), + // as ranges by separating two codes with a dash (500-599), + // or a combination of the two (404,418,500-599). + Status []string `json:"status,omitempty"` + // Service defines the reference to a Kubernetes Service that will serve the error page. + // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service + Service Service `json:"service,omitempty"` + // Query defines the URL for the error page (hosted by service). + // The {status} variable can be used in order to insert the status code in the URL. + Query string `json:"query,omitempty"` } // +k8s:deepcopy-gen=true -// Chain holds a chain of middlewares. +// Chain holds the configuration of the chain middleware. +// This middleware enables to define reusable combinations of other pieces of middleware. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/ type Chain struct { + // Middlewares is the list of MiddlewareRef which composes the chain. Middlewares []MiddlewareRef `json:"middlewares,omitempty"` } // +k8s:deepcopy-gen=true -// BasicAuth holds the HTTP basic authentication configuration. +// BasicAuth holds the basic auth middleware configuration. +// This middleware restricts access to your services to known users. 
+// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/ type BasicAuth struct { - Secret string `json:"secret,omitempty"` - Realm string `json:"realm,omitempty"` - RemoveHeader bool `json:"removeHeader,omitempty"` - HeaderField string `json:"headerField,omitempty"` + // Secret is the name of the referenced Kubernetes Secret containing user credentials. + Secret string `json:"secret,omitempty"` + // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + // Default: traefik. + Realm string `json:"realm,omitempty"` + // RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service. + // Default: false. + RemoveHeader bool `json:"removeHeader,omitempty"` + // HeaderField defines a header field to store the authenticated user. + // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield + HeaderField string `json:"headerField,omitempty"` } // +k8s:deepcopy-gen=true -// DigestAuth holds the Digest HTTP authentication configuration. +// DigestAuth holds the digest auth middleware configuration. +// This middleware restricts access to your services to known users. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/ type DigestAuth struct { - Secret string `json:"secret,omitempty"` - RemoveHeader bool `json:"removeHeader,omitempty"` - Realm string `json:"realm,omitempty"` - HeaderField string `json:"headerField,omitempty"` + // Secret is the name of the referenced Kubernetes Secret containing user credentials. + Secret string `json:"secret,omitempty"` + // RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend. 
+ RemoveHeader bool `json:"removeHeader,omitempty"` + // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + // Default: traefik. + Realm string `json:"realm,omitempty"` + // HeaderField defines a header field to store the authenticated user. + // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield + HeaderField string `json:"headerField,omitempty"` } // +k8s:deepcopy-gen=true -// ForwardAuth holds the http forward authentication configuration. +// ForwardAuth holds the forward auth middleware configuration. +// This middleware delegates the request authentication to a Service. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/ type ForwardAuth struct { - Address string `json:"address,omitempty"` - TrustForwardHeader bool `json:"trustForwardHeader,omitempty"` - AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"` - AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"` - AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"` - TLS *ClientTLS `json:"tls,omitempty"` + // Address defines the authentication server address. + Address string `json:"address,omitempty"` + // TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers. + TrustForwardHeader bool `json:"trustForwardHeader,omitempty"` + // AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. + AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"` + // AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex. 
+ // More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex + AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"` + // AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server. + // If not set or empty then all request headers are passed. + AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"` + // TLS defines the configuration used to secure the connection to the authentication server. + TLS *ClientTLS `json:"tls,omitempty"` } -// ClientTLS holds TLS specific configurations as client. +// ClientTLS holds the client TLS configuration. type ClientTLS struct { - CASecret string `json:"caSecret,omitempty"` - CAOptional bool `json:"caOptional,omitempty"` - CertSecret string `json:"certSecret,omitempty"` - InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// MiddlewareList is a list of Middleware resources. -type MiddlewareList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - - Items []Middleware `json:"items"` + // CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate. + // The CA certificate is extracted from key `tls.ca` or `ca.crt`. + CASecret string `json:"caSecret,omitempty"` + // CertSecret is the name of the referenced Kubernetes Secret containing the client certificate. + // The client certificate is extracted from the keys `tls.crt` and `tls.key`. + CertSecret string `json:"certSecret,omitempty"` + // InsecureSkipVerify defines whether the server certificates should be validated. + InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` + CAOptional bool `json:"caOptional,omitempty"` } // +k8s:deepcopy-gen=true -// RateLimit holds the rate limiting configuration for a given router. +// RateLimit holds the rate limit configuration. 
+// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/ type RateLimit struct { - Average int64 `json:"average,omitempty"` - Period *intstr.IntOrString `json:"period,omitempty"` - Burst *int64 `json:"burst,omitempty"` + // Average is the maximum rate, by default in requests/s, allowed for the given source. + // It defaults to 0, which means no rate limiting. + // The rate is actually defined by dividing Average by Period. So for a rate below 1req/s, + // one needs to define a Period larger than a second. + Average int64 `json:"average,omitempty"` + // Period, in combination with Average, defines the actual maximum rate, such as: + // r = Average / Period. It defaults to a second. + Period *intstr.IntOrString `json:"period,omitempty"` + // Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time. + // It defaults to 1. + Burst *int64 `json:"burst,omitempty"` + // SourceCriterion defines what criterion is used to group requests as originating from a common source. + // If several strategies are defined at the same time, an error will be raised. + // If none are set, the default is to use the request's remote address field (as an ipStrategy). SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"` } // +k8s:deepcopy-gen=true -// Retry holds the retry configuration. +// Retry holds the retry middleware configuration. +// This middleware reissues requests a given number of times to a backend server if that server does not reply. +// As soon as the server answers, the middleware stops retrying, regardless of the response status. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/ type Retry struct { - Attempts int `json:"attempts,omitempty"` + // Attempts defines how many times the request should be retried. 
+ Attempts int `json:"attempts,omitempty"` + // InitialInterval defines the first wait time in the exponential backoff series. + // The maximum interval is calculated as twice the initialInterval. + // If unspecified, requests will be retried immediately. + // The value of initialInterval should be provided in seconds or as a valid duration format, + // see https://pkg.go.dev/time#ParseDuration. InitialInterval intstr.IntOrString `json:"initialInterval,omitempty"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// MiddlewareList is a collection of Middleware resources. +type MiddlewareList struct { + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata"` + + // Items is the list of Middleware. + Items []Middleware `json:"items"` +} diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go index ff42921d0..5b70fd781 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go @@ -8,9 +8,12 @@ import ( // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// MiddlewareTCP is a specification for a MiddlewareTCP resource. +// MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. +// More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/ type MiddlewareTCP struct { - metav1.TypeMeta `json:",inline"` + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ObjectMeta `json:"metadata"` Spec MiddlewareTCPSpec `json:"spec"` 
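Review bot: The new doc comment on `ClientTLS.InsecureSkipVerify` reads backwards: the field disables server-certificate verification when set, yet `defines whether the server certificates should be validated` suggests true means validate. Suggest `// InsecureSkipVerify defines whether to skip verification of the authentication server's certificate; when true, the certificate is not validated.` so the generated CRD description does not invert the meaning. In the same struct `CAOptional` is now the only field without a comment (it was also moved after InsecureSkipVerify), so it gets no description in the schema. The `DigestAuth.HeaderField` More info link points at the basicauth page; `https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/#headerfield` would be consistent with the DigestAuth type comment just above it.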
@@ -18,18 +21,23 @@ type MiddlewareTCP struct { // +k8s:deepcopy-gen=true -// MiddlewareTCPSpec holds the MiddlewareTCP configuration. +// MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. type MiddlewareTCPSpec struct { + // InFlightConn defines the InFlightConn middleware configuration. InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"` - IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"` + // IPWhiteList defines the IPWhiteList middleware configuration. + IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// MiddlewareTCPList is a list of MiddlewareTCP resources. +// MiddlewareTCPList is a collection of MiddlewareTCP resources. type MiddlewareTCPList struct { metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ListMeta `json:"metadata"` + // Items is the list of MiddlewareTCP. Items []MiddlewareTCP `json:"items"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go index c28d4a96d..6334ab631 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go @@ -2,6 +2,8 @@ package v1alpha1 // ObjectReference is a generic reference to a Traefik resource. type ObjectReference struct { - Name string `json:"name"` + // Name defines the name of the referenced Traefik resource. + Name string `json:"name"` + // Namespace defines the namespace of the referenced Traefik resource. Namespace string `json:"namespace,omitempty"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go index 4fce5e0be..e850a4cb0 100644 
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go @@ -9,9 +9,14 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:storageversion -// ServersTransport is a specification for a ServersTransport resource. +// ServersTransport is the CRD implementation of a ServersTransport. +// If no serversTransport is specified, the default@internal will be used. +// The default@internal serversTransport is created from the static configuration. +// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1 type ServersTransport struct { - metav1.TypeMeta `json:",inline"` + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ObjectMeta `json:"metadata"` Spec ServersTransportSpec `json:"spec"` 
@@ -19,38 +24,37 @@ type ServersTransport struct { // +k8s:deepcopy-gen=true -// ServersTransportSpec options to configure communication between Traefik and the servers. +// ServersTransportSpec defines the desired state of a ServersTransport. type ServersTransportSpec struct { - // ServerName used to contact the server. + // ServerName defines the server name used to contact the server. ServerName string `json:"serverName,omitempty"` - // Disable SSL certificate verification. + // InsecureSkipVerify disables SSL certificate verification. InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` - // Add cert file for self-signed certificate. + // RootCAsSecrets defines a list of CA secret used to validate self-signed certificate. RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"` - // Certificates for mTLS. + // CertificatesSecrets defines a list of secret storing client certificates for mTLS. CertificatesSecrets []string `json:"certificatesSecrets,omitempty"` - // If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. + // MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host. MaxIdleConnsPerHost int `json:"maxIdleConnsPerHost,omitempty"` - // Timeouts for requests forwarded to the backend servers. + // ForwardingTimeouts defines the timeouts for requests forwarded to the backend servers. ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"` - // Disable HTTP/2 for connections with backend servers. + // DisableHTTP2 disables HTTP/2 for connections with backend servers. DisableHTTP2 bool `json:"disableHTTP2,omitempty"` - // URI used to match against SAN URI during the peer certificate verification. + // PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification. 
PeerCertURI string `json:"peerCertURI,omitempty"` } // +k8s:deepcopy-gen=true -// ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers. +// ForwardingTimeouts holds the timeout configurations for forwarding requests to the backend servers. type ForwardingTimeouts struct { - // DialTimeout is the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. + // DialTimeout is the amount of time to wait until a connection to a backend server can be established. DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"` // ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any). - // If zero, no timeout exists. ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"` // IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself. IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"` - // ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. If zero, no health check is performed. + // ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"` // PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"` 
@@ -58,10 +62,13 @@ type ForwardingTimeouts struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// ServersTransportList is a list of ServersTransport resources. +// ServersTransportList is a collection of ServersTransport resources. type ServersTransportList struct { metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ListMeta `json:"metadata"` + // Items is the list of ServersTransport. Items []ServersTransport `json:"items"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/service.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/service.go index fa70a253b..0d2737e5b 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/service.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/service.go 
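Review bot: The rewritten comments on `MaxIdleConnsPerHost`, `DialTimeout`, `ResponseHeaderTimeout` and `ReadIdleTimeout` in the `@@ -19,38 +24,37 @@` hunk drop the zero-value semantics the old text carried (`If zero, DefaultMaxIdleConnsPerHost is used`, `If zero, no timeout exists`, `If zero, no health check is performed`), and the removed standalone `// If zero, no timeout exists.` under ResponseHeaderTimeout is not replaced. These comments appear to feed the CRD field descriptions, so a manifest author can no longer tell that omitting a timeout leaves the proxy waiting on a backend without bound, which is an availability consideration for a reverse proxy. Suggest keeping the qualifier, e.g. `// DialTimeout is the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.` and the equivalent sentence for the other three fields.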
@@ -9,60 +9,77 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:storageversion -// TraefikService is the specification for a service (that an IngressRoute refers -// to) that is usually not a terminal service (i.e. not a pod of servers), as -// opposed to a Kubernetes Service. That is to say, it usually refers to other -// (children) services, which themselves can be TraefikServices or Services. +// TraefikService is the CRD implementation of a Traefik Service. +// TraefikService object allows to: +// - Apply weight to Services on load-balancing +// - Mirror traffic on services +// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice type TraefikService struct { - metav1.TypeMeta `json:",inline"` + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ObjectMeta `json:"metadata"` - Spec ServiceSpec `json:"spec"` + Spec TraefikServiceSpec `json:"spec"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// TraefikServiceList is a list of TraefikService resources. +// TraefikServiceList is a collection of TraefikService resources. type TraefikServiceList struct { metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ListMeta `json:"metadata"` + // Items is the list of TraefikService. Items []TraefikService `json:"items"` } // +k8s:deepcopy-gen=true -// ServiceSpec defines whether a TraefikService is a load-balancer of services or a -// mirroring service. -type ServiceSpec struct { - Weighted *WeightedRoundRobin `json:"weighted,omitempty"` - Mirroring *Mirroring `json:"mirroring,omitempty"` +// TraefikServiceSpec defines the desired state of a TraefikService. 
+type TraefikServiceSpec struct { + // Weighted defines the Weighted Round Robin configuration. + Weighted *WeightedRoundRobin `json:"weighted,omitempty"` + // Mirroring defines the Mirroring service configuration. + Mirroring *Mirroring `json:"mirroring,omitempty"` } // +k8s:deepcopy-gen=true -// Mirroring defines a mirroring service, which is composed of a main -// load-balancer, and a list of mirrors. +// Mirroring holds the mirroring service configuration. +// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#mirroring-service type Mirroring struct { LoadBalancerSpec `json:",inline"` - MaxBodySize *int64 `json:"maxBodySize,omitempty"` - Mirrors []MirrorService `json:"mirrors,omitempty"` + // MaxBodySize defines the maximum size allowed for the body of the request. + // If the body is larger, the request is not mirrored. + // Default value is -1, which means unlimited size. + MaxBodySize *int64 `json:"maxBodySize,omitempty"` + // Mirrors defines the list of mirrors where Traefik will duplicate the traffic. + Mirrors []MirrorService `json:"mirrors,omitempty"` } // +k8s:deepcopy-gen=true -// MirrorService defines one of the mirrors of a Mirroring service. +// MirrorService holds the mirror configuration. type MirrorService struct { LoadBalancerSpec `json:",inline"` + // Percent defines the part of the traffic to mirror. + // Supported values: 0 to 100. Percent int `json:"percent,omitempty"` } // +k8s:deepcopy-gen=true -// WeightedRoundRobin defines a load-balancer of services. +// WeightedRoundRobin holds the weighted round-robin configuration. +// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#weighted-round-robin-service type WeightedRoundRobin struct { - Services []Service `json:"services,omitempty"` - Sticky *dynamic.Sticky `json:"sticky,omitempty"` + // Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight. 
+ Services []Service `json:"services,omitempty"` + // Sticky defines whether sticky sessions are enabled. + // More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing + Sticky *dynamic.Sticky `json:"sticky,omitempty"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go index 72c06f144..564c6698a 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go @@ -8,9 +8,12 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:storageversion -// TLSOption is a specification for a TLSOption resource. +// TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection. +// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options type TLSOption struct { - metav1.TypeMeta `json:",inline"` + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ObjectMeta `json:"metadata"` Spec TLSOptionSpec `json:"spec"` 
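Review bot: Renaming the exported Go type `ServiceSpec` to `TraefikServiceSpec` (with its generated deep-copy methods) breaks any external Go code importing this `v1alpha1` package, even though the JSON wire format is unchanged. If those consumers matter, a deprecated alias keeps them compiling: `// Deprecated: use TraefikServiceSpec.` followed by `type ServiceSpec = TraefikServiceSpec`. The `Mirroring.MaxBodySize` comment gives the `-1` default but not the unit; if the mirroring handler enforces it in bytes, stating that in the comment would make the generated description self-contained.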
@@ -18,35 +21,54 @@ type TLSOption struct { // +k8s:deepcopy-gen=true -// TLSOptionSpec configures TLS for an entry point. +// TLSOptionSpec defines the desired state of a TLSOption. type TLSOptionSpec struct { - MinVersion string `json:"minVersion,omitempty"` - MaxVersion string `json:"maxVersion,omitempty"` - CipherSuites []string `json:"cipherSuites,omitempty"` - CurvePreferences []string `json:"curvePreferences,omitempty"` - ClientAuth ClientAuth `json:"clientAuth,omitempty"` - SniStrict bool `json:"sniStrict,omitempty"` - PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"` - ALPNProtocols []string `json:"alpnProtocols,omitempty"` + // MinVersion defines the minimum TLS version that Traefik will accept. + // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + // Default: VersionTLS10. + MinVersion string `json:"minVersion,omitempty"` + // MaxVersion defines the maximum TLS version that Traefik will accept. + // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + // Default: None. + MaxVersion string `json:"maxVersion,omitempty"` + // CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. + // More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites + CipherSuites []string `json:"cipherSuites,omitempty"` + // CurvePreferences defines the preferred elliptic curves in a specific order. + // More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences + CurvePreferences []string `json:"curvePreferences,omitempty"` + // ClientAuth defines the server's policy for TLS Client Authentication. + ClientAuth ClientAuth `json:"clientAuth,omitempty"` + // SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension. + SniStrict bool `json:"sniStrict,omitempty"` + // PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's. 
+ // It is enabled automatically when minVersion or maxVersion are set. + PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"` + // ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference. + // More info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols + ALPNProtocols []string `json:"alpnProtocols,omitempty"` } // +k8s:deepcopy-gen=true -// ClientAuth defines the parameters of the client authentication part of the TLS connection, if any. +// ClientAuth holds the TLS client authentication configuration. type ClientAuth struct { - // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. + // SecretNames defines the names of the referenced Kubernetes Secret storing certificate details. SecretNames []string `json:"secretNames,omitempty"` - // +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert // ClientAuthType defines the client authentication type to apply. + // +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert ClientAuthType string `json:"clientAuthType,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// TLSOptionList is a list of TLSOption resources. +// TLSOptionList is a collection of TLSOption resources. type TLSOptionList struct { metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ListMeta `json:"metadata"` + // Items is the list of TLSOption. Items []TLSOption `json:"items"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go index 404f07f96..1777449d6 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go 
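Review bot: The `SniStrict` comment is inverted: `defines whether Traefik allows connections from clients connections that do not specify a server_name extension` says true permits them, whereas strict SNI checking rejects such connections (and `clients connections` is a doubled word). Suggest `// SniStrict defines whether Traefik rejects connections from clients that do not specify a server_name extension.` The `MinVersion` description documents `Default: VersionTLS10`; since TLS 1.0 and 1.1 are deprecated protocol versions, adding `// TLS 1.0 and 1.1 are deprecated; setting VersionTLS12 or higher is recommended.` gives manifest authors the context they need to choose a value. Minor: `among his own` in the `PreferServerCipherSuites` comment should read `among its own`.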
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go @@ -8,9 +8,14 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:storageversion -// TLSStore is a specification for a TLSStore resource. +// TLSStore is the CRD implementation of a Traefik TLS Store. +// For the time being, only the TLSStore named default is supported. +// This means that you cannot have two stores that are named default in different Kubernetes namespaces. +// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores type TLSStore struct { - metav1.TypeMeta `json:",inline"` + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ObjectMeta `json:"metadata"` Spec TLSStoreSpec `json:"spec"` @@ -18,14 +23,15 @@ type TLSStore struct { // +k8s:deepcopy-gen=true -// TLSStoreSpec configures a TLSStore resource. +// TLSStoreSpec defines the desired state of a TLSStore. type TLSStoreSpec struct { + // DefaultCertificate defines the default certificate configuration. DefaultCertificate DefaultCertificate `json:"defaultCertificate"` } // +k8s:deepcopy-gen=true -// DefaultCertificate holds a secret name for the TLSOption resource. +// DefaultCertificate holds the default certificate configuration. type DefaultCertificate struct { // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. SecretName string `json:"secretName"` 
@@ -33,10 +39,13 @@ type DefaultCertificate struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// TLSStoreList is a list of TLSStore resources. +// TLSStoreList is a collection of TLSStore resources. type TLSStoreList struct { metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata metav1.ListMeta `json:"metadata"` + // Items is the list of TLSStore. Items []TLSStore `json:"items"` } diff --git a/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go b/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go index 9628ab921..bc7237838 100644 --- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go @@ -1140,32 +1140,6 @@ func (in *Service) DeepCopy() *Service { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) { - *out = *in - if in.Weighted != nil { - in, out := &in.Weighted, &out.Weighted - *out = new(WeightedRoundRobin) - (*in).DeepCopyInto(*out) - } - if in.Mirroring != nil { - in, out := &in.Mirroring, &out.Mirroring - *out = new(Mirroring) - (*in).DeepCopyInto(*out) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSpec. -func (in *ServiceSpec) DeepCopy() *ServiceSpec { - if in == nil { - return nil - } - out := new(ServiceSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceTCP) DeepCopyInto(out *ServiceTCP) { *out = *in 
@@ -1361,22 +1335,6 @@ func (in *TLSOptionSpec) DeepCopy() *TLSOptionSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLSOptionUDPRef) DeepCopyInto(out *TLSOptionUDPRef) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSOptionUDPRef. -func (in *TLSOptionUDPRef) DeepCopy() *TLSOptionUDPRef { - if in == nil { - return nil - } - out := new(TLSOptionUDPRef) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSStore) DeepCopyInto(out *TLSStore) { *out = *in
@@ -1563,6 +1521,32 @@ func (in *TraefikServiceList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TraefikServiceSpec) DeepCopyInto(out *TraefikServiceSpec) { + *out = *in + if in.Weighted != nil { + in, out := &in.Weighted, &out.Weighted + *out = new(WeightedRoundRobin) + (*in).DeepCopyInto(*out) + } + if in.Mirroring != nil { + in, out := &in.Mirroring, &out.Mirroring + *out = new(Mirroring) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TraefikServiceSpec. +func (in *TraefikServiceSpec) DeepCopy() *TraefikServiceSpec { + if in == nil { + return nil + } + out := new(TraefikServiceSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WeightedRoundRobin) DeepCopyInto(out *WeightedRoundRobin) { *out = *in
diff --git a/pkg/redactor/testdata/anonymized-dynamic-config.json b/pkg/redactor/testdata/anonymized-dynamic-config.json
index c55b17a5b..8236dcde7 100644
--- a/pkg/redactor/testdata/anonymized-dynamic-config.json
+++ b/pkg/redactor/testdata/anonymized-dynamic-config.json
@@ -283,6 +283,7 @@
 "notAfter": true,
 "notBefore": true,
 "sans": true,
+ "serialNumber": true,
 "subject": {
 "country": true,
 "province": true,
@@ -301,8 +302,7 @@
 "commonName": true,
 "serialNumber": true,
 "domainComponent": true
- },
- "serialNumber": true
+ }
 }
 },
 "retry": {
diff --git a/pkg/redactor/testdata/secured-dynamic-config.json b/pkg/redactor/testdata/secured-dynamic-config.json
index df5dc3795..cf71aab33 100644
--- a/pkg/redactor/testdata/secured-dynamic-config.json
+++ b/pkg/redactor/testdata/secured-dynamic-config.json
@@ -286,6 +286,7 @@
 "notAfter": true,
 "notBefore": true,
 "sans": true,
+ "serialNumber": true,
 "subject": {
 "country": true,
 "province": true,
@@ -304,8 +305,7 @@
 "commonName": true,
 "serialNumber": true,
 "domainComponent": true
- },
- "serialNumber": true
+ }
 }
 },
 "retry": {
diff --git a/script/code-gen.sh b/script/code-gen.sh
index 4704fcec8..7a4c9b5e6 100755
--- a/script/code-gen.sh
+++ b/script/code-gen.sh
@@ -32,8 +32,9 @@ docker run --rm \
 -w "/go/src/${PROJECT_MODULE}" \
 "${IMAGE_NAME}" $cmd
-echo "Concatenate the CRD definitions for the integration tests ..."
-cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml
+echo "Concatenate the CRD definitions for publication and integration tests ..."
+cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+cp -f $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml
 cp -r $(pwd)/${MODULE_VERSION}/* $(pwd)
 rm -rf $(pwd)/${MODULE_VERSION}
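Review bot: The added `cat` and `cp -f` lines in the code-gen.sh hunk leave every `$(pwd)` expansion unquoted, and if the `traefik.containo.us_*.yaml` glob matches nothing the `>` redirection has already truncated `kubernetes-crd-definition-v1.yml` before `cat` fails, after which `cp -f` copies that empty file over `integration/fixtures/k8s/01-traefik-crd.yml`. Whether the script runs under `set -e` is not visible in the hunk, but even then the truncated published definition is left behind. Quoting the expansions keeps paths with whitespace intact: `cat "$(pwd)"/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > "$(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"` and `cp -f "$(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" "$(pwd)/integration/fixtures/k8s/01-traefik-crd.yml"`, with `set -euo pipefail` at the top of the script (outside this hunk) so a missing input stops the run instead of publishing an empty file. The unchanged `rm -rf $(pwd)/${MODULE_VERSION}` context line has the same quoting gap and would remove the whole checkout if `MODULE_VERSION` were ever empty; `"$(pwd)/${MODULE_VERSION:?}"` guards against that.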
