baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Add documentation to Traefik CRD properties

Browse source 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
mloiseleur 2022-06-24 12:40:08 +02:00 committed by GitHub
parent ff17ac53df
commit 94141233f0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
35 changed files with 4755 additions and 892 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
docs/content/providers/kubernetes-crd.md
View file

@ -31,15 +31,14 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead. For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead.
??? example "Initializing Resource Definition and RBAC" !!! example "Installing Resource Definition and RBAC"
```yaml tab="Traefik Resource Definition" ```bash
# All resources definition must be declared # Install Traefik Resource Definitions:
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```
# Install RBAC for Traefik:
```yaml tab="RBAC for Traefik CRD" kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
``` ```
## Resource Configuration ## Resource Configuration

2236
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View file

File diff suppressed because it is too large Load diff

10
docs/content/reference/dynamic-configuration/kubernetes-crd.md
View file

@ -8,13 +8,19 @@ description: "Learn about the definitions, resources, and RBAC of dynamic config
Dynamic configuration with Kubernetes Custom Resource Dynamic configuration with Kubernetes Custom Resource
{: .subtitle } {: .subtitle }
!!! warning "Deprecated apiextensions.k8s.io/v1beta1 CRD"
The `apiextensions.k8s.io/v1beta1` CustomResourceDefinition is deprecated in Kubernetes `v1.16+` and will be removed in `v1.22+`.
For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead.
## Definitions ## Definitions
```yaml tab="apiextensions.k8s.io/v1" ```yaml tab="apiextensions.k8s.io/v1 (Kubernetes v1.16+)"
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"
``` ```
```yaml tab="apiextensions.k8s.io/v1beta1" ```yaml tab="apiextensions.k8s.io/v1beta1 (Deprecated)"
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml" --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml"
``` ```

121
docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml
View file

@ -19,7 +19,7 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: IngressRoute is an Ingress CRD specification. description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,96 +34,151 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: IngressRouteSpec is a specification for a IngressRouteSpec description: IngressRouteSpec defines the desired state of IngressRoute.
resource.
properties: properties:
entryPoints: entryPoints:
description: 'EntryPoints defines the list of entry point names to
bind to. Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
Default: all.'
items: items:
type: string type: string
type: array type: array
routes: routes:
description: Routes defines the list of routes.
items: items:
description: Route contains the set of routes. description: Route holds the HTTP route configuration.
properties: properties:
kind: kind:
description: Kind defines the kind of the route. Rule is the
only supported kind.
enum: enum:
- Rule - Rule
type: string type: string
match: match:
description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule'
type: string type: string
middlewares: middlewares:
description: 'Middlewares defines the list of references to
Middleware resources. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware'
items: items:
description: MiddlewareRef is a ref to the Middleware resources. description: MiddlewareRef is a reference to a Middleware
resource.
properties: properties:
name: name:
description: Name defines the name of the referenced Middleware
resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Middleware resource.
type: string type: string
required: required:
- name - name
type: object type: object
type: array type: array
priority: priority:
description: 'Priority defines the router''s priority. More
info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority'
type: integer type: integer
services: services:
description: Services defines the list of Service. It can contain
any combination of TraefikService and/or reference to a Kubernetes
Service.
items: items:
description: Service defines an upstream to proxy traffic. description: Service defines an upstream HTTP service to proxy
traffic to.
properties: properties:
kind: kind:
description: Kind defines the kind of the Service.
enum: enum:
- Service - Service
- TraefikService - TraefikService
type: string type: string
name: name:
description: Name is a reference to a Kubernetes Service description: Name defines the name of the referenced Kubernetes
object (for a load-balancer of servers), or to a TraefikService Service or TraefikService. The differentiation between
object (service load-balancer, mirroring, etc). The the two is specified in the Kind field.
differentiation between the two is specified in the
Kind field.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string type: string
passHostHeader: passHostHeader:
description: PassHostHeader defines whether the client
Host header is forwarded to the upstream Kubernetes
Service. By default, passHostHeader is true.
type: boolean type: boolean
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseForwarding: responseForwarding:
description: ResponseForwarding holds configuration for description: ResponseForwarding defines how Traefik forwards
the forward of the response. the response from the upstream Kubernetes Service to
the client.
properties: properties:
flushInterval: flushInterval:
description: 'FlushInterval defines the interval,
in milliseconds, in between flushes to the client
while copying the response body. A negative value
means to flush immediately after each write to the
client. This configuration is ignored when ReverseProxy
recognizes a response as a streaming response; for
such responses, writes are flushed to the client
immediately. Default: 100ms'
type: string type: string
type: object type: object
scheme: scheme:
description: Scheme defines the scheme to use for the
request to the upstream Kubernetes Service. It defaults
to https when Kubernetes Service port is 443, http otherwise.
type: string type: string
serversTransport: serversTransport:
description: ServersTransport defines the name of ServersTransport
resource to use. It allows to configure the transport
between Traefik and your servers. Can only be used on
a Kubernetes Service.
type: string type: string
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration description: Cookie defines the sticky cookie configuration.
based on cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as
JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie
can only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object
strategy: strategy:
description: Strategy defines the load balancing strategy
between the servers. RoundRobin is the only supported
value at the moment.
type: string type: string
weight: weight:
description: Weight should only be specified when Name description: Weight defines the weight and should only
references a TraefikService object (and to be precise, be specified when Name references a TraefikService object
one that embeds a Weighted Round Robin). (and to be precise, one that embeds a Weighted Round
Robin).
type: integer type: integer
required: required:
- name - name
@ -135,14 +190,16 @@ spec:
type: object type: object
type: array type: array
tls: tls:
description: "TLS contains the TLS certificates configuration of the description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls'
routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in
YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
# block format"
properties: properties:
certResolver: certResolver:
description: 'CertResolver defines the name of the certificate
resolver to use. Cert resolvers have to be configured in the
static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers'
type: string type: string
domains: domains:
description: 'Domains defines the list of domains that will be
used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains'
items: items:
description: Domain holds a domain name with SANs. description: Domain holds a domain name with SANs.
properties: properties:
@ -155,12 +212,17 @@ spec:
type: object type: object
type: array type: array
options: options:
description: Options is a reference to a TLSOption, that specifies description: 'Options defines the reference to a TLSOption, that
the parameters of the TLS connection. specifies the parameters of the TLS connection. If not defined,
the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
properties: properties:
name: name:
description: 'Name defines the name of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption'
type: string type: string
namespace: namespace:
description: 'Namespace defines the namespace of the referenced
TLSOption. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption'
type: string type: string
required: required:
- name - name
@ -170,12 +232,17 @@ spec:
Secret to specify the certificate details. Secret to specify the certificate details.
type: string type: string
store: store:
description: Store is a reference to a TLSStore, that specifies description: Store defines the reference to the TLSStore, that
the parameters of the TLS store. will be used to store certificates. Please note that only `default`
TLSStore can be used.
properties: properties:
name: name:
description: 'Name defines the name of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore'
type: string type: string
namespace: namespace:
description: 'Namespace defines the namespace of the referenced
TLSStore. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore'
type: string type: string
required: required:
- name - name

76
docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
View file

@ -19,7 +19,7 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: IngressRouteTCP is an Ingress CRD specification. description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,58 +34,89 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
resource.
properties: properties:
entryPoints: entryPoints:
description: 'EntryPoints defines the list of entry point names to
bind to. Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
Default: all.'
items: items:
type: string type: string
type: array type: array
routes: routes:
description: Routes defines the list of routes.
items: items:
description: RouteTCP contains the set of routes. description: RouteTCP holds the TCP route configuration.
properties: properties:
match: match:
description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1'
type: string type: string
middlewares: middlewares:
description: Middlewares contains references to MiddlewareTCP description: Middlewares defines the list of references to MiddlewareTCP
resources. resources.
items: items:
description: ObjectReference is a generic reference to a Traefik description: ObjectReference is a generic reference to a Traefik
resource. resource.
properties: properties:
name: name:
description: Name defines the name of the referenced Traefik
resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string type: string
required: required:
- name - name
type: object type: object
type: array type: array
priority: priority:
description: 'Priority defines the router''s priority. More
info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1'
type: integer type: integer
services: services:
description: Services defines the list of TCP services.
items: items:
description: ServiceTCP defines an upstream to proxy traffic. description: ServiceTCP defines an upstream TCP service to
proxy traffic to.
properties: properties:
name: name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string type: string
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
proxyProtocol: proxyProtocol:
description: ProxyProtocol holds the ProxyProtocol configuration. description: 'ProxyProtocol defines the PROXY protocol
configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol'
properties: properties:
version: version:
description: Version defines the PROXY Protocol version
to use.
type: integer type: integer
type: object type: object
terminationDelay: terminationDelay:
description: TerminationDelay defines the deadline that
the proxy sets, after one of its connected peers indicates
it has closed the writing capability of its connection,
to close the reading capability as well, hence fully
terminating the connection. It is a duration in milliseconds,
defaulting to 100. A negative value means an infinite
deadline (i.e. the reading capability is never closed).
type: integer type: integer
weight: weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
type: integer type: integer
required: required:
- name - name
@ -97,14 +128,17 @@ spec:
type: object type: object
type: array type: array
tls: tls:
description: "TLSTCP contains the TLS certificates configuration of description: 'TLS defines the TLS configuration on a layer 4 / TCP
the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. Route. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1'
in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
# block format"
properties: properties:
certResolver: certResolver:
description: 'CertResolver defines the name of the certificate
resolver to use. Cert resolvers have to be configured in the
static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers'
type: string type: string
domains: domains:
description: 'Domains defines the list of domains that will be
used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains'
items: items:
description: Domain holds a domain name with SANs. description: Domain holds a domain name with SANs.
properties: properties:
@ -117,29 +151,41 @@ spec:
type: object type: object
type: array type: array
options: options:
description: Options is a reference to a TLSOption, that specifies description: 'Options defines the reference to a TLSOption, that
the parameters of the TLS connection. specifies the parameters of the TLS connection. If not defined,
the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
properties: properties:
name: name:
description: Name defines the name of the referenced Traefik
resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string type: string
required: required:
- name - name
type: object type: object
passthrough: passthrough:
description: Passthrough defines whether a TLS router will terminate
the TLS connection.
type: boolean type: boolean
secretName: secretName:
description: SecretName is the name of the referenced Kubernetes description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details. Secret to specify the certificate details.
type: string type: string
store: store:
description: Store is a reference to a TLSStore, that specifies description: Store defines the reference to the TLSStore, that
the parameters of the TLS store. will be used to store certificates. Please note that only `default`
TLSStore can be used.
properties: properties:
name: name:
description: Name defines the name of the referenced Traefik
resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Traefik resource.
type: string type: string
required: required:
- name - name

24
docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml
View file

@ -19,7 +19,7 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: IngressRouteUDP is an Ingress CRD specification. description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,31 +34,45 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
resource.
properties: properties:
entryPoints: entryPoints:
description: 'EntryPoints defines the list of entry point names to
bind to. Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
Default: all.'
items: items:
type: string type: string
type: array type: array
routes: routes:
description: Routes defines the list of routes.
items: items:
description: RouteUDP contains the set of routes. description: RouteUDP holds the UDP route configuration.
properties: properties:
services: services:
description: Services defines the list of UDP services.
items: items:
description: ServiceUDP defines an upstream to proxy traffic. description: ServiceUDP defines an upstream UDP service to
proxy traffic to.
properties: properties:
name: name:
description: Name defines the name of the referenced Kubernetes
Service.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service.
type: string type: string
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
weight: weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
type: integer type: integer
required: required:
- name - name

483
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
View file

@ -19,7 +19,8 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: Middleware is a specification for a Middleware resource. description: 'Middleware is the CRD implementation of a Traefik Middleware.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/'
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,54 +35,99 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: MiddlewareSpec holds the Middleware configuration. description: MiddlewareSpec defines the desired state of a Middleware.
properties: properties:
addPrefix: addPrefix:
description: AddPrefix holds the AddPrefix configuration. description: 'AddPrefix holds the add prefix middleware configuration.
This middleware updates the path of a request before forwarding
it. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/'
properties: properties:
prefix: prefix:
description: Prefix is the string to add before the current path
in the requested URL. It should include a leading slash (/).
type: string type: string
type: object type: object
basicAuth: basicAuth:
description: BasicAuth holds the HTTP basic authentication configuration. description: 'BasicAuth holds the basic auth middleware configuration.
This middleware restricts access to your services to known users.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/'
properties: properties:
headerField: headerField:
description: 'HeaderField defines a header field to store the
authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield'
type: string type: string
realm: realm:
description: 'Realm allows the protected resources on a server
to be partitioned into a set of protection spaces, each with
its own authentication scheme. Default: traefik.'
type: string type: string
removeHeader: removeHeader:
description: 'RemoveHeader sets the removeHeader option to true
to remove the authorization header before forwarding the request
to your service. Default: false.'
type: boolean type: boolean
secret: secret:
description: Secret is the name of the referenced Kubernetes Secret
containing user credentials.
type: string type: string
type: object type: object
buffering: buffering:
description: Buffering holds the request/response buffering configuration. description: 'Buffering holds the buffering middleware configuration.
This middleware retries or limits the size of requests that can
be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes'
properties: properties:
maxRequestBodyBytes: maxRequestBodyBytes:
description: 'MaxRequestBodyBytes defines the maximum allowed
body size for the request (in bytes). If the request exceeds
the allowed size, it is not forwarded to the service, and the
client gets a 413 (Request Entity Too Large) response. Default:
0 (no maximum).'
format: int64 format: int64
type: integer type: integer
maxResponseBodyBytes: maxResponseBodyBytes:
description: 'MaxResponseBodyBytes defines the maximum allowed
response size from the service (in bytes). If the response exceeds
the allowed size, it is not forwarded to the client. The client
gets a 500 (Internal Server Error) response instead. Default:
0 (no maximum).'
format: int64 format: int64
type: integer type: integer
memRequestBodyBytes: memRequestBodyBytes:
description: 'MemRequestBodyBytes defines the threshold (in bytes)
from which the request will be buffered on disk instead of in
memory. Default: 1048576 (1Mi).'
format: int64 format: int64
type: integer type: integer
memResponseBodyBytes: memResponseBodyBytes:
description: 'MemResponseBodyBytes defines the threshold (in bytes)
from which the response will be buffered on disk instead of
in memory. Default: 1048576 (1Mi).'
format: int64 format: int64
type: integer type: integer
retryExpression: retryExpression:
description: 'RetryExpression defines the retry conditions. It
is a logical combination of functions with operators AND (&&)
and OR (||). More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression'
type: string type: string
type: object type: object
chain: chain:
description: Chain holds a chain of middlewares. description: 'Chain holds the configuration of the chain middleware.
This middleware enables to define reusable combinations of other
pieces of middleware. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/'
properties: properties:
middlewares: middlewares:
description: Middlewares is the list of MiddlewareRef which composes
the chain.
items: items:
description: MiddlewareRef is a ref to the Middleware resources. description: MiddlewareRef is a reference to a Middleware resource.
properties: properties:
name: name:
description: Name defines the name of the referenced Middleware
resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Middleware resource.
type: string type: string
required: required:
- name - name
@ -89,165 +135,261 @@ spec:
type: array type: array
type: object type: object
circuitBreaker: circuitBreaker:
description: CircuitBreaker holds the circuit breaker configuration. description: 'CircuitBreaker holds the circuit breaker middleware
configuration. This middleware protects the system from stacking
requests to unhealthy services, resulting in cascading failures.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/'
properties: properties:
expression: expression:
description: Expression defines the expression that, once matched,
opens the circuit breaker and applies the fallback mechanism
instead of calling the services.
type: string type: string
type: object type: object
compress: compress:
description: Compress holds the compress configuration. description: 'Compress holds the compress middleware configuration.
This middleware compresses responses before sending them to the
client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/'
properties: properties:
excludedContentTypes: excludedContentTypes:
description: ExcludedContentTypes defines the list of content
types to compare the Content-Type header of the incoming requests
and responses before compressing.
items: items:
type: string type: string
type: array type: array
minResponseBodyBytes: minResponseBodyBytes:
description: 'MinResponseBodyBytes defines the minimum amount
of bytes a response body must have to be compressed. Default:
1024.'
type: integer type: integer
type: object type: object
contentType: contentType:
description: ContentType middleware - or rather its unique `autoDetect` description: ContentType holds the content-type middleware configuration.
option - specifies whether to let the `Content-Type` header, if This middleware exists to enable the correct behavior until at least
it has not been set by the backend, be automatically set to a value the default one can be changed in a future version.
derived from the contents of the response. As a proxy, the default
behavior should be to leave the header alone, regardless of what
the backend did with it. However, the historic default was to always
auto-detect and set the header if it was nil, and it is going to
be kept that way in order to support users currently relying on
it. This middleware exists to enable the correct behavior until
at least the default one can be changed in a future version.
properties: properties:
autoDetect: autoDetect:
description: AutoDetect specifies whether to let the `Content-Type`
header, if it has not been set by the backend, be automatically
set to a value derived from the contents of the response. As
a proxy, the default behavior should be to leave the header
alone, regardless of what the backend did with it. However,
the historic default was to always auto-detect and set the header
if it was nil, and it is going to be kept that way in order
to support users currently relying on it.
type: boolean type: boolean
type: object type: object
digestAuth: digestAuth:
description: DigestAuth holds the Digest HTTP authentication configuration. description: 'DigestAuth holds the digest auth middleware configuration.
This middleware restricts access to your services to known users.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/'
properties: properties:
headerField: headerField:
description: 'HeaderField defines a header field to store the
authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield'
type: string type: string
realm: realm:
description: 'Realm allows the protected resources on a server
to be partitioned into a set of protection spaces, each with
its own authentication scheme. Default: traefik.'
type: string type: string
removeHeader: removeHeader:
description: RemoveHeader defines whether to remove the authorization
header before forwarding the request to the backend.
type: boolean type: boolean
secret: secret:
description: Secret is the name of the referenced Kubernetes Secret
containing user credentials.
type: string type: string
type: object type: object
errors: errors:
description: ErrorPage holds the custom error page configuration. description: 'ErrorPage holds the custom error middleware configuration.
This middleware returns a custom page in lieu of the default, according
to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/'
properties: properties:
query: query:
description: Query defines the URL for the error page (hosted
by service). The {status} variable can be used in order to insert
the status code in the URL.
type: string type: string
service: service:
description: Service defines an upstream to proxy traffic. description: 'Service defines the reference to a Kubernetes Service
that will serve the error page. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service'
properties: properties:
kind: kind:
description: Kind defines the kind of the Service.
enum: enum:
- Service - Service
- TraefikService - TraefikService
type: string type: string
name: name:
description: Name is a reference to a Kubernetes Service object description: Name defines the name of the referenced Kubernetes
(for a load-balancer of servers), or to a TraefikService Service or TraefikService. The differentiation between the
object (service load-balancer, mirroring, etc). The differentiation two is specified in the Kind field.
between the two is specified in the Kind field.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string type: string
passHostHeader: passHostHeader:
description: PassHostHeader defines whether the client Host
header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean type: boolean
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseForwarding: responseForwarding:
description: ResponseForwarding holds configuration for the description: ResponseForwarding defines how Traefik forwards
forward of the response. the response from the upstream Kubernetes Service to the
client.
properties: properties:
flushInterval: flushInterval:
description: 'FlushInterval defines the interval, in milliseconds,
in between flushes to the client while copying the response
body. A negative value means to flush immediately after
each write to the client. This configuration is ignored
when ReverseProxy recognizes a response as a streaming
response; for such responses, writes are flushed to
the client immediately. Default: 100ms'
type: string type: string
type: object type: object
scheme: scheme:
description: Scheme defines the scheme to use for the request
to the upstream Kubernetes Service. It defaults to https
when Kubernetes Service port is 443, http otherwise.
type: string type: string
serversTransport: serversTransport:
description: ServersTransport defines the name of ServersTransport
resource to use. It allows to configure the transport between
Traefik and your servers. Can only be used on a Kubernetes
Service.
type: string type: string
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration based description: Cookie defines the sticky cookie configuration.
on cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie can
be accessed by client-side APIs, such as JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object
strategy: strategy:
description: Strategy defines the load balancing strategy
between the servers. RoundRobin is the only supported value
at the moment.
type: string type: string
weight: weight:
description: Weight should only be specified when Name references description: Weight defines the weight and should only be
a TraefikService object (and to be precise, one that embeds specified when Name references a TraefikService object (and
a Weighted Round Robin). to be precise, one that embeds a Weighted Round Robin).
type: integer type: integer
required: required:
- name - name
type: object type: object
status: status:
description: Status defines which status or range of statuses
should result in an error page. It can be either a status code
as a number (500), as multiple comma-separated numbers (500,502),
as ranges by separating two codes with a dash (500-599), or
a combination of the two (404,418,500-599).
items: items:
type: string type: string
type: array type: array
type: object type: object
forwardAuth: forwardAuth:
description: ForwardAuth holds the http forward authentication configuration. description: 'ForwardAuth holds the forward auth middleware configuration.
This middleware delegates the request authentication to a Service.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/'
properties: properties:
address: address:
description: Address defines the authentication server address.
type: string type: string
authRequestHeaders: authRequestHeaders:
description: AuthRequestHeaders defines the list of the headers
to copy from the request to the authentication server. If not
set or empty then all request headers are passed.
items: items:
type: string type: string
type: array type: array
authResponseHeaders: authResponseHeaders:
description: AuthResponseHeaders defines the list of headers to
copy from the authentication server response and set on forwarded
request, replacing any existing conflicting headers.
items: items:
type: string type: string
type: array type: array
authResponseHeadersRegex: authResponseHeadersRegex:
description: 'AuthResponseHeadersRegex defines the regex to match
headers to copy from the authentication server response and
set on forwarded request, after stripping all headers that match
the regex. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex'
type: string type: string
tls: tls:
description: ClientTLS holds TLS specific configurations as client. description: TLS defines the configuration used to secure the
connection to the authentication server.
properties: properties:
caOptional: caOptional:
type: boolean type: boolean
caSecret: caSecret:
description: CASecret is the name of the referenced Kubernetes
Secret containing the CA to validate the server certificate.
The CA certificate is extracted from key `tls.ca` or `ca.crt`.
type: string type: string
certSecret: certSecret:
description: CertSecret is the name of the referenced Kubernetes
Secret containing the client certificate. The client certificate
is extracted from the keys `tls.crt` and `tls.key`.
type: string type: string
insecureSkipVerify: insecureSkipVerify:
description: InsecureSkipVerify defines whether the server
certificates should be validated.
type: boolean type: boolean
type: object type: object
trustForwardHeader: trustForwardHeader:
description: 'TrustForwardHeader defines whether to trust (ie:
forward) all X-Forwarded-* headers.'
type: boolean type: boolean
type: object type: object
headers: headers:
description: Headers holds the custom header configuration. description: 'Headers holds the headers middleware configuration.
This middleware manages the requests and responses headers. More
info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders'
properties: properties:
accessControlAllowCredentials: accessControlAllowCredentials:
description: AccessControlAllowCredentials is only valid if true. description: AccessControlAllowCredentials defines whether the
false is ignored. request can include user credentials.
type: boolean type: boolean
accessControlAllowHeaders: accessControlAllowHeaders:
description: AccessControlAllowHeaders must be used in response description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
to a preflight request with Access-Control-Request-Headers set. values sent in preflight response.
items: items:
type: string type: string
type: array type: array
accessControlAllowMethods: accessControlAllowMethods:
description: AccessControlAllowMethods must be used in response description: AccessControlAllowMethods defines the Access-Control-Request-Method
to a preflight request with Access-Control-Request-Method set. values sent in preflight response.
items: items:
type: string type: string
type: array type: array
@ -264,60 +406,96 @@ spec:
type: string type: string
type: array type: array
accessControlExposeHeaders: accessControlExposeHeaders:
description: AccessControlExposeHeaders sets valid headers for description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
the response. values sent in preflight response.
items: items:
type: string type: string
type: array type: array
accessControlMaxAge: accessControlMaxAge:
description: AccessControlMaxAge sets the time that a preflight description: AccessControlMaxAge defines the time that a preflight
request may be cached. request may be cached.
format: int64 format: int64
type: integer type: integer
addVaryHeader: addVaryHeader:
description: AddVaryHeader controls if the Vary header is automatically description: AddVaryHeader defines whether the Vary header is
added/updated when the AccessControlAllowOriginList is set. automatically added/updated when the AccessControlAllowOriginList
is set.
type: boolean type: boolean
allowedHosts: allowedHosts:
description: AllowedHosts defines the fully qualified list of
allowed domain names.
items: items:
type: string type: string
type: array type: array
browserXssFilter: browserXssFilter:
description: BrowserXSSFilter defines whether to add the X-XSS-Protection
header with the value 1; mode=block.
type: boolean type: boolean
contentSecurityPolicy: contentSecurityPolicy:
description: ContentSecurityPolicy defines the Content-Security-Policy
header value.
type: string type: string
contentTypeNosniff: contentTypeNosniff:
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
header with the nosniff value.
type: boolean type: boolean
customBrowserXSSValue: customBrowserXSSValue:
description: CustomBrowserXSSValue defines the X-XSS-Protection
header value. This overrides the BrowserXssFilter option.
type: string type: string
customFrameOptionsValue: customFrameOptionsValue:
description: CustomFrameOptionsValue defines the X-Frame-Options
header value. This overrides the FrameDeny option.
type: string type: string
customRequestHeaders: customRequestHeaders:
additionalProperties: additionalProperties:
type: string type: string
description: CustomRequestHeaders defines the header names and
values to apply to the request.
type: object type: object
customResponseHeaders: customResponseHeaders:
additionalProperties: additionalProperties:
type: string type: string
description: CustomResponseHeaders defines the header names and
values to apply to the response.
type: object type: object
featurePolicy: featurePolicy:
description: 'Deprecated: use PermissionsPolicy instead.' description: 'Deprecated: use PermissionsPolicy instead.'
type: string type: string
forceSTSHeader: forceSTSHeader:
description: ForceSTSHeader defines whether to add the STS header
even when the connection is HTTP.
type: boolean type: boolean
frameDeny: frameDeny:
description: FrameDeny defines whether to add the X-Frame-Options
header with the DENY value.
type: boolean type: boolean
hostsProxyHeaders: hostsProxyHeaders:
description: HostsProxyHeaders defines the header keys that may
hold a proxied hostname value for the request.
items: items:
type: string type: string
type: array type: array
isDevelopment: isDevelopment:
description: IsDevelopment defines whether to mitigate the unwanted
effects of the AllowedHosts, SSL, and STS options when developing.
Usually testing takes place using HTTP, not HTTPS, and on localhost,
not your production domain. If you would like your development
environment to mimic production with complete Host blocking,
SSL redirects, and STS headers, leave this as false.
type: boolean type: boolean
permissionsPolicy: permissionsPolicy:
description: PermissionsPolicy defines the Permissions-Policy
header value. This allows sites to control browser features.
type: string type: string
publicKey: publicKey:
description: PublicKey is the public key that implements HPKP
to prevent MITM attacks with forged certificates.
type: string type: string
referrerPolicy: referrerPolicy:
description: ReferrerPolicy defines the Referrer-Policy header
value. This allows sites to control whether browsers forward
the Referer header to other sites.
type: string type: string
sslForceHost: sslForceHost:
description: 'Deprecated: use RedirectRegex instead.' description: 'Deprecated: use RedirectRegex instead.'
@ -328,6 +506,10 @@ spec:
sslProxyHeaders: sslProxyHeaders:
additionalProperties: additionalProperties:
type: string type: string
description: 'SSLProxyHeaders defines the header keys with associated
values that would indicate a valid HTTPS request. It can be
useful when using other proxies (example: "X-Forwarded-Proto":
"https").'
type: object type: object
sslRedirect: sslRedirect:
description: 'Deprecated: use EntryPoint redirection or RedirectScheme description: 'Deprecated: use EntryPoint redirection or RedirectScheme
@ -338,119 +520,192 @@ spec:
instead.' instead.'
type: boolean type: boolean
stsIncludeSubdomains: stsIncludeSubdomains:
description: STSIncludeSubdomains defines whether the includeSubDomains
directive is appended to the Strict-Transport-Security header.
type: boolean type: boolean
stsPreload: stsPreload:
description: STSPreload defines whether the preload flag is appended
to the Strict-Transport-Security header.
type: boolean type: boolean
stsSeconds: stsSeconds:
description: STSSeconds defines the max-age of the Strict-Transport-Security
header. If set to 0, the header is not set.
format: int64 format: int64
type: integer type: integer
type: object type: object
inFlightReq: inFlightReq:
description: InFlightReq limits the number of requests being processed description: 'InFlightReq holds the in-flight request middleware configuration.
and served concurrently. This middleware limits the number of requests being processed and
served concurrently. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/'
properties: properties:
amount: amount:
description: Amount defines the maximum amount of allowed simultaneous
in-flight request. The middleware responds with HTTP 429 Too
Many Requests if there are already amount requests in progress
(based on the same sourceCriterion strategy).
format: int64 format: int64
type: integer type: integer
sourceCriterion: sourceCriterion:
description: SourceCriterion defines what criterion is used to description: 'SourceCriterion defines what criterion is used to
group requests as originating from a common source. If none group requests as originating from a common source. If several
are set, the default is to use the request's remote address strategies are defined at the same time, an error will be raised.
field. All fields are mutually exclusive. If none are set, the default is to use the requestHost. More
info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion'
properties: properties:
ipStrategy: ipStrategy:
description: IPStrategy holds the ip strategy configuration. description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
properties: properties:
depth: depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position
(starting from the right).
type: integer type: integer
excludedIPs: excludedIPs:
description: ExcludedIPs configures Traefik to scan the
X-Forwarded-For header and select the first IP not in
the list.
items: items:
type: string type: string
type: array type: array
type: object type: object
requestHeaderName: requestHeaderName:
description: RequestHeaderName defines the name of the header
used to group incoming requests.
type: string type: string
requestHost: requestHost:
description: RequestHost defines whether to consider the request
Host as the source.
type: boolean type: boolean
type: object type: object
type: object type: object
ipWhiteList: ipWhiteList:
description: IPWhiteList holds the ip white list configuration. description: 'IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/'
properties: properties:
ipStrategy: ipStrategy:
description: IPStrategy holds the ip strategy configuration. description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
properties: properties:
depth: depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position (starting
from the right).
type: integer type: integer
excludedIPs: excludedIPs:
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
header and select the first IP not in the list.
items: items:
type: string type: string
type: array type: array
type: object type: object
sourceRange: sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
items: items:
type: string type: string
type: array type: array
type: object type: object
passTLSClientCert: passTLSClientCert:
description: PassTLSClientCert holds the TLS client cert headers configuration. description: 'PassTLSClientCert holds the pass TLS client cert middleware
configuration. This middleware adds the selected data from the passed
client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/'
properties: properties:
info: info:
description: TLSClientCertificateInfo holds the client TLS certificate description: Info selects the specific client certificate details
info configuration. you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
properties: properties:
issuer: issuer:
description: TLSClientCertificateIssuerDNInfo holds the client description: Issuer defines the client certificate issuer
TLS certificate distinguished name info configuration. cf details to add to the X-Forwarded-Tls-Client-Cert-Info header.
https://tools.ietf.org/html/rfc3739
properties: properties:
commonName: commonName:
description: CommonName defines whether to add the organizationalUnit
information into the issuer.
type: boolean type: boolean
country: country:
description: Country defines whether to add the country
information into the issuer.
type: boolean type: boolean
domainComponent: domainComponent:
description: DomainComponent defines whether to add the
domainComponent information into the issuer.
type: boolean type: boolean
locality: locality:
description: Locality defines whether to add the locality
information into the issuer.
type: boolean type: boolean
organization: organization:
description: Organization defines whether to add the organization
information into the issuer.
type: boolean type: boolean
province: province:
description: Province defines whether to add the province
information into the issuer.
type: boolean type: boolean
serialNumber: serialNumber:
description: SerialNumber defines whether to add the serialNumber
information into the issuer.
type: boolean type: boolean
type: object type: object
notAfter: notAfter:
description: NotAfter defines whether to add the Not After
information from the Validity part.
type: boolean type: boolean
notBefore: notBefore:
description: NotBefore defines whether to add the Not Before
information from the Validity part.
type: boolean type: boolean
sans: sans:
description: Sans defines whether to add the Subject Alternative
Name information from the Subject Alternative Name part.
type: boolean type: boolean
serialNumber: serialNumber:
description: SerialNumber defines whether to add the client
serialNumber information.
type: boolean type: boolean
subject: subject:
description: TLSClientCertificateSubjectDNInfo holds the client description: Subject defines the client certificate subject
TLS certificate distinguished name info configuration. cf details to add to the X-Forwarded-Tls-Client-Cert-Info header.
https://tools.ietf.org/html/rfc3739
properties: properties:
commonName: commonName:
description: CommonName defines whether to add the organizationalUnit
information into the subject.
type: boolean type: boolean
country: country:
description: Country defines whether to add the country
information into the subject.
type: boolean type: boolean
domainComponent: domainComponent:
description: DomainComponent defines whether to add the
domainComponent information into the subject.
type: boolean type: boolean
locality: locality:
description: Locality defines whether to add the locality
information into the subject.
type: boolean type: boolean
organization: organization:
description: Organization defines whether to add the organization
information into the subject.
type: boolean type: boolean
organizationalUnit: organizationalUnit:
description: OrganizationalUnit defines whether to add
the organizationalUnit information into the subject.
type: boolean type: boolean
province: province:
description: Province defines whether to add the province
information into the subject.
type: boolean type: boolean
serialNumber: serialNumber:
description: SerialNumber defines whether to add the serialNumber
information into the subject.
type: boolean type: boolean
type: object type: object
type: object type: object
pem: pem:
description: PEM sets the X-Forwarded-Tls-Client-Cert header with
the escaped certificate.
type: boolean type: boolean
type: object type: object
plugin: plugin:
@ -458,101 +713,171 @@ spec:
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
rateLimit: rateLimit:
description: RateLimit holds the rate limiting configuration for a description: 'RateLimit holds the rate limit configuration. This middleware
given router. ensures that services will receive a fair amount of requests, and
allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/'
properties: properties:
average: average:
description: Average is the maximum rate, by default in requests/s,
allowed for the given source. It defaults to 0, which means
no rate limiting. The rate is actually defined by dividing Average
by Period. So for a rate below 1req/s, one needs to define a
Period larger than a second.
format: int64 format: int64
type: integer type: integer
burst: burst:
description: Burst is the maximum number of requests allowed to
arrive in the same arbitrarily small period of time. It defaults
to 1.
format: int64 format: int64
type: integer type: integer
period: period:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: 'Period, in combination with Average, defines the
actual maximum rate, such as: r = Average / Period. It defaults
to a second.'
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
sourceCriterion: sourceCriterion:
description: SourceCriterion defines what criterion is used to description: SourceCriterion defines what criterion is used to
group requests as originating from a common source. If none group requests as originating from a common source. If several
are set, the default is to use the request's remote address strategies are defined at the same time, an error will be raised.
field. All fields are mutually exclusive. If none are set, the default is to use the request's remote
address field (as an ipStrategy).
properties: properties:
ipStrategy: ipStrategy:
description: IPStrategy holds the ip strategy configuration. description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
properties: properties:
depth: depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position
(starting from the right).
type: integer type: integer
excludedIPs: excludedIPs:
description: ExcludedIPs configures Traefik to scan the
X-Forwarded-For header and select the first IP not in
the list.
items: items:
type: string type: string
type: array type: array
type: object type: object
requestHeaderName: requestHeaderName:
description: RequestHeaderName defines the name of the header
used to group incoming requests.
type: string type: string
requestHost: requestHost:
description: RequestHost defines whether to consider the request
Host as the source.
type: boolean type: boolean
type: object type: object
type: object type: object
redirectRegex: redirectRegex:
description: RedirectRegex holds the redirection configuration. description: 'RedirectRegex holds the redirect regex middleware configuration.
This middleware redirects a request using regex matching and replacement.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex'
properties: properties:
permanent: permanent:
description: Permanent defines whether the redirection is permanent
(301).
type: boolean type: boolean
regex: regex:
description: Regex defines the regex used to match and capture
elements from the request URL.
type: string type: string
replacement: replacement:
description: Replacement defines how to modify the URL to have
the new target URL.
type: string type: string
type: object type: object
redirectScheme: redirectScheme:
description: RedirectScheme holds the scheme redirection configuration. description: 'RedirectScheme holds the redirect scheme middleware
configuration. This middleware redirects requests from a scheme/port
to another. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/'
properties: properties:
permanent: permanent:
description: Permanent defines whether the redirection is permanent
(301).
type: boolean type: boolean
port: port:
description: Port defines the port of the new URL.
type: string type: string
scheme: scheme:
description: Scheme defines the scheme of the new URL.
type: string type: string
type: object type: object
replacePath: replacePath:
description: ReplacePath holds the ReplacePath configuration. description: 'ReplacePath holds the replace path middleware configuration.
This middleware replaces the path of the request URL and store the
original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/'
properties: properties:
path: path:
description: Path defines the path to use as replacement in the
request URL.
type: string type: string
type: object type: object
replacePathRegex: replacePathRegex:
description: ReplacePathRegex holds the ReplacePathRegex configuration. description: 'ReplacePathRegex holds the replace path regex middleware
configuration. This middleware replaces the path of a URL using
regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/'
properties: properties:
regex: regex:
description: Regex defines the regular expression used to match
and capture the path from the request URL.
type: string type: string
replacement: replacement:
description: Replacement defines the replacement path format,
which can include captured variables.
type: string type: string
type: object type: object
retry: retry:
description: Retry holds the retry configuration. description: 'Retry holds the retry middleware configuration. This
middleware reissues requests a given number of times to a backend
server if that server does not reply. As soon as the server answers,
the middleware stops retrying, regardless of the response status.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/'
properties: properties:
attempts: attempts:
description: Attempts defines how many times the request should
be retried.
type: integer type: integer
initialInterval: initialInterval:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: InitialInterval defines the first wait time in the
exponential backoff series. The maximum interval is calculated
as twice the initialInterval. If unspecified, requests will
be retried immediately. The value of initialInterval should
be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
type: object type: object
stripPrefix: stripPrefix:
description: StripPrefix holds the StripPrefix configuration. description: 'StripPrefix holds the strip prefix middleware configuration.
This middleware removes the specified prefixes from the URL path.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/'
properties: properties:
forceSlash: forceSlash:
description: 'ForceSlash ensures that the resulting stripped path
is not the empty string, by replacing it with / when necessary.
Default: true.'
type: boolean type: boolean
prefixes: prefixes:
description: Prefixes defines the prefixes to strip from the request
URL.
items: items:
type: string type: string
type: array type: array
type: object type: object
stripPrefixRegex: stripPrefixRegex:
description: StripPrefixRegex holds the StripPrefixRegex configuration. description: 'StripPrefixRegex holds the strip prefix regex middleware
configuration. This middleware removes the matching prefixes from
the URL path. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/'
properties: properties:
regex: regex:
description: Regex defines the regular expression to match the
path prefix from the request URL.
items: items:
type: string type: string
type: array type: array

14
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
View file

@ -19,7 +19,8 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: MiddlewareTCP is a specification for a MiddlewareTCP resource. description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/'
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,19 +35,24 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: MiddlewareTCPSpec holds the MiddlewareTCP configuration. description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
properties: properties:
inFlightConn: inFlightConn:
description: TCPInFlightConn holds the TCP in flight connection configuration. description: InFlightConn defines the InFlightConn middleware configuration.
properties: properties:
amount: amount:
description: Amount defines the maximum amount of allowed simultaneous
connections. The middleware closes the connection if there are
already amount connections opened.
format: int64 format: int64
type: integer type: integer
type: object type: object
ipWhiteList: ipWhiteList:
description: TCPIPWhiteList holds the TCP ip white list configuration. description: IPWhiteList defines the IPWhiteList middleware configuration.
properties: properties:
sourceRange: sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items: items:
type: string type: string
type: array type: array

40
docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
View file

@ -19,7 +19,10 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: ServersTransport is a specification for a ServersTransport resource. description: 'ServersTransport is the CRD implementation of a ServersTransport.
If no serversTransport is specified, the default@internal will be used.
The default@internal serversTransport is created from the static configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1'
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,27 +37,28 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: ServersTransportSpec options to configure communication between description: ServersTransportSpec defines the desired state of a ServersTransport.
Traefik and the servers.
properties: properties:
certificatesSecrets: certificatesSecrets:
description: Certificates for mTLS. description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items: items:
type: string type: string
type: array type: array
disableHTTP2: disableHTTP2:
description: Disable HTTP/2 for connections with backend servers. description: DisableHTTP2 disables HTTP/2 for connections with backend
servers.
type: boolean type: boolean
forwardingTimeouts: forwardingTimeouts:
description: Timeouts for requests forwarded to the backend servers. description: ForwardingTimeouts defines the timeouts for requests
forwarded to the backend servers.
properties: properties:
dialTimeout: dialTimeout:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: DialTimeout is the amount of time to wait until a description: DialTimeout is the amount of time to wait until a
connection to a backend server can be established. If zero, connection to a backend server can be established.
no timeout exists.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
idleConnTimeout: idleConnTimeout:
anyOf: anyOf:
@ -77,7 +81,7 @@ spec:
- type: string - type: string
description: ReadIdleTimeout is the timeout after which a health description: ReadIdleTimeout is the timeout after which a health
check using ping frame will be carried out if no frame is received check using ping frame will be carried out if no frame is received
on the HTTP/2 connection. If zero, no health check is performed. on the HTTP/2 connection.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseHeaderTimeout: responseHeaderTimeout:
anyOf: anyOf:
@ -85,27 +89,29 @@ spec:
- type: string - type: string
description: ResponseHeaderTimeout is the amount of time to wait description: ResponseHeaderTimeout is the amount of time to wait
for a server's response headers after fully writing the request for a server's response headers after fully writing the request
(including its body, if any). If zero, no timeout exists. (including its body, if any).
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
type: object type: object
insecureSkipVerify: insecureSkipVerify:
description: Disable SSL certificate verification. description: InsecureSkipVerify disables SSL certificate verification.
type: boolean type: boolean
maxIdleConnsPerHost: maxIdleConnsPerHost:
description: If non-zero, controls the maximum idle (keep-alive) to description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. to keep per-host.
type: integer type: integer
peerCertURI: peerCertURI:
description: URI used to match against SAN URI during the peer certificate description: PeerCertURI defines the peer cert URI used to match against
verification. SAN URI during the peer certificate verification.
type: string type: string
rootCAsSecrets: rootCAsSecrets:
description: Add cert file for self-signed certificate. description: RootCAsSecrets defines a list of CA secret used to validate
self-signed certificate.
items: items:
type: string type: string
type: array type: array
serverName: serverName:
description: ServerName used to contact the server. description: ServerName defines the server name used to contact the
server.
type: string type: string
type: object type: object
required: required:

32
docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
View file

@ -19,7 +19,9 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: TLSOption is a specification for a TLSOption resource. description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
allowing to configure some parameters of the TLS connection. More info:
https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,19 +36,24 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: TLSOptionSpec configures TLS for an entry point. description: TLSOptionSpec defines the desired state of a TLSOption.
properties: properties:
alpnProtocols: alpnProtocols:
description: 'ALPNProtocols defines the list of supported application
level protocols for the TLS handshake, in order of preference. More
info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols'
items: items:
type: string type: string
type: array type: array
cipherSuites: cipherSuites:
description: 'CipherSuites defines the list of supported cipher suites
for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites'
items: items:
type: string type: string
type: array type: array
clientAuth: clientAuth:
description: ClientAuth defines the parameters of the client authentication description: ClientAuth defines the server's policy for TLS Client
part of the TLS connection, if any. Authentication.
properties: properties:
clientAuthType: clientAuthType:
description: ClientAuthType defines the client authentication description: ClientAuthType defines the client authentication
@ -59,23 +66,36 @@ spec:
- RequireAndVerifyClientCert - RequireAndVerifyClientCert
type: string type: string
secretNames: secretNames:
description: SecretName is the name of the referenced Kubernetes description: SecretNames defines the names of the referenced Kubernetes
Secret to specify the certificate details. Secret storing certificate details.
items: items:
type: string type: string
type: array type: array
type: object type: object
curvePreferences: curvePreferences:
description: 'CurvePreferences defines the preferred elliptic curves
in a specific order. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences'
items: items:
type: string type: string
type: array type: array
maxVersion: maxVersion:
description: 'MaxVersion defines the maximum TLS version that Traefik
will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
VersionTLS13. Default: None.'
type: string type: string
minVersion: minVersion:
description: 'MinVersion defines the minimum TLS version that Traefik
will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
VersionTLS13. Default: VersionTLS10.'
type: string type: string
preferServerCipherSuites: preferServerCipherSuites:
description: PreferServerCipherSuites defines whether the server chooses
a cipher suite among his own instead of among the client's. It is
enabled automatically when minVersion or maxVersion are set.
type: boolean type: boolean
sniStrict: sniStrict:
description: SniStrict defines whether Traefik allows connections
from clients connections that do not specify a server_name extension.
type: boolean type: boolean
type: object type: object
required: required:

10
docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml
View file

@ -19,7 +19,10 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: TLSStore is a specification for a TLSStore resource. description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
the time being, only the TLSStore named default is supported. This means
that you cannot have two stores that are named default in different Kubernetes
namespaces. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores'
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -34,11 +37,10 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: TLSStoreSpec configures a TLSStore resource. description: TLSStoreSpec defines the desired state of a TLSStore.
properties: properties:
defaultCertificate: defaultCertificate:
description: DefaultCertificate holds a secret name for the TLSOption description: DefaultCertificate defines the default certificate configuration.
resource.
properties: properties:
secretName: secretName:
description: SecretName is the name of the referenced Kubernetes description: SecretName is the name of the referenced Kubernetes

213
docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml
View file

@ -19,10 +19,9 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: TraefikService is the specification for a service (that an IngressRoute description: 'TraefikService is the CRD implementation of a Traefik Service.
refers to) that is usually not a terminal service (i.e. not a pod of servers), TraefikService object allows to: - Apply weight to Services on load-balancing -
as opposed to a Kubernetes Service. That is to say, it usually refers to Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice'
other (children) services, which themselves can be TraefikServices or Services.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -37,220 +36,332 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
description: ServiceSpec defines whether a TraefikService is a load-balancer description: TraefikServiceSpec defines the desired state of a TraefikService.
of services or a mirroring service.
properties: properties:
mirroring: mirroring:
description: Mirroring defines a mirroring service, which is composed description: Mirroring defines the Mirroring service configuration.
of a main load-balancer, and a list of mirrors.
properties: properties:
kind: kind:
description: Kind defines the kind of the Service.
enum: enum:
- Service - Service
- TraefikService - TraefikService
type: string type: string
maxBodySize: maxBodySize:
description: MaxBodySize defines the maximum size allowed for
the body of the request. If the body is larger, the request
is not mirrored. Default value is -1, which means unlimited
size.
format: int64 format: int64
type: integer type: integer
mirrors: mirrors:
description: Mirrors defines the list of mirrors where Traefik
will duplicate the traffic.
items: items:
description: MirrorService defines one of the mirrors of a Mirroring description: MirrorService holds the mirror configuration.
service.
properties: properties:
kind: kind:
description: Kind defines the kind of the Service.
enum: enum:
- Service - Service
- TraefikService - TraefikService
type: string type: string
name: name:
description: Name is a reference to a Kubernetes Service description: Name defines the name of the referenced Kubernetes
object (for a load-balancer of servers), or to a TraefikService Service or TraefikService. The differentiation between
object (service load-balancer, mirroring, etc). The differentiation the two is specified in the Kind field.
between the two is specified in the Kind field.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string type: string
passHostHeader: passHostHeader:
description: PassHostHeader defines whether the client Host
header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean type: boolean
percent: percent:
description: 'Percent defines the part of the traffic to
mirror. Supported values: 0 to 100.'
type: integer type: integer
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseForwarding: responseForwarding:
description: ResponseForwarding holds configuration for description: ResponseForwarding defines how Traefik forwards
the forward of the response. the response from the upstream Kubernetes Service to the
client.
properties: properties:
flushInterval: flushInterval:
description: 'FlushInterval defines the interval, in
milliseconds, in between flushes to the client while
copying the response body. A negative value means
to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes
a response as a streaming response; for such responses,
writes are flushed to the client immediately. Default:
100ms'
type: string type: string
type: object type: object
scheme: scheme:
description: Scheme defines the scheme to use for the request
to the upstream Kubernetes Service. It defaults to https
when Kubernetes Service port is 443, http otherwise.
type: string type: string
serversTransport: serversTransport:
description: ServersTransport defines the name of ServersTransport
resource to use. It allows to configure the transport
between Traefik and your servers. Can only be used on
a Kubernetes Service.
type: string type: string
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration based description: Cookie defines the sticky cookie configuration.
on cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object
strategy: strategy:
description: Strategy defines the load balancing strategy
between the servers. RoundRobin is the only supported
value at the moment.
type: string type: string
weight: weight:
description: Weight should only be specified when Name references description: Weight defines the weight and should only be
a TraefikService object (and to be precise, one that embeds specified when Name references a TraefikService object
a Weighted Round Robin). (and to be precise, one that embeds a Weighted Round Robin).
type: integer type: integer
required: required:
- name - name
type: object type: object
type: array type: array
name: name:
description: Name is a reference to a Kubernetes Service object description: Name defines the name of the referenced Kubernetes
(for a load-balancer of servers), or to a TraefikService object Service or TraefikService. The differentiation between the two
(service load-balancer, mirroring, etc). The differentiation is specified in the Kind field.
between the two is specified in the Kind field.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string type: string
passHostHeader: passHostHeader:
description: PassHostHeader defines whether the client Host header
is forwarded to the upstream Kubernetes Service. By default,
passHostHeader is true.
type: boolean type: boolean
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service. This
can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseForwarding: responseForwarding:
description: ResponseForwarding holds configuration for the forward description: ResponseForwarding defines how Traefik forwards the
of the response. response from the upstream Kubernetes Service to the client.
properties: properties:
flushInterval: flushInterval:
description: 'FlushInterval defines the interval, in milliseconds,
in between flushes to the client while copying the response
body. A negative value means to flush immediately after
each write to the client. This configuration is ignored
when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms'
type: string type: string
type: object type: object
scheme: scheme:
description: Scheme defines the scheme to use for the request
to the upstream Kubernetes Service. It defaults to https when
Kubernetes Service port is 443, http otherwise.
type: string type: string
serversTransport: serversTransport:
description: ServersTransport defines the name of ServersTransport
resource to use. It allows to configure the transport between
Traefik and your servers. Can only be used on a Kubernetes Service.
type: string type: string
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration based on description: Cookie defines the sticky cookie configuration.
cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy. More
info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie can only
be transmitted over an encrypted connection (i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object
strategy: strategy:
description: Strategy defines the load balancing strategy between
the servers. RoundRobin is the only supported value at the moment.
type: string type: string
weight: weight:
description: Weight should only be specified when Name references description: Weight defines the weight and should only be specified
a TraefikService object (and to be precise, one that embeds when Name references a TraefikService object (and to be precise,
a Weighted Round Robin). one that embeds a Weighted Round Robin).
type: integer type: integer
required: required:
- name - name
type: object type: object
weighted: weighted:
description: WeightedRoundRobin defines a load-balancer of services. description: Weighted defines the Weighted Round Robin configuration.
properties: properties:
services: services:
description: Services defines the list of Kubernetes Service and/or
TraefikService to load-balance, with weight.
items: items:
description: Service defines an upstream to proxy traffic. description: Service defines an upstream HTTP service to proxy
traffic to.
properties: properties:
kind: kind:
description: Kind defines the kind of the Service.
enum: enum:
- Service - Service
- TraefikService - TraefikService
type: string type: string
name: name:
description: Name is a reference to a Kubernetes Service description: Name defines the name of the referenced Kubernetes
object (for a load-balancer of servers), or to a TraefikService Service or TraefikService. The differentiation between
object (service load-balancer, mirroring, etc). The differentiation the two is specified in the Kind field.
between the two is specified in the Kind field.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string type: string
passHostHeader: passHostHeader:
description: PassHostHeader defines whether the client Host
header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean type: boolean
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
responseForwarding: responseForwarding:
description: ResponseForwarding holds configuration for description: ResponseForwarding defines how Traefik forwards
the forward of the response. the response from the upstream Kubernetes Service to the
client.
properties: properties:
flushInterval: flushInterval:
description: 'FlushInterval defines the interval, in
milliseconds, in between flushes to the client while
copying the response body. A negative value means
to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes
a response as a streaming response; for such responses,
writes are flushed to the client immediately. Default:
100ms'
type: string type: string
type: object type: object
scheme: scheme:
description: Scheme defines the scheme to use for the request
to the upstream Kubernetes Service. It defaults to https
when Kubernetes Service port is 443, http otherwise.
type: string type: string
serversTransport: serversTransport:
description: ServersTransport defines the name of ServersTransport
resource to use. It allows to configure the transport
between Traefik and your servers. Can only be used on
a Kubernetes Service.
type: string type: string
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration based description: Cookie defines the sticky cookie configuration.
on cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object
strategy: strategy:
description: Strategy defines the load balancing strategy
between the servers. RoundRobin is the only supported
value at the moment.
type: string type: string
weight: weight:
description: Weight should only be specified when Name references description: Weight defines the weight and should only be
a TraefikService object (and to be precise, one that embeds specified when Name references a TraefikService object
a Weighted Round Robin). (and to be precise, one that embeds a Weighted Round Robin).
type: integer type: integer
required: required:
- name - name
type: object type: object
type: array type: array
sticky: sticky:
description: Sticky holds the sticky configuration. description: 'Sticky defines whether sticky sessions are enabled.
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
properties: properties:
cookie: cookie:
description: Cookie holds the sticky configuration based on description: Cookie defines the sticky cookie configuration.
cookie.
properties: properties:
httpOnly: httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean type: boolean
name: name:
description: Name defines the Cookie name.
type: string type: string
sameSite: sameSite:
description: 'SameSite defines the same site policy. More
info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
type: string type: string
secure: secure:
description: Secure defines whether the cookie can only
be transmitted over an encrypted connection (i.e. HTTPS).
type: boolean type: boolean
type: object type: object
type: object type: object

132
docs/content/routing/providers/kubernetes-crd.md
View file

@ -298,10 +298,10 @@ You can find an excerpt of the available custom resources in the table below:
| Kind | Purpose | Concept Behind | | Kind | Purpose | Concept Behind |
|--------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------| |--------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------|
| [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) | | [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) |
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) | | [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) |
| [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) | | [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) |
| [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) | | [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) |
| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) | | [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) |
| [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) | | [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) |
| [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) | | [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) |
| [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) | | [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) |
@ -583,6 +583,62 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
- port: 80 - port: 80
``` ```
#### Load Balancing
More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
!!! info "Declaring and using Kubernetes Service Load Balancing"
```yaml tab="IngressRoute"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: svc1
namespace: default
- name: svc2
namespace: default
```
```yaml tab="K8s Service"
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
```
### Kind: `Middleware` ### Kind: `Middleware`
`Middleware` is the CRD implementation of a [Traefik middleware](../../middlewares/http/overview.md). `Middleware` is the CRD implementation of a [Traefik middleware](../../middlewares/http/overview.md).
@ -642,7 +698,7 @@ More information about available middlewares in the dedicated [middlewares secti
Register the `TraefikService` [kind](../../reference/dynamic-configuration/kubernetes-crd.md#definitions) in the Kubernetes cluster before creating `TraefikService` objects, Register the `TraefikService` [kind](../../reference/dynamic-configuration/kubernetes-crd.md#definitions) in the Kubernetes cluster before creating `TraefikService` objects,
referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or recursively in others `TraefikService` objects. referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or recursively in others `TraefikService` objects.
!!! info "Disambiguate Traefik and Kubernetes Services " !!! info "Disambiguate Traefik and Kubernetes Services"
As the field `name` can reference different types of objects, use the field `kind` to avoid any ambiguity. As the field `name` can reference different types of objects, use the field `kind` to avoid any ambiguity.
@ -653,65 +709,8 @@ referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or rec
`TraefikService` object allows to use any (valid) combinations of: `TraefikService` object allows to use any (valid) combinations of:
* servers [load balancing](#server-load-balancing). * [Weighted Round Robin](#weighted-round-robin) load balancing.
* services [Weighted Round Robin](#weighted-round-robin) load balancing. * [Mirroring](#mirroring).
* services [mirroring](#mirroring).
#### Server Load Balancing
More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
??? "Declaring and Using Server Load Balancing"
```yaml tab="IngressRoute"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: svc1
namespace: default
- name: svc2
namespace: default
```
```yaml tab="K8s Service"
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
```
#### Weighted Round Robin #### Weighted Round Robin
@ -1074,7 +1073,7 @@ and there is a second level because each whoami service is a `replicaset` and is
assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service. assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service.
### Kind `IngressRouteTCP` ### Kind: `IngressRouteTCP`
`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../routers/index.md#configuring-tcp-routers). `IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../routers/index.md#configuring-tcp-routers).
@ -1327,7 +1326,7 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
More information about available TCP middlewares in the dedicated [middlewares section](../../middlewares/tcp/overview.md). More information about available TCP middlewares in the dedicated [middlewares section](../../middlewares/tcp/overview.md).
### Kind `IngressRouteUDP` ### Kind: `IngressRouteUDP`
`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../routers/index.md#configuring-udp-routers). `IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../routers/index.md#configuring-udp-routers).
@ -1616,9 +1615,8 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
!!! important "Default TLS Store" !!! important "Default TLS Store"
Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores). Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores).
This means that if you have two stores that are named default in different kubernetes namespaces, This means that you cannot have two stores that are named default in different Kubernetes namespaces.
they may be randomly chosen. For the time being, please only configure one TLSStore named default.
For the time being, please only configure one TLSSTore named default.
!!! info "TLSStore Attributes" !!! info "TLSStore Attributes"

17
docs/content/user-guides/crd-acme/05-tlsoption.yml Normal file
View file

@ -0,0 +1,17 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
- TLS_AES_256_GCM_SHA384 # TLS 1.3
- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true

36
docs/content/user-guides/crd-acme/index.md
View file

@ -44,20 +44,25 @@ Let's now have a look (in the order they should be applied, if using `kubectl ap
### IngressRoute Definition ### IngressRoute Definition
First, the definition of the `IngressRoute` and the `Middleware` kinds. First, you will need to install Traefik CRDs containing the definition of the `IngressRoute` and the `Middleware` kinds,
Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on. and the RBAC authorization resources which will be referenced through the `serviceAccountName` of the deployment.
```yaml ```bash
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml" # Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
--- # Install RBAC for Traefik:
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
``` ```
### Services ### Services
Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami). Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami).
```bash
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/02-services.yml
```
```yaml ```yaml
--8<-- "content/user-guides/crd-acme/02-services.yml" --8<-- "content/user-guides/crd-acme/02-services.yml"
``` ```
@ -67,6 +72,10 @@ Then, the services. One for Traefik itself, and one for the app it routes for, i
Next, the deployments, i.e. the actual pods behind the services. Next, the deployments, i.e. the actual pods behind the services.
Again, one pod for Traefik, and one for the whoami app. Again, one pod for Traefik, and one for the whoami app.
```bash
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/03-deployments.yml
```
```yaml ```yaml
--8<-- "content/user-guides/crd-acme/03-deployments.yml" --8<-- "content/user-guides/crd-acme/03-deployments.yml"
``` ```
@ -91,7 +100,7 @@ Look it up.
We can now finally apply the actual ingressRoutes, with: We can now finally apply the actual ingressRoutes, with:
```bash ```bash
kubectl apply -f 04-ingressroutes.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/04-ingressroutes.yml
``` ```
```yaml ```yaml
@ -110,3 +119,16 @@ curl http://your.example.com:8000/notls
``` ```
Note that you'll have to use `-k` as long as you're using the staging server of Let's Encrypt, since it is not an authorized certificate authority on systems where it hasn't been manually added. Note that you'll have to use `-k` as long as you're using the staging server of Let's Encrypt, since it is not an authorized certificate authority on systems where it hasn't been manually added.
### Force TLS v1.2+
Nowadays, TLS v1.0 and v1.1 are deprecated.
In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption:
```bash
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/05-tlsoption.yml
```
```yaml
--8<-- "content/user-guides/crd-acme/05-tlsoption.yml"
```

1013
integration/fixtures/k8s/01-traefik-crd.yml
View file

File diff suppressed because it is too large Load diff

19
pkg/config/dynamic/http_config.go
View file

@ -124,6 +124,7 @@ func (w *WRRService) SetDefaults() {
// Sticky holds the sticky configuration. // Sticky holds the sticky configuration.
type Sticky struct { type Sticky struct {
// Cookie defines the sticky cookie configuration.
Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"` Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
} }
@ -131,9 +132,14 @@ type Sticky struct {
// Cookie holds the sticky configuration based on cookie. // Cookie holds the sticky configuration based on cookie.
type Cookie struct { type Cookie struct {
Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"` // Name defines the Cookie name.
Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"` Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"`
HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"` // Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"`
// HTTPOnly defines whether the cookie can be accessed by client-side APIs, such as JavaScript.
HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
// SameSite defines the same site policy.
// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"` SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"`
} }
@ -178,8 +184,13 @@ func (l *ServersLoadBalancer) SetDefaults() {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ResponseForwarding holds configuration for the forward of the response. // ResponseForwarding holds the response forwarding configuration.
type ResponseForwarding struct { type ResponseForwarding struct {
// FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
// A negative value means to flush immediately after each write to the client.
// This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
// for such responses, writes are flushed to the client immediately.
// Default: 100ms
FlushInterval string `json:"flushInterval,omitempty" toml:"flushInterval,omitempty" yaml:"flushInterval,omitempty" export:"true"` FlushInterval string `json:"flushInterval,omitempty" toml:"flushInterval,omitempty" yaml:"flushInterval,omitempty" export:"true"`
} }

402
pkg/config/dynamic/middlewares.go
View file

@ -40,153 +40,250 @@ type Middleware struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ContentType middleware - or rather its unique `autoDetect` option - // ContentType holds the content-type middleware configuration.
// specifies whether to let the `Content-Type` header,
// if it has not been set by the backend,
// be automatically set to a value derived from the contents of the response.
// As a proxy, the default behavior should be to leave the header alone,
// regardless of what the backend did with it.
// However, the historic default was to always auto-detect and set the header if it was nil,
// and it is going to be kept that way in order to support users currently relying on it.
// This middleware exists to enable the correct behavior until at least the default one can be changed in a future version. // This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
type ContentType struct { type ContentType struct {
// AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
// be automatically set to a value derived from the contents of the response.
// As a proxy, the default behavior should be to leave the header alone, regardless of what the backend did with it.
// However, the historic default was to always auto-detect and set the header if it was nil,
// and it is going to be kept that way in order to support users currently relying on it.
AutoDetect bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty" export:"true"` AutoDetect bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// AddPrefix holds the AddPrefix configuration. // AddPrefix holds the add prefix middleware configuration.
// This middleware updates the path of a request before forwarding it.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/
type AddPrefix struct { type AddPrefix struct {
// Prefix is the string to add before the current path in the requested URL.
// It should include a leading slash (/).
Prefix string `json:"prefix,omitempty" toml:"prefix,omitempty" yaml:"prefix,omitempty" export:"true"` Prefix string `json:"prefix,omitempty" toml:"prefix,omitempty" yaml:"prefix,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// BasicAuth holds the HTTP basic authentication configuration. // BasicAuth holds the basic auth middleware configuration.
// This middleware restricts access to your services to known users.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/
type BasicAuth struct { type BasicAuth struct {
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"` // Users is an array of authorized users.
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"` // Each user must be declared using the name:hashed-password format.
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"` // Tip: Use htpasswd to generate the passwords.
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"` Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"` // UsersFile is the path to an external file that contains the authorized users.
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
// Default: traefik.
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
// RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
// Default: false.
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
// HeaderField defines a header field to store the authenticated user.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Buffering holds the request/response buffering configuration. // Buffering holds the buffering middleware configuration.
// This middleware retries or limits the size of requests that can be forwarded to backends.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes
type Buffering struct { type Buffering struct {
MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"` // MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"` // If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"` // Default: 0 (no maximum).
MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"` MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"` // MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
// Default: 1048576 (1Mi).
MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
// MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
// If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
// Default: 0 (no maximum).
MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
// MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
// Default: 1048576 (1Mi).
MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
// RetryExpression defines the retry conditions.
// It is a logical combination of functions with operators AND (&&) and OR (||).
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression
RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Chain holds a chain of middlewares. // Chain holds the chain middleware configuration.
// This middleware enables to define reusable combinations of other pieces of middleware.
type Chain struct { type Chain struct {
// Middlewares is the list of middleware names which composes the chain.
Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"` Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// CircuitBreaker holds the circuit breaker configuration. // CircuitBreaker holds the circuit breaker middleware configuration.
// This middleware protects the system from stacking requests to unhealthy services, resulting in cascading failures.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/
type CircuitBreaker struct { type CircuitBreaker struct {
// Expression defines the expression that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling the services.
Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"` Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Compress holds the compress configuration. // Compress holds the compress middleware configuration.
// This middleware compresses responses before sending them to the client, using gzip compression.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/
type Compress struct { type Compress struct {
// ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
ExcludedContentTypes []string `json:"excludedContentTypes,omitempty" toml:"excludedContentTypes,omitempty" yaml:"excludedContentTypes,omitempty" export:"true"` ExcludedContentTypes []string `json:"excludedContentTypes,omitempty" toml:"excludedContentTypes,omitempty" yaml:"excludedContentTypes,omitempty" export:"true"`
MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"` // MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
// Default: 1024.
MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// DigestAuth holds the Digest HTTP authentication configuration. // DigestAuth holds the digest auth middleware configuration.
// This middleware restricts access to your services to known users.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/
type DigestAuth struct { type DigestAuth struct {
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"` // Users defines the authorized users.
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"` // Each user should be declared using the name:realm:encoded-password format.
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"` Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"` // UsersFile is the path to an external file that contains the authorized users for the middleware.
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"` UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
// RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
// Default: traefik.
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
// HeaderField defines a header field to store the authenticated user.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ErrorPage holds the custom error page configuration. // ErrorPage holds the custom error middleware configuration.
// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
type ErrorPage struct { type ErrorPage struct {
Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"` // Status defines which status or range of statuses should result in an error page.
Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"` // It can be either a status code as a number (500),
Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"` // as multiple comma-separated numbers (500,502),
// as ranges by separating two codes with a dash (500-599),
// or a combination of the two (404,418,500-599).
Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
// Service defines the name of the service that will serve the error page.
Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
// Query defines the URL for the error page (hosted by service).
// The {status} variable can be used in order to insert the status code in the URL.
Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ForwardAuth holds the http forward authentication configuration. // ForwardAuth holds the forward auth middleware configuration.
// This middleware delegates the request authentication to a Service.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/
type ForwardAuth struct { type ForwardAuth struct {
Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"` // Address defines the authentication server address.
TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"` Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"` // TLS defines the configuration used to secure the connection to the authentication server.
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"` TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"` // TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"` TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"`
// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"`
// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"`
// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
// If not set or empty then all request headers are passed.
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Headers holds the custom header configuration. // Headers holds the headers middleware configuration.
// This middleware manages the requests and responses headers.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders
type Headers struct { type Headers struct {
CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"` // CustomRequestHeaders defines the header names and values to apply to the request.
CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"`
// CustomResponseHeaders defines the header names and values to apply to the response.
CustomResponseHeaders map[string]string `json:"customResponseHeaders,omitempty" toml:"customResponseHeaders,omitempty" yaml:"customResponseHeaders,omitempty" export:"true"` CustomResponseHeaders map[string]string `json:"customResponseHeaders,omitempty" toml:"customResponseHeaders,omitempty" yaml:"customResponseHeaders,omitempty" export:"true"`
// AccessControlAllowCredentials is only valid if true. false is ignored. // AccessControlAllowCredentials defines whether the request can include user credentials.
AccessControlAllowCredentials bool `json:"accessControlAllowCredentials,omitempty" toml:"accessControlAllowCredentials,omitempty" yaml:"accessControlAllowCredentials,omitempty" export:"true"` AccessControlAllowCredentials bool `json:"accessControlAllowCredentials,omitempty" toml:"accessControlAllowCredentials,omitempty" yaml:"accessControlAllowCredentials,omitempty" export:"true"`
// AccessControlAllowHeaders must be used in response to a preflight request with Access-Control-Request-Headers set. // AccessControlAllowHeaders defines the Access-Control-Request-Headers values sent in preflight response.
AccessControlAllowHeaders []string `json:"accessControlAllowHeaders,omitempty" toml:"accessControlAllowHeaders,omitempty" yaml:"accessControlAllowHeaders,omitempty" export:"true"` AccessControlAllowHeaders []string `json:"accessControlAllowHeaders,omitempty" toml:"accessControlAllowHeaders,omitempty" yaml:"accessControlAllowHeaders,omitempty" export:"true"`
// AccessControlAllowMethods must be used in response to a preflight request with Access-Control-Request-Method set. // AccessControlAllowMethods defines the Access-Control-Request-Method values sent in preflight response.
AccessControlAllowMethods []string `json:"accessControlAllowMethods,omitempty" toml:"accessControlAllowMethods,omitempty" yaml:"accessControlAllowMethods,omitempty" export:"true"` AccessControlAllowMethods []string `json:"accessControlAllowMethods,omitempty" toml:"accessControlAllowMethods,omitempty" yaml:"accessControlAllowMethods,omitempty" export:"true"`
// AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*". // AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*".
AccessControlAllowOriginList []string `json:"accessControlAllowOriginList,omitempty" toml:"accessControlAllowOriginList,omitempty" yaml:"accessControlAllowOriginList,omitempty"` AccessControlAllowOriginList []string `json:"accessControlAllowOriginList,omitempty" toml:"accessControlAllowOriginList,omitempty" yaml:"accessControlAllowOriginList,omitempty"`
// AccessControlAllowOriginListRegex is a list of allowable origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). // AccessControlAllowOriginListRegex is a list of allowable origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
AccessControlAllowOriginListRegex []string `json:"accessControlAllowOriginListRegex,omitempty" toml:"accessControlAllowOriginListRegex,omitempty" yaml:"accessControlAllowOriginListRegex,omitempty"` AccessControlAllowOriginListRegex []string `json:"accessControlAllowOriginListRegex,omitempty" toml:"accessControlAllowOriginListRegex,omitempty" yaml:"accessControlAllowOriginListRegex,omitempty"`
// AccessControlExposeHeaders sets valid headers for the response. // AccessControlExposeHeaders defines the Access-Control-Expose-Headers values sent in preflight response.
AccessControlExposeHeaders []string `json:"accessControlExposeHeaders,omitempty" toml:"accessControlExposeHeaders,omitempty" yaml:"accessControlExposeHeaders,omitempty" export:"true"` AccessControlExposeHeaders []string `json:"accessControlExposeHeaders,omitempty" toml:"accessControlExposeHeaders,omitempty" yaml:"accessControlExposeHeaders,omitempty" export:"true"`
// AccessControlMaxAge sets the time that a preflight request may be cached. // AccessControlMaxAge defines the time that a preflight request may be cached.
AccessControlMaxAge int64 `json:"accessControlMaxAge,omitempty" toml:"accessControlMaxAge,omitempty" yaml:"accessControlMaxAge,omitempty" export:"true"` AccessControlMaxAge int64 `json:"accessControlMaxAge,omitempty" toml:"accessControlMaxAge,omitempty" yaml:"accessControlMaxAge,omitempty" export:"true"`
// AddVaryHeader controls if the Vary header is automatically added/updated when the AccessControlAllowOriginList is set. // AddVaryHeader defines whether the Vary header is automatically added/updated when the AccessControlAllowOriginList is set.
AddVaryHeader bool `json:"addVaryHeader,omitempty" toml:"addVaryHeader,omitempty" yaml:"addVaryHeader,omitempty" export:"true"` AddVaryHeader bool `json:"addVaryHeader,omitempty" toml:"addVaryHeader,omitempty" yaml:"addVaryHeader,omitempty" export:"true"`
// AllowedHosts defines the fully qualified list of allowed domain names.
AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"` AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"`
// HostsProxyHeaders defines the header keys that may hold a proxied hostname value for the request.
HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"` HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"`
// Deprecated: use EntryPoint redirection or RedirectScheme instead. // Deprecated: use EntryPoint redirection or RedirectScheme instead.
SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"` SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"`
// Deprecated: use EntryPoint redirection or RedirectScheme instead. // Deprecated: use EntryPoint redirection or RedirectScheme instead.
SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"` SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"`
// Deprecated: use RedirectRegex instead. // Deprecated: use RedirectRegex instead.
SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"` SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
// SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
// It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"` SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"`
// Deprecated: use RedirectRegex instead. // Deprecated: use RedirectRegex instead.
SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"` SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"` // STSSeconds defines the max-age of the Strict-Transport-Security header.
STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"` // If set to 0, the header is not set.
STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"` STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"`
ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"` // STSIncludeSubdomains defines whether the includeSubDomains directive is appended to the Strict-Transport-Security header.
FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"` STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"`
// STSPreload defines whether the preload flag is appended to the Strict-Transport-Security header.
STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"`
// ForceSTSHeader defines whether to add the STS header even when the connection is HTTP.
ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"`
// FrameDeny defines whether to add the X-Frame-Options header with the DENY value.
FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"`
// CustomFrameOptionsValue defines the X-Frame-Options header value.
// This overrides the FrameDeny option.
CustomFrameOptionsValue string `json:"customFrameOptionsValue,omitempty" toml:"customFrameOptionsValue,omitempty" yaml:"customFrameOptionsValue,omitempty"` CustomFrameOptionsValue string `json:"customFrameOptionsValue,omitempty" toml:"customFrameOptionsValue,omitempty" yaml:"customFrameOptionsValue,omitempty"`
ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"` // ContentTypeNosniff defines whether to add the X-Content-Type-Options header with the nosniff value.
BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"` ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"`
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"` // BrowserXSSFilter defines whether to add the X-XSS-Protection header with the value 1; mode=block.
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"` BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"`
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"` // CustomBrowserXSSValue defines the X-XSS-Protection header value.
ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"` // This overrides the BrowserXssFilter option.
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"`
// ContentSecurityPolicy defines the Content-Security-Policy header value.
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
// PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates.
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
// ReferrerPolicy defines the Referrer-Policy header value.
// This allows sites to control whether browsers forward the Referer header to other sites.
ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
// Deprecated: use PermissionsPolicy instead. // Deprecated: use PermissionsPolicy instead.
FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"` FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
// PermissionsPolicy defines the Permissions-Policy header value.
// This allows sites to control browser features.
PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"` PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"` // IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.
// Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.
// If you would like your development environment to mimic production with complete Host blocking, SSL redirects,
// and STS headers, leave this as false.
IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
} }
// HasCustomHeadersDefined checks to see if any of the custom header elements have been set. // HasCustomHeadersDefined checks to see if any of the custom header elements have been set.
@ -235,9 +332,12 @@ func (h *Headers) HasSecureHeadersDefined() bool {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// IPStrategy holds the ip strategy configuration. // IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy
type IPStrategy struct { type IPStrategy struct {
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"` // Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
// ExcludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.
ExcludedIPs []string `json:"excludedIPs,omitempty" toml:"excludedIPs,omitempty" yaml:"excludedIPs,omitempty"` ExcludedIPs []string `json:"excludedIPs,omitempty" toml:"excludedIPs,omitempty" yaml:"excludedIPs,omitempty"`
// TODO(mpl): I think we should make RemoteAddr an explicit field. For one thing, it would yield better documentation. // TODO(mpl): I think we should make RemoteAddr an explicit field. For one thing, it would yield better documentation.
} }
@ -272,25 +372,40 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// IPWhiteList holds the ip white list configuration. // IPWhiteList holds the IP whitelist middleware configuration.
// This middleware accepts / refuses requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/
type IPWhiteList struct { type IPWhiteList struct {
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"` SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"` IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// InFlightReq limits the number of requests being processed and served concurrently. // InFlightReq holds the in-flight request middleware configuration.
// This middleware limits the number of requests being processed and served concurrently.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/
type InFlightReq struct { type InFlightReq struct {
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"` // Amount defines the maximum amount of allowed simultaneous in-flight request.
// The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
// If several strategies are defined at the same time, an error will be raised.
// If none are set, the default is to use the requestHost.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion
SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"` SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// PassTLSClientCert holds the TLS client cert headers configuration. // PassTLSClientCert holds the pass TLS client cert middleware configuration.
// This middleware adds the selected data from the passed client TLS certificate to a header.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/
type PassTLSClientCert struct { type PassTLSClientCert struct {
PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"` // PEM sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate.
PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"`
// Info selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
Info *TLSClientCertificateInfo `json:"info,omitempty" toml:"info,omitempty" yaml:"info,omitempty" export:"true"` Info *TLSClientCertificateInfo `json:"info,omitempty" toml:"info,omitempty" yaml:"info,omitempty" export:"true"`
} }
@ -300,14 +415,17 @@ type PassTLSClientCert struct {
// If none are set, the default is to use the request's remote address field. // If none are set, the default is to use the request's remote address field.
// All fields are mutually exclusive. // All fields are mutually exclusive.
type SourceCriterion struct { type SourceCriterion struct {
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"` IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"`
RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"` // RequestHeaderName defines the name of the header used to group incoming requests.
RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"` RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"`
// RequestHost defines whether to consider the request Host as the source.
RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// RateLimit holds the rate limiting configuration for a given router. // RateLimit holds the rate limit configuration.
// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
type RateLimit struct { type RateLimit struct {
// Average is the maximum rate, by default in requests/s, allowed for the given source. // Average is the maximum rate, by default in requests/s, allowed for the given source.
// It defaults to 0, which means no rate limiting. // It defaults to 0, which means no rate limiting.
@ -323,6 +441,9 @@ type RateLimit struct {
// It defaults to 1. // It defaults to 1.
Burst int64 `json:"burst,omitempty" toml:"burst,omitempty" yaml:"burst,omitempty" export:"true"` Burst int64 `json:"burst,omitempty" toml:"burst,omitempty" yaml:"burst,omitempty" export:"true"`
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
// If several strategies are defined at the same time, an error will be raised.
// If none are set, the default is to use the request's remote address field (as an ipStrategy).
SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"` SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
} }
@ -334,51 +455,82 @@ func (r *RateLimit) SetDefaults() {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// RedirectRegex holds the redirection configuration. // RedirectRegex holds the redirect regex middleware configuration.
// This middleware redirects a request using regex matching and replacement.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex
type RedirectRegex struct { type RedirectRegex struct {
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"` // Regex defines the regex used to match and capture elements from the request URL.
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"`
// Replacement defines how to modify the URL to have the new target URL.
Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty"` Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty"`
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` // Permanent defines whether the redirection is permanent (301).
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// RedirectScheme holds the scheme redirection configuration. // RedirectScheme holds the redirect scheme middleware configuration.
// This middleware redirects requests from a scheme/port to another.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/
type RedirectScheme struct { type RedirectScheme struct {
Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"` // Scheme defines the scheme of the new URL.
Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"` Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"` // Port defines the port of the new URL.
Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"`
// Permanent defines whether the redirection is permanent (301).
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ReplacePath holds the ReplacePath configuration. // ReplacePath holds the replace path middleware configuration.
// This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/
type ReplacePath struct { type ReplacePath struct {
// Path defines the path to use as replacement in the request URL.
Path string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"` Path string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ReplacePathRegex holds the ReplacePathRegex configuration. // ReplacePathRegex holds the replace path regex middleware configuration.
// This middleware replaces the path of a URL using regex matching and replacement.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/
type ReplacePathRegex struct { type ReplacePathRegex struct {
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"` // Regex defines the regular expression used to match and capture the path from the request URL.
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
// Replacement defines the replacement path format, which can include captured variables.
Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty" export:"true"` Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Retry holds the retry configuration. // Retry holds the retry middleware configuration.
// This middleware reissues requests a given number of times to a backend server if that server does not reply.
// As soon as the server answers, the middleware stops retrying, regardless of the response status.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/
type Retry struct { type Retry struct {
Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"` // Attempts defines how many times the request should be retried.
Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"`
// InitialInterval defines the first wait time in the exponential backoff series.
// The maximum interval is calculated as twice the initialInterval.
// If unspecified, requests will be retried immediately.
// The value of initialInterval should be provided in seconds or as a valid duration format,
// see https://pkg.go.dev/time#ParseDuration.
InitialInterval ptypes.Duration `json:"initialInterval,omitempty" toml:"initialInterval,omitempty" yaml:"initialInterval,omitempty" export:"true"` InitialInterval ptypes.Duration `json:"initialInterval,omitempty" toml:"initialInterval,omitempty" yaml:"initialInterval,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// StripPrefix holds the StripPrefix configuration. // StripPrefix holds the strip prefix middleware configuration.
// This middleware removes the specified prefixes from the URL path.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/
type StripPrefix struct { type StripPrefix struct {
Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"` // Prefixes defines the prefixes to strip from the request URL.
ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
// ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
// Default: true.
ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
} }
// SetDefaults Default values for a StripPrefix. // SetDefaults Default values for a StripPrefix.
@ -388,8 +540,11 @@ func (s *StripPrefix) SetDefaults() {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// StripPrefixRegex holds the StripPrefixRegex configuration. // StripPrefixRegex holds the strip prefix regex middleware configuration.
// This middleware removes the matching prefixes from the URL path.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/
type StripPrefixRegex struct { type StripPrefixRegex struct {
// Regex defines the regular expression to match the path prefix from the request URL.
Regex []string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"` Regex []string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
} }
@ -397,12 +552,18 @@ type StripPrefixRegex struct {
// TLSClientCertificateInfo holds the client TLS certificate info configuration. // TLSClientCertificateInfo holds the client TLS certificate info configuration.
type TLSClientCertificateInfo struct { type TLSClientCertificateInfo struct {
NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"` // NotAfter defines whether to add the Not After information from the Validity part.
NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"` NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"` // NotBefore defines whether to add the Not Before information from the Validity part.
Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"` NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"` // Sans defines whether to add the Subject Alternative Name information from the Subject Alternative Name part.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"` Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
// SerialNumber defines whether to add the client serialNumber information.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
// Subject defines the client certificate subject details to add to the X-Forwarded-Tls-Client-Cert-Info header.
Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
// Issuer defines the client certificate issuer details to add to the X-Forwarded-Tls-Client-Cert-Info header.
Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
@ -410,12 +571,19 @@ type TLSClientCertificateInfo struct {
// TLSClientCertificateIssuerDNInfo holds the client TLS certificate distinguished name info configuration. // TLSClientCertificateIssuerDNInfo holds the client TLS certificate distinguished name info configuration.
// cf https://tools.ietf.org/html/rfc3739 // cf https://tools.ietf.org/html/rfc3739
type TLSClientCertificateIssuerDNInfo struct { type TLSClientCertificateIssuerDNInfo struct {
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"` // Country defines whether to add the country information into the issuer.
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"` Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"` // Province defines whether to add the province information into the issuer.
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"` Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"` // Locality defines whether to add the locality information into the issuer.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"` Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
// Organization defines whether to add the organization information into the issuer.
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
// CommonName defines whether to add the organizationalUnit information into the issuer.
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
// SerialNumber defines whether to add the serialNumber information into the issuer.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
// DomainComponent defines whether to add the domainComponent information into the issuer.
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"` DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
} }
@ -424,14 +592,22 @@ type TLSClientCertificateIssuerDNInfo struct {
// TLSClientCertificateSubjectDNInfo holds the client TLS certificate distinguished name info configuration. // TLSClientCertificateSubjectDNInfo holds the client TLS certificate distinguished name info configuration.
// cf https://tools.ietf.org/html/rfc3739 // cf https://tools.ietf.org/html/rfc3739
type TLSClientCertificateSubjectDNInfo struct { type TLSClientCertificateSubjectDNInfo struct {
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"` // Country defines whether to add the country information into the subject.
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"` Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"` // Province defines whether to add the province information into the subject.
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"` Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
// Locality defines whether to add the locality information into the subject.
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
// Organization defines whether to add the organization information into the subject.
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
// OrganizationalUnit defines whether to add the organizationalUnit information into the subject.
OrganizationalUnit bool `json:"organizationalUnit,omitempty" toml:"organizationalUnit,omitempty" yaml:"organizationalUnit,omitempty" export:"true"` OrganizationalUnit bool `json:"organizationalUnit,omitempty" toml:"organizationalUnit,omitempty" yaml:"organizationalUnit,omitempty" export:"true"`
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"` // CommonName defines whether to add the organizationalUnit information into the subject.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"` CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"` // SerialNumber defines whether to add the serialNumber information into the subject.
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
// DomainComponent defines whether to add the domainComponent information into the subject.
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true

4
pkg/config/dynamic/tcp_config.go
View file

@ -113,8 +113,10 @@ type TCPServer struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ProxyProtocol holds the ProxyProtocol configuration. // ProxyProtocol holds the PROXY Protocol configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
type ProxyProtocol struct { type ProxyProtocol struct {
// Version defines the PROXY Protocol version to use.
Version int `json:"version,omitempty" toml:"version,omitempty" yaml:"version,omitempty" export:"true"` Version int `json:"version,omitempty" toml:"version,omitempty" yaml:"version,omitempty" export:"true"`
} }

11
pkg/config/dynamic/tcp_middlewares.go
View file

@ -10,14 +10,21 @@ type TCPMiddleware struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// TCPInFlightConn holds the TCP in flight connection configuration. // TCPInFlightConn holds the TCP InFlightConn middleware configuration.
// This middleware prevents services from being overwhelmed with high load,
// by limiting the number of allowed simultaneous connections for one IP.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/tcp/inflightconn/
type TCPInFlightConn struct { type TCPInFlightConn struct {
// Amount defines the maximum amount of allowed simultaneous connections.
// The middleware closes the connection if there are already amount connections opened.
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"` Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// TCPIPWhiteList holds the TCP ip white list configuration. // TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
// This middleware accepts/refuses connections based on the client IP.
type TCPIPWhiteList struct { type TCPIPWhiteList struct {
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"` SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
} }

4
pkg/provider/kubernetes/crd/kubernetes_http.go
View file

@ -84,7 +84,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
serviceName := normalized serviceName := normalized
if len(route.Services) > 1 { if len(route.Services) > 1 {
spec := v1alpha1.ServiceSpec{ spec := v1alpha1.TraefikServiceSpec{
Weighted: &v1alpha1.WeightedRoundRobin{ Weighted: &v1alpha1.WeightedRoundRobin{
Services: route.Services, Services: route.Services,
}, },
@ -217,7 +217,7 @@ func (c configBuilder) buildTraefikService(ctx context.Context, tService *v1alph
// buildServicesLB creates the configuration for the load-balancer of services named id, and defined in tService. // buildServicesLB creates the configuration for the load-balancer of services named id, and defined in tService.
// It adds it to the given conf map. // It adds it to the given conf map.
func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.ServiceSpec, id string, conf map[string]*dynamic.Service) error { func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.TraefikServiceSpec, id string, conf map[string]*dynamic.Service) error {
var wrrServices []dynamic.WRRService var wrrServices []dynamic.WRRService
for _, service := range tService.Weighted.Services { for _, service := range tService.Weighted.Services {

146
pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroute.go
View file

@ -7,90 +7,130 @@ import (
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
) )
// IngressRouteSpec is a specification for a IngressRouteSpec resource. // IngressRouteSpec defines the desired state of IngressRoute.
type IngressRouteSpec struct { type IngressRouteSpec struct {
Routes []Route `json:"routes"` // Routes defines the list of routes.
Routes []Route `json:"routes"`
// EntryPoints defines the list of entry point names to bind to.
// Entry points have to be configured in the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
// Default: all.
EntryPoints []string `json:"entryPoints,omitempty"` EntryPoints []string `json:"entryPoints,omitempty"`
TLS *TLS `json:"tls,omitempty"` // TLS defines the TLS configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
TLS *TLS `json:"tls,omitempty"`
} }
// Route contains the set of routes. // Route holds the HTTP route configuration.
type Route struct { type Route struct {
// Match defines the router's rule.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule
Match string `json:"match"` Match string `json:"match"`
// Kind defines the kind of the route.
// Rule is the only supported kind.
// +kubebuilder:validation:Enum=Rule // +kubebuilder:validation:Enum=Rule
Kind string `json:"kind"` Kind string `json:"kind"`
Priority int `json:"priority,omitempty"` // Priority defines the router's priority.
Services []Service `json:"services,omitempty"` // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority
Priority int `json:"priority,omitempty"`
// Services defines the list of Service.
// It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
Services []Service `json:"services,omitempty"`
// Middlewares defines the list of references to Middleware resources.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware
Middlewares []MiddlewareRef `json:"middlewares,omitempty"` Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
} }
// TLS contains the TLS certificates configuration of the routes. // TLS holds the TLS configuration.
// To enable Let's Encrypt, use an empty TLS struct, // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
// e.g. in YAML:
//
// tls: {} # inline format
//
// tls:
// secretName: # block format
type TLS struct { type TLS struct {
// SecretName is the name of the referenced Kubernetes Secret to specify the // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
// certificate details.
SecretName string `json:"secretName,omitempty"` SecretName string `json:"secretName,omitempty"`
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection. // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
// If not defined, the `default` TLSOption is used.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
Options *TLSOptionRef `json:"options,omitempty"` Options *TLSOptionRef `json:"options,omitempty"`
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store. // Store defines the reference to the TLSStore, that will be used to store certificates.
Store *TLSStoreRef `json:"store,omitempty"` // Please note that only `default` TLSStore can be used.
CertResolver string `json:"certResolver,omitempty"` Store *TLSStoreRef `json:"store,omitempty"`
Domains []types.Domain `json:"domains,omitempty"` // CertResolver defines the name of the certificate resolver to use.
// Cert resolvers have to be configured in the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
CertResolver string `json:"certResolver,omitempty"`
// Domains defines the list of domains that will be used to issue certificates.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
Domains []types.Domain `json:"domains,omitempty"`
} }
// TLSOptionRef is a ref to the TLSOption resources. // TLSOptionRef is a reference to a TLSOption resource.
type TLSOptionRef struct { type TLSOptionRef struct {
Name string `json:"name"` // Name defines the name of the referenced TLSOption.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
Name string `json:"name"`
// Namespace defines the namespace of the referenced TLSOption.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
Namespace string `json:"namespace,omitempty"` Namespace string `json:"namespace,omitempty"`
} }
// TLSStoreRef is a ref to the TLSStore resource. // TLSStoreRef is a reference to a TLSStore resource.
type TLSStoreRef struct { type TLSStoreRef struct {
Name string `json:"name"` // Name defines the name of the referenced TLSStore.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
Name string `json:"name"`
// Namespace defines the namespace of the referenced TLSStore.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
Namespace string `json:"namespace,omitempty"` Namespace string `json:"namespace,omitempty"`
} }
// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers), // LoadBalancerSpec defines the desired state of LoadBalancer.
// or a TraefikService object (a traefik load-balancer of services). // It can reference either a Kubernetes Service object (a load-balancer of servers),
// or a TraefikService object (a load-balancer of Traefik services).
type LoadBalancerSpec struct { type LoadBalancerSpec struct {
// Name is a reference to a Kubernetes Service object (for a load-balancer of servers), // Name defines the name of the referenced Kubernetes Service or TraefikService.
// or to a TraefikService object (service load-balancer, mirroring, etc).
// The differentiation between the two is specified in the Kind field. // The differentiation between the two is specified in the Kind field.
Name string `json:"name"` Name string `json:"name"`
// Kind defines the kind of the Service.
// +kubebuilder:validation:Enum=Service;TraefikService // +kubebuilder:validation:Enum=Service;TraefikService
Kind string `json:"kind,omitempty"` Kind string `json:"kind,omitempty"`
Namespace string `json:"namespace,omitempty"` // Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
Sticky *dynamic.Sticky `json:"sticky,omitempty"` Namespace string `json:"namespace,omitempty"`
// Sticky defines the sticky sessions configuration.
// Port and all the fields below are related to a servers load-balancer, // More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions
// and therefore should only be specified when Name references a Kubernetes Service. Sticky *dynamic.Sticky `json:"sticky,omitempty"`
// Port defines the port of a Kubernetes Service.
Port intstr.IntOrString `json:"port,omitempty"` // This can be a reference to a named port.
Scheme string `json:"scheme,omitempty"` Port intstr.IntOrString `json:"port,omitempty"`
Strategy string `json:"strategy,omitempty"` // Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
PassHostHeader *bool `json:"passHostHeader,omitempty"` // It defaults to https when Kubernetes Service port is 443, http otherwise.
Scheme string `json:"scheme,omitempty"`
// Strategy defines the load balancing strategy between the servers.
// RoundRobin is the only supported value at the moment.
Strategy string `json:"strategy,omitempty"`
// PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
// By default, passHostHeader is true.
PassHostHeader *bool `json:"passHostHeader,omitempty"`
// ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
ResponseForwarding *dynamic.ResponseForwarding `json:"responseForwarding,omitempty"` ResponseForwarding *dynamic.ResponseForwarding `json:"responseForwarding,omitempty"`
ServersTransport string `json:"serversTransport,omitempty"` // ServersTransport defines the name of ServersTransport resource to use.
// It allows to configure the transport between Traefik and your servers.
// Can only be used on a Kubernetes Service.
ServersTransport string `json:"serversTransport,omitempty"`
// Weight should only be specified when Name references a TraefikService object // Weight defines the weight and should only be specified when Name references a TraefikService object
// (and to be precise, one that embeds a Weighted Round Robin). // (and to be precise, one that embeds a Weighted Round Robin).
Weight *int `json:"weight,omitempty"` Weight *int `json:"weight,omitempty"`
} }
// Service defines an upstream to proxy traffic. // Service defines an upstream HTTP service to proxy traffic to.
type Service struct { type Service struct {
LoadBalancerSpec `json:",inline"` LoadBalancerSpec `json:",inline"`
} }
// MiddlewareRef is a ref to the Middleware resources. // MiddlewareRef is a reference to a Middleware resource.
type MiddlewareRef struct { type MiddlewareRef struct {
Name string `json:"name"` // Name defines the name of the referenced Middleware resource.
Name string `json:"name"`
// Namespace defines the namespace of the referenced Middleware resource.
Namespace string `json:"namespace,omitempty"` Namespace string `json:"namespace,omitempty"`
} }
@ -98,9 +138,11 @@ type MiddlewareRef struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// IngressRoute is an Ingress CRD specification. // IngressRoute is the CRD implementation of a Traefik HTTP Router.
type IngressRoute struct { type IngressRoute struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec IngressRouteSpec `json:"spec"` Spec IngressRouteSpec `json:"spec"`
@ -108,9 +150,13 @@ type IngressRoute struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IngressRouteList is a list of IngressRoutes. // IngressRouteList is a collection of IngressRoute.
type IngressRouteList struct { type IngressRouteList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
Items []IngressRoute `json:"items"`
// Items is the list of IngressRoute.
Items []IngressRoute `json:"items"`
} }

104
pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
View file

@ -7,60 +7,88 @@ import (
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
) )
// IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec resource. // IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
type IngressRouteTCPSpec struct { type IngressRouteTCPSpec struct {
Routes []RouteTCP `json:"routes"` // Routes defines the list of routes.
EntryPoints []string `json:"entryPoints,omitempty"` Routes []RouteTCP `json:"routes"`
TLS *TLSTCP `json:"tls,omitempty"` // EntryPoints defines the list of entry point names to bind to.
// Entry points have to be configured in the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
// Default: all.
EntryPoints []string `json:"entryPoints,omitempty"`
// TLS defines the TLS configuration on a layer 4 / TCP Route.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
TLS *TLSTCP `json:"tls,omitempty"`
} }
// RouteTCP contains the set of routes. // RouteTCP holds the TCP route configuration.
type RouteTCP struct { type RouteTCP struct {
Match string `json:"match"` // Match defines the router's rule.
Priority int `json:"priority,omitempty"` // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1
Match string `json:"match"`
// Priority defines the router's priority.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1
Priority int `json:"priority,omitempty"`
// Services defines the list of TCP services.
Services []ServiceTCP `json:"services,omitempty"` Services []ServiceTCP `json:"services,omitempty"`
// Middlewares contains references to MiddlewareTCP resources. // Middlewares defines the list of references to MiddlewareTCP resources.
Middlewares []ObjectReference `json:"middlewares,omitempty"` Middlewares []ObjectReference `json:"middlewares,omitempty"`
} }
// TLSTCP contains the TLS certificates configuration of the routes. // TLSTCP holds the TLS configuration for an IngressRouteTCP.
// To enable Let's Encrypt, use an empty TLS struct, // More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
// e.g. in YAML:
//
// tls: {} # inline format
//
// tls:
// secretName: # block format
type TLSTCP struct { type TLSTCP struct {
// SecretName is the name of the referenced Kubernetes Secret to specify the // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
// certificate details. SecretName string `json:"secretName,omitempty"`
SecretName string `json:"secretName,omitempty"` // Passthrough defines whether a TLS router will terminate the TLS connection.
Passthrough bool `json:"passthrough,omitempty"` Passthrough bool `json:"passthrough,omitempty"`
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection. // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
// If not defined, the `default` TLSOption is used.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
Options *ObjectReference `json:"options,omitempty"` Options *ObjectReference `json:"options,omitempty"`
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store. // Store defines the reference to the TLSStore, that will be used to store certificates.
Store *ObjectReference `json:"store,omitempty"` // Please note that only `default` TLSStore can be used.
CertResolver string `json:"certResolver,omitempty"` Store *ObjectReference `json:"store,omitempty"`
Domains []types.Domain `json:"domains,omitempty"` // CertResolver defines the name of the certificate resolver to use.
// Cert resolvers have to be configured in the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
CertResolver string `json:"certResolver,omitempty"`
// Domains defines the list of domains that will be used to issue certificates.
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
Domains []types.Domain `json:"domains,omitempty"`
} }
// ServiceTCP defines an upstream to proxy traffic. // ServiceTCP defines an upstream TCP service to proxy traffic to.
type ServiceTCP struct { type ServiceTCP struct {
Name string `json:"name"` // Name defines the name of the referenced Kubernetes Service.
Namespace string `json:"namespace,omitempty"` Name string `json:"name"`
Port intstr.IntOrString `json:"port"` // Namespace defines the namespace of the referenced Kubernetes Service.
Weight *int `json:"weight,omitempty"` Namespace string `json:"namespace,omitempty"`
TerminationDelay *int `json:"terminationDelay,omitempty"` // Port defines the port of a Kubernetes Service.
ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"` // This can be a reference to a named port.
Port intstr.IntOrString `json:"port"`
// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
Weight *int `json:"weight,omitempty"`
// TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
// it has closed the writing capability of its connection, to close the reading capability as well,
// hence fully terminating the connection.
// It is a duration in milliseconds, defaulting to 100.
// A negative value means an infinite deadline (i.e. the reading capability is never closed).
TerminationDelay *int `json:"terminationDelay,omitempty"`
// ProxyProtocol defines the PROXY protocol configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
} }
// +genclient // +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// IngressRouteTCP is an Ingress CRD specification. // IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
type IngressRouteTCP struct { type IngressRouteTCP struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec IngressRouteTCPSpec `json:"spec"` Spec IngressRouteTCPSpec `json:"spec"`
@ -68,9 +96,13 @@ type IngressRouteTCP struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IngressRouteTCPList is a list of IngressRoutes. // IngressRouteTCPList is a collection of IngressRouteTCP.
type IngressRouteTCPList struct { type IngressRouteTCPList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
Items []IngressRouteTCP `json:"items"`
// Items is the list of IngressRouteTCP.
Items []IngressRouteTCP `json:"items"`
} }

49
pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressrouteudp.go
View file

@ -5,38 +5,45 @@ import (
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
) )
// IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec resource. // IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
type IngressRouteUDPSpec struct { type IngressRouteUDPSpec struct {
Routes []RouteUDP `json:"routes"` // Routes defines the list of routes.
EntryPoints []string `json:"entryPoints,omitempty"` Routes []RouteUDP `json:"routes"`
// EntryPoints defines the list of entry point names to bind to.
// Entry points have to be configured in the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
// Default: all.
EntryPoints []string `json:"entryPoints,omitempty"`
} }
// RouteUDP contains the set of routes. // RouteUDP holds the UDP route configuration.
type RouteUDP struct { type RouteUDP struct {
// Services defines the list of UDP services.
Services []ServiceUDP `json:"services,omitempty"` Services []ServiceUDP `json:"services,omitempty"`
} }
// TLSOptionUDPRef is a ref to the TLSOption resources. // ServiceUDP defines an upstream UDP service to proxy traffic to.
type TLSOptionUDPRef struct {
Name string `json:"name"`
Namespace string `json:"namespace,omitempty"`
}
// ServiceUDP defines an upstream to proxy traffic.
type ServiceUDP struct { type ServiceUDP struct {
Name string `json:"name"` // Name defines the name of the referenced Kubernetes Service.
Namespace string `json:"namespace,omitempty"` Name string `json:"name"`
Port intstr.IntOrString `json:"port"` // Namespace defines the namespace of the referenced Kubernetes Service.
Weight *int `json:"weight,omitempty"` Namespace string `json:"namespace,omitempty"`
// Port defines the port of a Kubernetes Service.
// This can be a reference to a named port.
Port intstr.IntOrString `json:"port"`
// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
Weight *int `json:"weight,omitempty"`
} }
// +genclient // +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// IngressRouteUDP is an Ingress CRD specification. // IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
type IngressRouteUDP struct { type IngressRouteUDP struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec IngressRouteUDPSpec `json:"spec"` Spec IngressRouteUDPSpec `json:"spec"`
@ -44,9 +51,13 @@ type IngressRouteUDP struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IngressRouteUDPList is a list of IngressRoutes. // IngressRouteUDPList is a collection of IngressRouteUDP.
type IngressRouteUDPList struct { type IngressRouteUDPList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
Items []IngressRouteUDP `json:"items"`
// Items is the list of IngressRouteUDP.
Items []IngressRouteUDP `json:"items"`
} }

166
pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
View file

@ -11,9 +11,12 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// Middleware is a specification for a Middleware resource. // Middleware is the CRD implementation of a Traefik Middleware.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/
type Middleware struct { type Middleware struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec MiddlewareSpec `json:"spec"` Spec MiddlewareSpec `json:"spec"`
@ -21,7 +24,7 @@ type Middleware struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// MiddlewareSpec holds the Middleware configuration. // MiddlewareSpec defines the desired state of a Middleware.
type MiddlewareSpec struct { type MiddlewareSpec struct {
AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"` AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"`
StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"` StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"`
@ -50,84 +53,155 @@ type MiddlewareSpec struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ErrorPage holds the custom error page configuration. // ErrorPage holds the custom error middleware configuration.
// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/
type ErrorPage struct { type ErrorPage struct {
Status []string `json:"status,omitempty"` // Status defines which status or range of statuses should result in an error page.
Service Service `json:"service,omitempty"` // It can be either a status code as a number (500),
Query string `json:"query,omitempty"` // as multiple comma-separated numbers (500,502),
// as ranges by separating two codes with a dash (500-599),
// or a combination of the two (404,418,500-599).
Status []string `json:"status,omitempty"`
// Service defines the reference to a Kubernetes Service that will serve the error page.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service
Service Service `json:"service,omitempty"`
// Query defines the URL for the error page (hosted by service).
// The {status} variable can be used in order to insert the status code in the URL.
Query string `json:"query,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Chain holds a chain of middlewares. // Chain holds the configuration of the chain middleware.
// This middleware enables to define reusable combinations of other pieces of middleware.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/
type Chain struct { type Chain struct {
// Middlewares is the list of MiddlewareRef which composes the chain.
Middlewares []MiddlewareRef `json:"middlewares,omitempty"` Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// BasicAuth holds the HTTP basic authentication configuration. // BasicAuth holds the basic auth middleware configuration.
// This middleware restricts access to your services to known users.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/
type BasicAuth struct { type BasicAuth struct {
Secret string `json:"secret,omitempty"` // Secret is the name of the referenced Kubernetes Secret containing user credentials.
Realm string `json:"realm,omitempty"` Secret string `json:"secret,omitempty"`
RemoveHeader bool `json:"removeHeader,omitempty"` // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
HeaderField string `json:"headerField,omitempty"` // Default: traefik.
Realm string `json:"realm,omitempty"`
// RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
// Default: false.
RemoveHeader bool `json:"removeHeader,omitempty"`
// HeaderField defines a header field to store the authenticated user.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
HeaderField string `json:"headerField,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// DigestAuth holds the Digest HTTP authentication configuration. // DigestAuth holds the digest auth middleware configuration.
// This middleware restricts access to your services to known users.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/
type DigestAuth struct { type DigestAuth struct {
Secret string `json:"secret,omitempty"` // Secret is the name of the referenced Kubernetes Secret containing user credentials.
RemoveHeader bool `json:"removeHeader,omitempty"` Secret string `json:"secret,omitempty"`
Realm string `json:"realm,omitempty"` // RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
HeaderField string `json:"headerField,omitempty"` RemoveHeader bool `json:"removeHeader,omitempty"`
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
// Default: traefik.
Realm string `json:"realm,omitempty"`
// HeaderField defines a header field to store the authenticated user.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
HeaderField string `json:"headerField,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ForwardAuth holds the http forward authentication configuration. // ForwardAuth holds the forward auth middleware configuration.
// This middleware delegates the request authentication to a Service.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/
type ForwardAuth struct { type ForwardAuth struct {
Address string `json:"address,omitempty"` // Address defines the authentication server address.
TrustForwardHeader bool `json:"trustForwardHeader,omitempty"` Address string `json:"address,omitempty"`
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"` // TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"` TrustForwardHeader bool `json:"trustForwardHeader,omitempty"`
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"` // AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
TLS *ClientTLS `json:"tls,omitempty"` AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"`
// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
// If not set or empty then all request headers are passed.
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
// TLS defines the configuration used to secure the connection to the authentication server.
TLS *ClientTLS `json:"tls,omitempty"`
} }
// ClientTLS holds TLS specific configurations as client. // ClientTLS holds the client TLS configuration.
type ClientTLS struct { type ClientTLS struct {
CASecret string `json:"caSecret,omitempty"` // CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
CAOptional bool `json:"caOptional,omitempty"` // The CA certificate is extracted from key `tls.ca` or `ca.crt`.
CertSecret string `json:"certSecret,omitempty"` CASecret string `json:"caSecret,omitempty"`
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` // CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
} // The client certificate is extracted from the keys `tls.crt` and `tls.key`.
CertSecret string `json:"certSecret,omitempty"`
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // InsecureSkipVerify defines whether the server certificates should be validated.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// MiddlewareList is a list of Middleware resources. CAOptional bool `json:"caOptional,omitempty"`
type MiddlewareList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []Middleware `json:"items"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// RateLimit holds the rate limiting configuration for a given router. // RateLimit holds the rate limit configuration.
// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/
type RateLimit struct { type RateLimit struct {
Average int64 `json:"average,omitempty"` // Average is the maximum rate, by default in requests/s, allowed for the given source.
Period *intstr.IntOrString `json:"period,omitempty"` // It defaults to 0, which means no rate limiting.
Burst *int64 `json:"burst,omitempty"` // The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
// one needs to define a Period larger than a second.
Average int64 `json:"average,omitempty"`
// Period, in combination with Average, defines the actual maximum rate, such as:
// r = Average / Period. It defaults to a second.
Period *intstr.IntOrString `json:"period,omitempty"`
// Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
// It defaults to 1.
Burst *int64 `json:"burst,omitempty"`
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
// If several strategies are defined at the same time, an error will be raised.
// If none are set, the default is to use the request's remote address field (as an ipStrategy).
SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"` SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Retry holds the retry configuration. // Retry holds the retry middleware configuration.
// This middleware reissues requests a given number of times to a backend server if that server does not reply.
// As soon as the server answers, the middleware stops retrying, regardless of the response status.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/
type Retry struct { type Retry struct {
Attempts int `json:"attempts,omitempty"` // Attempts defines how many times the request should be retried.
Attempts int `json:"attempts,omitempty"`
// InitialInterval defines the first wait time in the exponential backoff series.
// The maximum interval is calculated as twice the initialInterval.
// If unspecified, requests will be retried immediately.
// The value of initialInterval should be provided in seconds or as a valid duration format,
// see https://pkg.go.dev/time#ParseDuration.
InitialInterval intstr.IntOrString `json:"initialInterval,omitempty"` InitialInterval intstr.IntOrString `json:"initialInterval,omitempty"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// MiddlewareList is a collection of Middleware resources.
type MiddlewareList struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"`
// Items is the list of Middleware.
Items []Middleware `json:"items"`
}

18
pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go
View file

@ -8,9 +8,12 @@ import (
// +genclient // +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// MiddlewareTCP is a specification for a MiddlewareTCP resource. // MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/
type MiddlewareTCP struct { type MiddlewareTCP struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec MiddlewareTCPSpec `json:"spec"` Spec MiddlewareTCPSpec `json:"spec"`
@ -18,18 +21,23 @@ type MiddlewareTCP struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// MiddlewareTCPSpec holds the MiddlewareTCP configuration. // MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
type MiddlewareTCPSpec struct { type MiddlewareTCPSpec struct {
// InFlightConn defines the InFlightConn middleware configuration.
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"` InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"` // IPWhiteList defines the IPWhiteList middleware configuration.
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// MiddlewareTCPList is a list of MiddlewareTCP resources. // MiddlewareTCPList is a collection of MiddlewareTCP resources.
type MiddlewareTCPList struct { type MiddlewareTCPList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
// Items is the list of MiddlewareTCP.
Items []MiddlewareTCP `json:"items"` Items []MiddlewareTCP `json:"items"`
} }

4
pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go
View file

@ -2,6 +2,8 @@ package v1alpha1
// ObjectReference is a generic reference to a Traefik resource. // ObjectReference is a generic reference to a Traefik resource.
type ObjectReference struct { type ObjectReference struct {
Name string `json:"name"` // Name defines the name of the referenced Traefik resource.
Name string `json:"name"`
// Namespace defines the namespace of the referenced Traefik resource.
Namespace string `json:"namespace,omitempty"` Namespace string `json:"namespace,omitempty"`
} }

39
pkg/provider/kubernetes/crd/traefik/v1alpha1/serverstransport.go
View file

@ -9,9 +9,14 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// ServersTransport is a specification for a ServersTransport resource. // ServersTransport is the CRD implementation of a ServersTransport.
// If no serversTransport is specified, the default@internal will be used.
// The default@internal serversTransport is created from the static configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1
type ServersTransport struct { type ServersTransport struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec ServersTransportSpec `json:"spec"` Spec ServersTransportSpec `json:"spec"`
@ -19,38 +24,37 @@ type ServersTransport struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ServersTransportSpec options to configure communication between Traefik and the servers. // ServersTransportSpec defines the desired state of a ServersTransport.
type ServersTransportSpec struct { type ServersTransportSpec struct {
// ServerName used to contact the server. // ServerName defines the server name used to contact the server.
ServerName string `json:"serverName,omitempty"` ServerName string `json:"serverName,omitempty"`
// Disable SSL certificate verification. // InsecureSkipVerify disables SSL certificate verification.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// Add cert file for self-signed certificate. // RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"` RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
// Certificates for mTLS. // CertificatesSecrets defines a list of secret storing client certificates for mTLS.
CertificatesSecrets []string `json:"certificatesSecrets,omitempty"` CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
// If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. // MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
MaxIdleConnsPerHost int `json:"maxIdleConnsPerHost,omitempty"` MaxIdleConnsPerHost int `json:"maxIdleConnsPerHost,omitempty"`
// Timeouts for requests forwarded to the backend servers. // ForwardingTimeouts defines the timeouts for requests forwarded to the backend servers.
ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"` ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"`
// Disable HTTP/2 for connections with backend servers. // DisableHTTP2 disables HTTP/2 for connections with backend servers.
DisableHTTP2 bool `json:"disableHTTP2,omitempty"` DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
// URI used to match against SAN URI during the peer certificate verification. // PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
PeerCertURI string `json:"peerCertURI,omitempty"` PeerCertURI string `json:"peerCertURI,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers. // ForwardingTimeouts holds the timeout configurations for forwarding requests to the backend servers.
type ForwardingTimeouts struct { type ForwardingTimeouts struct {
// DialTimeout is the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. // DialTimeout is the amount of time to wait until a connection to a backend server can be established.
DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"` DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
// ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any). // ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
// If zero, no timeout exists.
ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"` ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"`
// IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself. // IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.
IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"` IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"`
// ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. If zero, no health check is performed. // ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.
ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"` ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"`
// PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. // PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.
PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"` PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
@ -58,10 +62,13 @@ type ForwardingTimeouts struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ServersTransportList is a list of ServersTransport resources. // ServersTransportList is a collection of ServersTransport resources.
type ServersTransportList struct { type ServersTransportList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
// Items is the list of ServersTransport.
Items []ServersTransport `json:"items"` Items []ServersTransport `json:"items"`
} }

57
pkg/provider/kubernetes/crd/traefik/v1alpha1/service.go
View file

@ -9,60 +9,77 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// TraefikService is the specification for a service (that an IngressRoute refers // TraefikService is the CRD implementation of a Traefik Service.
// to) that is usually not a terminal service (i.e. not a pod of servers), as // TraefikService object allows to:
// opposed to a Kubernetes Service. That is to say, it usually refers to other // - Apply weight to Services on load-balancing
// (children) services, which themselves can be TraefikServices or Services. // - Mirror traffic on services
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice
type TraefikService struct { type TraefikService struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec ServiceSpec `json:"spec"` Spec TraefikServiceSpec `json:"spec"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// TraefikServiceList is a list of TraefikService resources. // TraefikServiceList is a collection of TraefikService resources.
type TraefikServiceList struct { type TraefikServiceList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
// Items is the list of TraefikService.
Items []TraefikService `json:"items"` Items []TraefikService `json:"items"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ServiceSpec defines whether a TraefikService is a load-balancer of services or a // TraefikServiceSpec defines the desired state of a TraefikService.
// mirroring service. type TraefikServiceSpec struct {
type ServiceSpec struct { // Weighted defines the Weighted Round Robin configuration.
Weighted *WeightedRoundRobin `json:"weighted,omitempty"` Weighted *WeightedRoundRobin `json:"weighted,omitempty"`
Mirroring *Mirroring `json:"mirroring,omitempty"` // Mirroring defines the Mirroring service configuration.
Mirroring *Mirroring `json:"mirroring,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// Mirroring defines a mirroring service, which is composed of a main // Mirroring holds the mirroring service configuration.
// load-balancer, and a list of mirrors. // More info: https://doc.traefik.io/traefik/v2.7/routing/services/#mirroring-service
type Mirroring struct { type Mirroring struct {
LoadBalancerSpec `json:",inline"` LoadBalancerSpec `json:",inline"`
MaxBodySize *int64 `json:"maxBodySize,omitempty"` // MaxBodySize defines the maximum size allowed for the body of the request.
Mirrors []MirrorService `json:"mirrors,omitempty"` // If the body is larger, the request is not mirrored.
// Default value is -1, which means unlimited size.
MaxBodySize *int64 `json:"maxBodySize,omitempty"`
// Mirrors defines the list of mirrors where Traefik will duplicate the traffic.
Mirrors []MirrorService `json:"mirrors,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// MirrorService defines one of the mirrors of a Mirroring service. // MirrorService holds the mirror configuration.
type MirrorService struct { type MirrorService struct {
LoadBalancerSpec `json:",inline"` LoadBalancerSpec `json:",inline"`
// Percent defines the part of the traffic to mirror.
// Supported values: 0 to 100.
Percent int `json:"percent,omitempty"` Percent int `json:"percent,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// WeightedRoundRobin defines a load-balancer of services. // WeightedRoundRobin holds the weighted round-robin configuration.
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#weighted-round-robin-service
type WeightedRoundRobin struct { type WeightedRoundRobin struct {
Services []Service `json:"services,omitempty"` // Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight.
Sticky *dynamic.Sticky `json:"sticky,omitempty"` Services []Service `json:"services,omitempty"`
// Sticky defines whether sticky sessions are enabled.
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
Sticky *dynamic.Sticky `json:"sticky,omitempty"`
} }

52
pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
View file

@ -8,9 +8,12 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// TLSOption is a specification for a TLSOption resource. // TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
type TLSOption struct { type TLSOption struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec TLSOptionSpec `json:"spec"` Spec TLSOptionSpec `json:"spec"`
@ -18,35 +21,54 @@ type TLSOption struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// TLSOptionSpec configures TLS for an entry point. // TLSOptionSpec defines the desired state of a TLSOption.
type TLSOptionSpec struct { type TLSOptionSpec struct {
MinVersion string `json:"minVersion,omitempty"` // MinVersion defines the minimum TLS version that Traefik will accept.
MaxVersion string `json:"maxVersion,omitempty"` // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
CipherSuites []string `json:"cipherSuites,omitempty"` // Default: VersionTLS10.
CurvePreferences []string `json:"curvePreferences,omitempty"` MinVersion string `json:"minVersion,omitempty"`
ClientAuth ClientAuth `json:"clientAuth,omitempty"` // MaxVersion defines the maximum TLS version that Traefik will accept.
SniStrict bool `json:"sniStrict,omitempty"` // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"` // Default: None.
ALPNProtocols []string `json:"alpnProtocols,omitempty"` MaxVersion string `json:"maxVersion,omitempty"`
// CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites
CipherSuites []string `json:"cipherSuites,omitempty"`
// CurvePreferences defines the preferred elliptic curves in a specific order.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences
CurvePreferences []string `json:"curvePreferences,omitempty"`
// ClientAuth defines the server's policy for TLS Client Authentication.
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
// SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
SniStrict bool `json:"sniStrict,omitempty"`
// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
// It is enabled automatically when minVersion or maxVersion are set.
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols
ALPNProtocols []string `json:"alpnProtocols,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// ClientAuth defines the parameters of the client authentication part of the TLS connection, if any. // ClientAuth holds the TLS client authentication configuration.
type ClientAuth struct { type ClientAuth struct {
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. // SecretNames defines the names of the referenced Kubernetes Secret storing certificate details.
SecretNames []string `json:"secretNames,omitempty"` SecretNames []string `json:"secretNames,omitempty"`
// +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert
// ClientAuthType defines the client authentication type to apply. // ClientAuthType defines the client authentication type to apply.
// +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert
ClientAuthType string `json:"clientAuthType,omitempty"` ClientAuthType string `json:"clientAuthType,omitempty"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// TLSOptionList is a list of TLSOption resources. // TLSOptionList is a collection of TLSOption resources.
type TLSOptionList struct { type TLSOptionList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
// Items is the list of TLSOption.
Items []TLSOption `json:"items"` Items []TLSOption `json:"items"`
} }

19
pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go
View file

@ -8,9 +8,14 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:storageversion // +kubebuilder:storageversion
// TLSStore is a specification for a TLSStore resource. // TLSStore is the CRD implementation of a Traefik TLS Store.
// For the time being, only the TLSStore named default is supported.
// This means that you cannot have two stores that are named default in different Kubernetes namespaces.
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores
type TLSStore struct { type TLSStore struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata"` metav1.ObjectMeta `json:"metadata"`
Spec TLSStoreSpec `json:"spec"` Spec TLSStoreSpec `json:"spec"`
@ -18,14 +23,15 @@ type TLSStore struct {
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// TLSStoreSpec configures a TLSStore resource. // TLSStoreSpec defines the desired state of a TLSStore.
type TLSStoreSpec struct { type TLSStoreSpec struct {
// DefaultCertificate defines the default certificate configuration.
DefaultCertificate DefaultCertificate `json:"defaultCertificate"` DefaultCertificate DefaultCertificate `json:"defaultCertificate"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
// DefaultCertificate holds a secret name for the TLSOption resource. // DefaultCertificate holds the default certificate configuration.
type DefaultCertificate struct { type DefaultCertificate struct {
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details. // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
@ -33,10 +39,13 @@ type DefaultCertificate struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// TLSStoreList is a list of TLSStore resources. // TLSStoreList is a collection of TLSStore resources.
type TLSStoreList struct { type TLSStoreList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"` metav1.ListMeta `json:"metadata"`
// Items is the list of TLSStore.
Items []TLSStore `json:"items"` Items []TLSStore `json:"items"`
} }

68
pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
View file

@ -1140,32 +1140,6 @@ func (in *Service) DeepCopy() *Service {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) {
*out = *in
if in.Weighted != nil {
in, out := &in.Weighted, &out.Weighted
*out = new(WeightedRoundRobin)
(*in).DeepCopyInto(*out)
}
if in.Mirroring != nil {
in, out := &in.Mirroring, &out.Mirroring
*out = new(Mirroring)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSpec.
func (in *ServiceSpec) DeepCopy() *ServiceSpec {
if in == nil {
return nil
}
out := new(ServiceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceTCP) DeepCopyInto(out *ServiceTCP) { func (in *ServiceTCP) DeepCopyInto(out *ServiceTCP) {
*out = *in *out = *in
@ -1361,22 +1335,6 @@ func (in *TLSOptionSpec) DeepCopy() *TLSOptionSpec {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSOptionUDPRef) DeepCopyInto(out *TLSOptionUDPRef) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSOptionUDPRef.
func (in *TLSOptionUDPRef) DeepCopy() *TLSOptionUDPRef {
if in == nil {
return nil
}
out := new(TLSOptionUDPRef)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStore) DeepCopyInto(out *TLSStore) { func (in *TLSStore) DeepCopyInto(out *TLSStore) {
*out = *in *out = *in
@ -1563,6 +1521,32 @@ func (in *TraefikServiceList) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TraefikServiceSpec) DeepCopyInto(out *TraefikServiceSpec) {
*out = *in
if in.Weighted != nil {
in, out := &in.Weighted, &out.Weighted
*out = new(WeightedRoundRobin)
(*in).DeepCopyInto(*out)
}
if in.Mirroring != nil {
in, out := &in.Mirroring, &out.Mirroring
*out = new(Mirroring)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TraefikServiceSpec.
func (in *TraefikServiceSpec) DeepCopy() *TraefikServiceSpec {
if in == nil {
return nil
}
out := new(TraefikServiceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WeightedRoundRobin) DeepCopyInto(out *WeightedRoundRobin) { func (in *WeightedRoundRobin) DeepCopyInto(out *WeightedRoundRobin) {
*out = *in *out = *in

4
pkg/redactor/testdata/anonymized-dynamic-config.json vendored
View file

@ -283,6 +283,7 @@
"notAfter": true, "notAfter": true,
"notBefore": true, "notBefore": true,
"sans": true, "sans": true,
"serialNumber": true,
"subject": { "subject": {
"country": true, "country": true,
"province": true, "province": true,
@ -301,8 +302,7 @@
"commonName": true, "commonName": true,
"serialNumber": true, "serialNumber": true,
"domainComponent": true "domainComponent": true
}, }
"serialNumber": true
} }
}, },
"retry": { "retry": {

4
pkg/redactor/testdata/secured-dynamic-config.json vendored
View file

@ -286,6 +286,7 @@
"notAfter": true, "notAfter": true,
"notBefore": true, "notBefore": true,
"sans": true, "sans": true,
"serialNumber": true,
"subject": { "subject": {
"country": true, "country": true,
"province": true, "province": true,
@ -304,8 +305,7 @@
"commonName": true, "commonName": true,
"serialNumber": true, "serialNumber": true,
"domainComponent": true "domainComponent": true
}, }
"serialNumber": true
} }
}, },
"retry": { "retry": {

5
script/code-gen.sh
View file

@ -32,8 +32,9 @@ docker run --rm \
-w "/go/src/${PROJECT_MODULE}" \ -w "/go/src/${PROJECT_MODULE}" \
"${IMAGE_NAME}" $cmd "${IMAGE_NAME}" $cmd
echo "Concatenate the CRD definitions for the integration tests ..." echo "Concatenate the CRD definitions for publication and integration tests ..."
cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
cp -f $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml
cp -r $(pwd)/${MODULE_VERSION}/* $(pwd) cp -r $(pwd)/${MODULE_VERSION}/* $(pwd)
rm -rf $(pwd)/${MODULE_VERSION} rm -rf $(pwd)/${MODULE_VERSION}