package crd import ( "context" "errors" "fmt" "strings" "github.com/containous/traefik/v2/pkg/config/dynamic" "github.com/containous/traefik/v2/pkg/log" "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1" "github.com/containous/traefik/v2/pkg/tls" corev1 "k8s.io/api/core/v1" ) func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *dynamic.HTTPConfiguration { conf := &dynamic.HTTPConfiguration{ Routers: map[string]*dynamic.Router{}, Middlewares: map[string]*dynamic.Middleware{}, Services: map[string]*dynamic.Service{}, } for _, ingressRoute := range client.GetIngressRoutes() { ctxRt := log.With(ctx, log.Str("ingress", ingressRoute.Name), log.Str("namespace", ingressRoute.Namespace)) logger := log.FromContext(ctxRt) // TODO keep the name ingressClass? if !shouldProcessIngress(p.IngressClass, ingressRoute.Annotations[annotationKubernetesIngressClass]) { continue } err := getTLSHTTP(ctx, ingressRoute, client, tlsConfigs) if err != nil { logger.Errorf("Error configuring TLS: %v", err) } ingressName := ingressRoute.Name if len(ingressName) == 0 { ingressName = ingressRoute.GenerateName } for _, route := range ingressRoute.Spec.Routes { if route.Kind != "Rule" { logger.Errorf("Unsupported match kind: %s. Only \"Rule\" is supported for now.", route.Kind) continue } if len(route.Match) == 0 { logger.Errorf("Empty match rule") continue } if err := checkStringQuoteValidity(route.Match); err != nil { logger.Errorf("Invalid syntax for match rule: %s", route.Match) continue } key, err := makeServiceKey(route.Match, ingressName) if err != nil { logger.Error(err) continue } serviceName := makeID(ingressRoute.Namespace, key) for _, service := range route.Services { balancerServerHTTP, err := createLoadBalancerServerHTTP(client, ingressRoute.Namespace, service) if err != nil { logger. WithField("serviceName", service.Name). WithField("servicePort", service.Port). Errorf("Cannot create service: %v", err) continue } // If there is only one service defined, we skip the creation of the load balancer of services, // i.e. the service on top is directly a load balancer of servers. if len(route.Services) == 1 { conf.Services[serviceName] = balancerServerHTTP break } serviceKey := fmt.Sprintf("%s-%s-%d", serviceName, service.Name, service.Port) conf.Services[serviceKey] = balancerServerHTTP srv := dynamic.WRRService{Name: serviceKey} srv.SetDefaults() if service.Weight != nil { srv.Weight = service.Weight } if conf.Services[serviceName] == nil { conf.Services[serviceName] = &dynamic.Service{Weighted: &dynamic.WeightedRoundRobin{}} } conf.Services[serviceName].Weighted.Services = append(conf.Services[serviceName].Weighted.Services, srv) } var mds []string for _, mi := range route.Middlewares { if strings.Contains(mi.Name, "@") { if len(mi.Namespace) > 0 { logger. WithField(log.MiddlewareName, mi.Name). Warnf("namespace %q is ignored in cross-provider context", mi.Namespace) } mds = append(mds, mi.Name) continue } ns := mi.Namespace if len(ns) == 0 { ns = ingressRoute.Namespace } mds = append(mds, makeID(ns, mi.Name)) } conf.Routers[serviceName] = &dynamic.Router{ Middlewares: mds, Priority: route.Priority, EntryPoints: ingressRoute.Spec.EntryPoints, Rule: route.Match, Service: serviceName, } if ingressRoute.Spec.TLS != nil { tlsConf := &dynamic.RouterTLSConfig{ CertResolver: ingressRoute.Spec.TLS.CertResolver, Domains: ingressRoute.Spec.TLS.Domains, } if ingressRoute.Spec.TLS.Options != nil && len(ingressRoute.Spec.TLS.Options.Name) > 0 { tlsOptionsName := ingressRoute.Spec.TLS.Options.Name // Is a Kubernetes CRD reference, (i.e. not a cross-provider reference) ns := ingressRoute.Spec.TLS.Options.Namespace if !strings.Contains(tlsOptionsName, "@") { if len(ns) == 0 { ns = ingressRoute.Namespace } tlsOptionsName = makeID(ns, tlsOptionsName) } else if len(ns) > 0 { logger. WithField("TLSoptions", ingressRoute.Spec.TLS.Options.Name). Warnf("namespace %q is ignored in cross-provider context", ns) } tlsConf.Options = tlsOptionsName } conf.Routers[serviceName].TLS = tlsConf } } } return conf } func createLoadBalancerServerHTTP(client Client, namespace string, service v1alpha1.Service) (*dynamic.Service, error) { servers, err := loadServers(client, namespace, service) if err != nil { return nil, err } // TODO: support other strategies. lb := &dynamic.ServersLoadBalancer{} lb.SetDefaults() lb.Servers = servers lb.PassHostHeader = service.PassHostHeader if lb.PassHostHeader == nil { passHostHeader := true lb.PassHostHeader = &passHostHeader } lb.ResponseForwarding = service.ResponseForwarding return &dynamic.Service{ LoadBalancer: lb, }, nil } func loadServers(client Client, namespace string, svc v1alpha1.Service) ([]dynamic.Server, error) { strategy := svc.Strategy if strategy == "" { strategy = "RoundRobin" } if strategy != "RoundRobin" { return nil, fmt.Errorf("load balancing strategy %v is not supported", strategy) } service, exists, err := client.GetService(namespace, svc.Name) if err != nil { return nil, err } if !exists { return nil, fmt.Errorf("service not found %s/%s", namespace, svc.Name) } var portSpec *corev1.ServicePort for _, p := range service.Spec.Ports { if svc.Port == p.Port { portSpec = &p break } } if portSpec == nil { return nil, errors.New("service port not found") } var servers []dynamic.Server if service.Spec.Type == corev1.ServiceTypeExternalName { servers = append(servers, dynamic.Server{ URL: fmt.Sprintf("http://%s:%d", service.Spec.ExternalName, portSpec.Port), }) } else { endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, svc.Name) if endpointsErr != nil { return nil, endpointsErr } if !endpointsExists { return nil, errors.New("endpoints not found") } if len(endpoints.Subsets) == 0 { return nil, errors.New("subset not found") } var port int32 for _, subset := range endpoints.Subsets { for _, p := range subset.Ports { if portSpec.Name == p.Name { port = p.Port break } } if port == 0 { return nil, errors.New("cannot define a port") } protocol := "http" switch svc.Scheme { case "http", "https", "h2c": protocol = svc.Scheme case "": if portSpec.Port == 443 || strings.HasPrefix(portSpec.Name, "https") { protocol = "https" } default: return nil, fmt.Errorf("invalid scheme %q specified", svc.Scheme) } for _, addr := range subset.Addresses { servers = append(servers, dynamic.Server{ URL: fmt.Sprintf("%s://%s:%d", protocol, addr.IP, port), }) } } } return servers, nil } func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error { if ingressRoute.Spec.TLS == nil { return nil } if ingressRoute.Spec.TLS.SecretName == "" { log.FromContext(ctx).Debugf("No secret name provided") return nil } configKey := ingressRoute.Namespace + "/" + ingressRoute.Spec.TLS.SecretName if _, tlsExists := tlsConfigs[configKey]; !tlsExists { tlsConf, err := getTLS(k8sClient, ingressRoute.Spec.TLS.SecretName, ingressRoute.Namespace) if err != nil { return err } tlsConfigs[configKey] = tlsConf } return nil }