diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index 77b715abb..c93b73afd 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md @@ -179,7 +179,7 @@ To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in t #### Expose an Ingress on 80 and 443 -Define the default TLS configuration on the HTTPS entry point. +Define the default TLS configuration on the HTTPS entry point. ```yaml tab="Ingress" kind: Ingress @@ -335,7 +335,7 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn ### IngressClass In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced. -In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. +In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. ## v2.3 to v2.4 @@ -350,7 +350,7 @@ It is therefore necessary to update [RBAC](../reference/dynamic-configuration/ku In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions, and in TCP router rule `HostSNI` expression. -This check ensures that provided domain names don't contain non-ASCII characters. +This check ensures that provided domain names don't contain non-ASCII characters. If not, an error is raised, and the associated router will be shown as invalid in the dashboard. This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues. @@ -380,8 +380,8 @@ To allow it, the `allowExternalNameServices` option should be set to `true`. ### Kubernetes CRD -In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`. -As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema. +In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`. +As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema. After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update. @@ -420,6 +420,6 @@ the legacy behavior related to the CommonName field can not be enabled at all an ### Errors middleware -In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default), +In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default), the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`. Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details. diff --git a/docs/content/providers/kubernetes-ingress.md b/docs/content/providers/kubernetes-ingress.md index 63e4ef06a..bfbf0cff6 100644 --- a/docs/content/providers/kubernetes-ingress.md +++ b/docs/content/providers/kubernetes-ingress.md @@ -36,10 +36,10 @@ and derives the corresponding dynamic configuration from it, which in turn creates the resulting routers, services, handlers, etc. ```yaml tab="Ingress" +apiVersion: networking.k8s.io/v1 kind: Ingress -apiVersion: networking.k8s.io/v1beta1 metadata: - name: "foo" + name: foo namespace: production spec: @@ -48,20 +48,26 @@ spec: http: paths: - path: /bar + pathType: Exact backend: - serviceName: service1 - servicePort: 80 + service: + name: service1 + port: + number: 80 - path: /foo + pathType: Exact backend: - serviceName: service1 - servicePort: 80 + service: + name: service1 + port: + number: 80 ``` -```yaml tab="Ingress Kubernetes v1.19+" +```yaml tab="Ingress v1beta1 (deprecated)" +apiVersion: networking.k8s.io/v1beta1 kind: Ingress -apiVersion: networking.k8s.io/v1 metadata: - name: "foo" + name: foo namespace: production spec: @@ -70,19 +76,13 @@ spec: http: paths: - path: /bar - pathType: Exact backend: - service: - name: service1 - port: - number: 80 + serviceName: service1 + servicePort: 80 - path: /foo - pathType: Exact backend: - service: - name: service1 - port: - number: 80 + serviceName: service1 + servicePort: 80 ``` ## LetsEncrypt Support with the Ingress Provider @@ -272,19 +272,19 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value ``` ```yaml tab="Ingress" - apiVersion: "networking.k8s.io/v1beta1" - kind: "Ingress" + apiVersion: networking.k8s.io/v1beta1 + kind: Ingress metadata: - name: "example-ingress" + name: example-ingress spec: - ingressClassName: "traefik-lb" + ingressClassName: traefik-lb rules: - host: "*.example.com" http: paths: - - path: "/example" + - path: /example backend: - serviceName: "example-service" + serviceName: example-service servicePort: 80 ``` @@ -303,21 +303,21 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value ``` ```yaml tab="Ingress" - apiVersion: "networking.k8s.io/v1" - kind: "Ingress" + apiVersion: networking.k8s.io/v1 + kind: Ingress metadata: - name: "example-ingress" + name: example-ingress spec: - ingressClassName: "traefik-lb" + ingressClassName: traefik-lb rules: - host: "*.example.com" http: paths: - - path: "/example" + - path: /example pathType: Exact backend: service: - name: "example-service" + name: example-service port: number: 80 ``` diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml index 58548c561..4a5b80e6b 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml @@ -1,5 +1,5 @@ +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller @@ -48,8 +48,8 @@ rules: - watch --- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller diff --git a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml index c864f55af..72c35e5a5 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml @@ -38,8 +38,8 @@ rules: - update --- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: gateway-controller diff --git a/docs/content/routing/providers/kubernetes-ingress.md b/docs/content/routing/providers/kubernetes-ingress.md index e4a2fb585..d2448f3e0 100644 --- a/docs/content/routing/providers/kubernetes-ingress.md +++ b/docs/content/routing/providers/kubernetes-ingress.md @@ -15,8 +15,8 @@ which in turn will create the resulting routers, services, handlers, etc. ```yaml tab="RBAC" --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: @@ -48,8 +48,8 @@ which in turn will create the resulting routers, services, handlers, etc. - update --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: @@ -63,8 +63,37 @@ which in turn will create the resulting routers, services, handlers, etc. ``` ```yaml tab="Ingress" + apiVersion: networking.k8s.io/v1 kind: Ingress + metadata: + name: myingress + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web + + spec: + rules: + - host: example.com + http: + paths: + - path: /bar + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + - path: /foo + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + ``` + + ```yaml tab="Ingress v1beta1 (deprecated)" apiVersion: networking.k8s.io/v1beta1 + kind: Ingress metadata: name: myingress annotations: @@ -84,36 +113,7 @@ which in turn will create the resulting routers, services, handlers, etc. serviceName: whoami servicePort: 80 ``` - - ```yaml tab="Ingress Kubernetes v1.19+" - kind: Ingress - apiVersion: networking.k8s.io/v1 - metadata: - name: myingress - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: web - - spec: - rules: - - host: example.com - http: - paths: - - path: /bar - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - - path: /foo - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - ``` - + ```yaml tab="Traefik" apiVersion: v1 kind: ServiceAccount @@ -121,8 +121,8 @@ which in turn will create the resulting routers, services, handlers, etc. name: traefik-ingress-controller --- - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: traefik labels: @@ -166,8 +166,8 @@ which in turn will create the resulting routers, services, handlers, etc. ``` ```yaml tab="Whoami" - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: whoami labels: @@ -237,7 +237,7 @@ which in turn will create the resulting routers, services, handlers, etc. ??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`" - Overrides the default router rule type used for a path. + Overrides the default router rule type used for a path. Only path-related matcher name can be specified: `Path`, `PathPrefix`. Default `PathPrefix` @@ -401,8 +401,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d ```yaml tab="RBAC" --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: @@ -434,8 +434,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d - update --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: @@ -449,8 +449,37 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d ``` ```yaml tab="Ingress" + apiVersion: networking.k8s.io/v1 kind: Ingress + metadata: + name: myingress + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + + spec: + rules: + - host: example.com + http: + paths: + - path: /bar + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + - path: /foo + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + ``` + + ```yaml tab="Ingress v1beta1 (deprecated)" apiVersion: networking.k8s.io/v1beta1 + kind: Ingress metadata: name: myingress annotations: @@ -470,36 +499,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d serviceName: whoami servicePort: 80 ``` - - ```yaml tab="Ingress Kubernetes v1.19+" - kind: Ingress - apiVersion: networking.k8s.io/v1 - metadata: - name: myingress - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - - spec: - rules: - - host: example.com - http: - paths: - - path: /bar - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - - path: /foo - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - ``` - + ```yaml tab="Traefik" apiVersion: v1 kind: ServiceAccount @@ -507,8 +507,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d name: traefik-ingress-controller --- - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: traefik labels: @@ -553,8 +553,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d ``` ```yaml tab="Whoami" - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: whoami labels: @@ -608,8 +608,8 @@ For more options, please refer to the available [annotations](#on-ingress). ```yaml tab="RBAC" --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: @@ -641,8 +641,8 @@ For more options, please refer to the available [annotations](#on-ingress). - update --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: @@ -656,8 +656,38 @@ For more options, please refer to the available [annotations](#on-ingress). ``` ```yaml tab="Ingress" + apiVersion: networking.k8s.io/v1 kind: Ingress + metadata: + name: myingress + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: true + + spec: + rules: + - host: example.com + http: + paths: + - path: /bar + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + - path: /foo + pathType: Exact + backend: + service: + name: whoami + port: + number: 80 + ``` + + ```yaml tab="Ingress v1beta1 (deprecated)" apiVersion: networking.k8s.io/v1beta1 + kind: Ingress metadata: name: myingress annotations: @@ -678,37 +708,7 @@ For more options, please refer to the available [annotations](#on-ingress). serviceName: whoami servicePort: 80 ``` - - ```yaml tab="Ingress Kubernetes v1.19+" - kind: Ingress - apiVersion: networking.k8s.io/v1 - metadata: - name: myingress - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: true - - spec: - rules: - - host: example.com - http: - paths: - - path: /bar - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - - path: /foo - pathType: Exact - backend: - service: - name: whoami - port: - number: 80 - ``` - + ```yaml tab="Traefik" apiVersion: v1 kind: ServiceAccount @@ -716,8 +716,8 @@ For more options, please refer to the available [annotations](#on-ingress). name: traefik-ingress-controller --- - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: traefik labels: @@ -761,8 +761,8 @@ For more options, please refer to the available [annotations](#on-ingress). ``` ```yaml tab="Whoami" - kind: Deployment apiVersion: apps/v1 + kind: Deployment metadata: name: whoami labels: @@ -807,8 +807,34 @@ For more options, please refer to the available [annotations](#on-ingress). ??? example "Using a secret" ```yaml tab="Ingress" + apiVersion: networking.k8s.io/v1 kind: Ingress + metadata: + name: foo + namespace: production + + spec: + rules: + - host: example.net + http: + paths: + - path: /bar + pathType: Exact + backend: + service: + name: service1 + port: + number: 80 + # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS. + # Doesn't enable TLS for that ingress (hence for the underlying router). + # Please see the TLS annotations on ingress made for that purpose. + tls: + - secretName: supersecret + ``` + + ```yaml tab="Ingress v1beta1 (deprecated)" apiVersion: networking.k8s.io/v1beta1 + kind: Ingress metadata: name: foo namespace: production @@ -829,32 +855,6 @@ For more options, please refer to the available [annotations](#on-ingress). - secretName: supersecret ``` - ```yaml tab="Ingress Kubernetes v1.19+" - kind: Ingress - apiVersion: networking.k8s.io/v1 - metadata: - name: foo - namespace: production - - spec: - rules: - - host: example.net - http: - paths: - - path: /bar - pathType: Exact - backend: - service: - name: service1 - port: - number: 80 - # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS. - # Doesn't enable TLS for that ingress (hence for the underlying router). - # Please see the TLS annotations on ingress made for that purpose. - tls: - - secretName: supersecret - ``` - ```yaml tab="Secret" apiVersion: v1 kind: Secret @@ -900,18 +900,6 @@ and will connect via TLS automatically. Ingresses can be created that look like the following: ```yaml tab="Ingress" -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: cheese - -spec: - defaultBackend: - serviceName: stilton - serverPort: 80 -``` - -```yaml tab="Ingress Kubernetes v1.19+" apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -925,6 +913,18 @@ spec: number: 80 ``` +```yaml tab="Ingress v1beta1 (deprecated)" +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: cheese + +spec: + defaultBackend: + serviceName: stilton + serverPort: 80 +``` + This ingress follows the Global Default Backend property of ingresses. This will allow users to create a "default router" that will match all unmatched requests.