baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

fix: add peerCertURI config to k8s crd provider

Browse source 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
This commit is contained in:
Kevin Pollet 2021-09-17 08:56:07 +02:00 committed by GitHub
parent 76867e39ea
commit bda0dba131
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 32 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
docs/content/routing/providers/kubernetes-crd.md
View file

@ -1713,19 +1713,19 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
disableHTTP2: true # [11] disableHTTP2: true # [11]
``` ```
| Ref | Attribute | Purpose | | Ref | Attribute | Purpose |
|------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| |------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `serverName` | ServerName used to contact the server. | | [1] | `serverName` | ServerName used to contact the server. |
| [2] | `insecureSkipVerify` | Disables SSL certificate verification. | | [2] | `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. |
| [3] | `rootCAsSecrets` | Adds cert file for self-signed certificate. The secret must contain a certificate under either a tls.ca or a ca.crt key. | | [3] | `rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | `certificatesSecrets` | Certificates for mTLS. | | [4] | `certificatesSecrets` | Certificates to present to the server for mTLS. |
| [5] | `maxIdleConnsPerHost` | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. | | [5] | `maxIdleConnsPerHost` | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. |
| [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the backend servers. | | [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the servers. |
| [7] | `dialTimeout` | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | | [7] | `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. | | [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | `idleConnTimeout` | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself. | | [9] | `idleConnTimeout` | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | `peerCertURI` | URI used to match with service certificate. | | [10] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [11] | `disableHTTP2` | Disables HTTP/2 for connections with backend servers. | | [11] | `disableHTTP2` | Disables HTTP/2 for connections with servers. |
!!! info "CA Secret" !!! info "CA Secret"

14
docs/content/routing/services/index.md
View file

@ -606,7 +606,7 @@ metadata:
_Optional_ _Optional_
`insecureSkipVerify` disables SSL certificate verification. `insecureSkipVerify` controls whether the server's certificate chain and host name is verified.
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
## Dynamic configuration ## Dynamic configuration
@ -637,8 +637,7 @@ spec:
_Optional_ _Optional_
`rootCAs` is the list of certificates (as file paths, or data bytes) `rootCAs` defines the set of root certificate authorities (as file paths, or data bytes) to use when verifying server certificates.
that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
## Dynamic configuration ## Dynamic configuration
@ -711,7 +710,7 @@ spec:
_Optional, Default=false_ _Optional, Default=false_
`disableHTTP2` disables HTTP/2 for connections with backend servers. `disableHTTP2` disables HTTP/2 for connections with servers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
## Dynamic configuration ## Dynamic configuration
@ -742,7 +741,7 @@ spec:
_Optional, Default=false_ _Optional, Default=false_
`peerCertURI` defines the URI used to match against SAN URI during the peer certificate verification. `peerCertURI` defines the URI used to match against SAN URIs during the server's certificate verification.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
## Dynamic configuration ## Dynamic configuration
@ -771,7 +770,7 @@ spec:
#### `forwardingTimeouts` #### `forwardingTimeouts`
`forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers. `forwardingTimeouts` are the timeouts applied when forwarding requests to the servers.
##### `forwardingTimeouts.dialTimeout` ##### `forwardingTimeouts.dialTimeout`
@ -847,8 +846,7 @@ spec:
_Optional, Default=90s_ _Optional, Default=90s_
`idleConnTimeout`, is the maximum amount of time an idle (keep-alive) connection `idleConnTimeout` is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
will remain idle before closing itself.
Zero means no limit. Zero means no limit.
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"

19
pkg/provider/kubernetes/crd/fixtures/with_servers_transport.yml
View file

@ -94,17 +94,18 @@ spec:
insecureSkipVerify: true insecureSkipVerify: true
maxIdleConnsPerHost: 42 maxIdleConnsPerHost: 42
disableHTTP2: true disableHTTP2: true
peerCertURI: foo://bar
rootCAsSecrets: rootCAsSecrets:
- root-ca0 - root-ca0
- root-ca1 - root-ca1
- root-ca2 - root-ca2
- root-ca3 - root-ca3
- root-ca4 - root-ca4
- allcerts - allcerts
certificatesSecrets: certificatesSecrets:
- mtls1 - mtls1
- mtls2 - mtls2
- allcerts - allcerts
forwardingTimeouts: forwardingTimeouts:
dialTimeout: 42 dialTimeout: 42
responseHeaderTimeout: 42s responseHeaderTimeout: 42s

1
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -348,6 +348,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
DisableHTTP2: serversTransport.Spec.DisableHTTP2, DisableHTTP2: serversTransport.Spec.DisableHTTP2,
MaxIdleConnsPerHost: serversTransport.Spec.MaxIdleConnsPerHost, MaxIdleConnsPerHost: serversTransport.Spec.MaxIdleConnsPerHost,
ForwardingTimeouts: forwardingTimeout, ForwardingTimeouts: forwardingTimeout,
PeerCertURI: serversTransport.Spec.PeerCertURI,
} }
} }

2
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -3516,6 +3516,7 @@ func TestLoadIngressRoutes(t *testing.T) {
ResponseHeaderTimeout: types.Duration(42 * time.Second), ResponseHeaderTimeout: types.Duration(42 * time.Second),
IdleConnTimeout: types.Duration(42 * time.Millisecond), IdleConnTimeout: types.Duration(42 * time.Millisecond),
}, },
PeerCertURI: "foo://bar",
}, },
"default-test": { "default-test": {
ServerName: "test", ServerName: "test",
@ -3627,6 +3628,7 @@ func TestLoadIngressRoutes(t *testing.T) {
IdleConnTimeout: types.Duration(42 * time.Millisecond), IdleConnTimeout: types.Duration(42 * time.Millisecond),
}, },
DisableHTTP2: true, DisableHTTP2: true,
PeerCertURI: "foo://bar",
}, },
"default-test": { "default-test": {
ServerName: "test", ServerName: "test",