924 lines
50 KiB
YAML
924 lines
50 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.13.0
|
|
name: middlewares.traefik.io
|
|
spec:
|
|
group: traefik.io
|
|
names:
|
|
kind: Middleware
|
|
listKind: MiddlewareList
|
|
plural: middlewares
|
|
singular: middleware
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: 'Middleware is the CRD implementation of a Traefik Middleware.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: MiddlewareSpec defines the desired state of a Middleware.
|
|
properties:
|
|
addPrefix:
|
|
description: 'AddPrefix holds the add prefix middleware configuration.
|
|
This middleware updates the path of a request before forwarding
|
|
it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
|
|
properties:
|
|
prefix:
|
|
description: Prefix is the string to add before the current path
|
|
in the requested URL. It should include a leading slash (/).
|
|
type: string
|
|
type: object
|
|
basicAuth:
|
|
description: 'BasicAuth holds the basic auth middleware configuration.
|
|
This middleware restricts access to your services to known users.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
|
|
properties:
|
|
headerField:
|
|
description: 'HeaderField defines a header field to store the
|
|
authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
|
|
type: string
|
|
realm:
|
|
description: 'Realm allows the protected resources on a server
|
|
to be partitioned into a set of protection spaces, each with
|
|
its own authentication scheme. Default: traefik.'
|
|
type: string
|
|
removeHeader:
|
|
description: 'RemoveHeader sets the removeHeader option to true
|
|
to remove the authorization header before forwarding the request
|
|
to your service. Default: false.'
|
|
type: boolean
|
|
secret:
|
|
description: Secret is the name of the referenced Kubernetes Secret
|
|
containing user credentials.
|
|
type: string
|
|
type: object
|
|
buffering:
|
|
description: 'Buffering holds the buffering middleware configuration.
|
|
This middleware retries or limits the size of requests that can
|
|
be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
|
|
properties:
|
|
maxRequestBodyBytes:
|
|
description: 'MaxRequestBodyBytes defines the maximum allowed
|
|
body size for the request (in bytes). If the request exceeds
|
|
the allowed size, it is not forwarded to the service, and the
|
|
client gets a 413 (Request Entity Too Large) response. Default:
|
|
0 (no maximum).'
|
|
format: int64
|
|
type: integer
|
|
maxResponseBodyBytes:
|
|
description: 'MaxResponseBodyBytes defines the maximum allowed
|
|
response size from the service (in bytes). If the response exceeds
|
|
the allowed size, it is not forwarded to the client. The client
|
|
gets a 500 (Internal Server Error) response instead. Default:
|
|
0 (no maximum).'
|
|
format: int64
|
|
type: integer
|
|
memRequestBodyBytes:
|
|
description: 'MemRequestBodyBytes defines the threshold (in bytes)
|
|
from which the request will be buffered on disk instead of in
|
|
memory. Default: 1048576 (1Mi).'
|
|
format: int64
|
|
type: integer
|
|
memResponseBodyBytes:
|
|
description: 'MemResponseBodyBytes defines the threshold (in bytes)
|
|
from which the response will be buffered on disk instead of
|
|
in memory. Default: 1048576 (1Mi).'
|
|
format: int64
|
|
type: integer
|
|
retryExpression:
|
|
description: 'RetryExpression defines the retry conditions. It
|
|
is a logical combination of functions with operators AND (&&)
|
|
and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
|
|
type: string
|
|
type: object
|
|
chain:
|
|
description: 'Chain holds the configuration of the chain middleware.
|
|
This middleware enables to define reusable combinations of other
|
|
pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
|
|
properties:
|
|
middlewares:
|
|
description: Middlewares is the list of MiddlewareRef which composes
|
|
the chain.
|
|
items:
|
|
description: MiddlewareRef is a reference to a Middleware resource.
|
|
properties:
|
|
name:
|
|
description: Name defines the name of the referenced Middleware
|
|
resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace defines the namespace of the referenced
|
|
Middleware resource.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
circuitBreaker:
|
|
description: CircuitBreaker holds the circuit breaker configuration.
|
|
properties:
|
|
checkPeriod:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CheckPeriod is the interval between successive checks
|
|
of the circuit breaker condition (when in standby state).
|
|
x-kubernetes-int-or-string: true
|
|
expression:
|
|
description: Expression is the condition that triggers the tripped
|
|
state.
|
|
type: string
|
|
fallbackDuration:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: FallbackDuration is the duration for which the circuit
|
|
breaker will wait before trying to recover (from a tripped state).
|
|
x-kubernetes-int-or-string: true
|
|
recoveryDuration:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: RecoveryDuration is the duration for which the circuit
|
|
breaker will try to recover (as soon as it is in recovering
|
|
state).
|
|
x-kubernetes-int-or-string: true
|
|
type: object
|
|
compress:
|
|
description: 'Compress holds the compress middleware configuration.
|
|
This middleware compresses responses before sending them to the
|
|
client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
|
|
properties:
|
|
excludedContentTypes:
|
|
description: ExcludedContentTypes defines the list of content
|
|
types to compare the Content-Type header of the incoming requests
|
|
and responses before compressing. `application/grpc` is always
|
|
excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
minResponseBodyBytes:
|
|
description: 'MinResponseBodyBytes defines the minimum amount
|
|
of bytes a response body must have to be compressed. Default:
|
|
1024.'
|
|
type: integer
|
|
type: object
|
|
contentType:
|
|
description: ContentType holds the content-type middleware configuration.
|
|
This middleware sets the `Content-Type` header value to the media
|
|
type detected from the response content, when it is not set by the
|
|
backend.
|
|
type: object
|
|
digestAuth:
|
|
description: 'DigestAuth holds the digest auth middleware configuration.
|
|
This middleware restricts access to your services to known users.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
|
|
properties:
|
|
headerField:
|
|
description: 'HeaderField defines a header field to store the
|
|
authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
|
|
type: string
|
|
realm:
|
|
description: 'Realm allows the protected resources on a server
|
|
to be partitioned into a set of protection spaces, each with
|
|
its own authentication scheme. Default: traefik.'
|
|
type: string
|
|
removeHeader:
|
|
description: RemoveHeader defines whether to remove the authorization
|
|
header before forwarding the request to the backend.
|
|
type: boolean
|
|
secret:
|
|
description: Secret is the name of the referenced Kubernetes Secret
|
|
containing user credentials.
|
|
type: string
|
|
type: object
|
|
errors:
|
|
description: 'ErrorPage holds the custom error middleware configuration.
|
|
This middleware returns a custom page in lieu of the default, according
|
|
to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
|
|
properties:
|
|
query:
|
|
description: Query defines the URL for the error page (hosted
|
|
by service). The {status} variable can be used in order to insert
|
|
the status code in the URL.
|
|
type: string
|
|
service:
|
|
description: 'Service defines the reference to a Kubernetes Service
|
|
that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
|
|
properties:
|
|
kind:
|
|
description: Kind defines the kind of the Service.
|
|
enum:
|
|
- Service
|
|
- TraefikService
|
|
type: string
|
|
name:
|
|
description: Name defines the name of the referenced Kubernetes
|
|
Service or TraefikService. The differentiation between the
|
|
two is specified in the Kind field.
|
|
type: string
|
|
namespace:
|
|
description: Namespace defines the namespace of the referenced
|
|
Kubernetes Service or TraefikService.
|
|
type: string
|
|
nativeLB:
|
|
description: NativeLB controls, when creating the load-balancer,
|
|
whether the LB's children are directly the pods IPs or if
|
|
the only child is the Kubernetes Service clusterIP. The
|
|
Kubernetes Service itself does load-balance to the pods.
|
|
By default, NativeLB is false.
|
|
type: boolean
|
|
passHostHeader:
|
|
description: PassHostHeader defines whether the client Host
|
|
header is forwarded to the upstream Kubernetes Service.
|
|
By default, passHostHeader is true.
|
|
type: boolean
|
|
port:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: Port defines the port of a Kubernetes Service.
|
|
This can be a reference to a named port.
|
|
x-kubernetes-int-or-string: true
|
|
responseForwarding:
|
|
description: ResponseForwarding defines how Traefik forwards
|
|
the response from the upstream Kubernetes Service to the
|
|
client.
|
|
properties:
|
|
flushInterval:
|
|
description: 'FlushInterval defines the interval, in milliseconds,
|
|
in between flushes to the client while copying the response
|
|
body. A negative value means to flush immediately after
|
|
each write to the client. This configuration is ignored
|
|
when ReverseProxy recognizes a response as a streaming
|
|
response; for such responses, writes are flushed to
|
|
the client immediately. Default: 100ms'
|
|
type: string
|
|
type: object
|
|
scheme:
|
|
description: Scheme defines the scheme to use for the request
|
|
to the upstream Kubernetes Service. It defaults to https
|
|
when Kubernetes Service port is 443, http otherwise.
|
|
type: string
|
|
serversTransport:
|
|
description: ServersTransport defines the name of ServersTransport
|
|
resource to use. It allows to configure the transport between
|
|
Traefik and your servers. Can only be used on a Kubernetes
|
|
Service.
|
|
type: string
|
|
sticky:
|
|
description: 'Sticky defines the sticky sessions configuration.
|
|
More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
|
|
properties:
|
|
cookie:
|
|
description: Cookie defines the sticky cookie configuration.
|
|
properties:
|
|
httpOnly:
|
|
description: HTTPOnly defines whether the cookie can
|
|
be accessed by client-side APIs, such as JavaScript.
|
|
type: boolean
|
|
name:
|
|
description: Name defines the Cookie name.
|
|
type: string
|
|
sameSite:
|
|
description: 'SameSite defines the same site policy.
|
|
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
|
type: string
|
|
secure:
|
|
description: Secure defines whether the cookie can
|
|
only be transmitted over an encrypted connection
|
|
(i.e. HTTPS).
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
strategy:
|
|
description: Strategy defines the load balancing strategy
|
|
between the servers. RoundRobin is the only supported value
|
|
at the moment.
|
|
type: string
|
|
weight:
|
|
description: Weight defines the weight and should only be
|
|
specified when Name references a TraefikService object (and
|
|
to be precise, one that embeds a Weighted Round Robin).
|
|
type: integer
|
|
required:
|
|
- name
|
|
type: object
|
|
status:
|
|
description: Status defines which status or range of statuses
|
|
should result in an error page. It can be either a status code
|
|
as a number (500), as multiple comma-separated numbers (500,502),
|
|
as ranges by separating two codes with a dash (500-599), or
|
|
a combination of the two (404,418,500-599).
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
forwardAuth:
|
|
description: 'ForwardAuth holds the forward auth middleware configuration.
|
|
This middleware delegates the request authentication to a Service.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
|
|
properties:
|
|
address:
|
|
description: Address defines the authentication server address.
|
|
type: string
|
|
authRequestHeaders:
|
|
description: AuthRequestHeaders defines the list of the headers
|
|
to copy from the request to the authentication server. If not
|
|
set or empty then all request headers are passed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
authResponseHeaders:
|
|
description: AuthResponseHeaders defines the list of headers to
|
|
copy from the authentication server response and set on forwarded
|
|
request, replacing any existing conflicting headers.
|
|
items:
|
|
type: string
|
|
type: array
|
|
authResponseHeadersRegex:
|
|
description: 'AuthResponseHeadersRegex defines the regex to match
|
|
headers to copy from the authentication server response and
|
|
set on forwarded request, after stripping all headers that match
|
|
the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
|
|
type: string
|
|
tls:
|
|
description: TLS defines the configuration used to secure the
|
|
connection to the authentication server.
|
|
properties:
|
|
caSecret:
|
|
description: CASecret is the name of the referenced Kubernetes
|
|
Secret containing the CA to validate the server certificate.
|
|
The CA certificate is extracted from key `tls.ca` or `ca.crt`.
|
|
type: string
|
|
certSecret:
|
|
description: CertSecret is the name of the referenced Kubernetes
|
|
Secret containing the client certificate. The client certificate
|
|
is extracted from the keys `tls.crt` and `tls.key`.
|
|
type: string
|
|
insecureSkipVerify:
|
|
description: InsecureSkipVerify defines whether the server
|
|
certificates should be validated.
|
|
type: boolean
|
|
type: object
|
|
trustForwardHeader:
|
|
description: 'TrustForwardHeader defines whether to trust (ie:
|
|
forward) all X-Forwarded-* headers.'
|
|
type: boolean
|
|
type: object
|
|
grpcWeb:
|
|
description: GrpcWeb holds the gRPC web middleware configuration.
|
|
This middleware converts a gRPC web request to an HTTP/2 gRPC request.
|
|
properties:
|
|
allowOrigins:
|
|
description: AllowOrigins is a list of allowable origins. Can
|
|
also be a wildcard origin "*".
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
headers:
|
|
description: 'Headers holds the headers middleware configuration.
|
|
This middleware manages the requests and responses headers. More
|
|
info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
|
|
properties:
|
|
accessControlAllowCredentials:
|
|
description: AccessControlAllowCredentials defines whether the
|
|
request can include user credentials.
|
|
type: boolean
|
|
accessControlAllowHeaders:
|
|
description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
|
|
values sent in preflight response.
|
|
items:
|
|
type: string
|
|
type: array
|
|
accessControlAllowMethods:
|
|
description: AccessControlAllowMethods defines the Access-Control-Request-Method
|
|
values sent in preflight response.
|
|
items:
|
|
type: string
|
|
type: array
|
|
accessControlAllowOriginList:
|
|
description: AccessControlAllowOriginList is a list of allowable
|
|
origins. Can also be a wildcard origin "*".
|
|
items:
|
|
type: string
|
|
type: array
|
|
accessControlAllowOriginListRegex:
|
|
description: AccessControlAllowOriginListRegex is a list of allowable
|
|
origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
|
|
items:
|
|
type: string
|
|
type: array
|
|
accessControlExposeHeaders:
|
|
description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
|
|
values sent in preflight response.
|
|
items:
|
|
type: string
|
|
type: array
|
|
accessControlMaxAge:
|
|
description: AccessControlMaxAge defines the time that a preflight
|
|
request may be cached.
|
|
format: int64
|
|
type: integer
|
|
addVaryHeader:
|
|
description: AddVaryHeader defines whether the Vary header is
|
|
automatically added/updated when the AccessControlAllowOriginList
|
|
is set.
|
|
type: boolean
|
|
allowedHosts:
|
|
description: AllowedHosts defines the fully qualified list of
|
|
allowed domain names.
|
|
items:
|
|
type: string
|
|
type: array
|
|
browserXssFilter:
|
|
description: BrowserXSSFilter defines whether to add the X-XSS-Protection
|
|
header with the value 1; mode=block.
|
|
type: boolean
|
|
contentSecurityPolicy:
|
|
description: ContentSecurityPolicy defines the Content-Security-Policy
|
|
header value.
|
|
type: string
|
|
contentTypeNosniff:
|
|
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
|
header with the nosniff value.
|
|
type: boolean
|
|
customBrowserXSSValue:
|
|
description: CustomBrowserXSSValue defines the X-XSS-Protection
|
|
header value. This overrides the BrowserXssFilter option.
|
|
type: string
|
|
customFrameOptionsValue:
|
|
description: CustomFrameOptionsValue defines the X-Frame-Options
|
|
header value. This overrides the FrameDeny option.
|
|
type: string
|
|
customRequestHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
description: CustomRequestHeaders defines the header names and
|
|
values to apply to the request.
|
|
type: object
|
|
customResponseHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
description: CustomResponseHeaders defines the header names and
|
|
values to apply to the response.
|
|
type: object
|
|
forceSTSHeader:
|
|
description: ForceSTSHeader defines whether to add the STS header
|
|
even when the connection is HTTP.
|
|
type: boolean
|
|
frameDeny:
|
|
description: FrameDeny defines whether to add the X-Frame-Options
|
|
header with the DENY value.
|
|
type: boolean
|
|
hostsProxyHeaders:
|
|
description: HostsProxyHeaders defines the header keys that may
|
|
hold a proxied hostname value for the request.
|
|
items:
|
|
type: string
|
|
type: array
|
|
isDevelopment:
|
|
description: IsDevelopment defines whether to mitigate the unwanted
|
|
effects of the AllowedHosts, SSL, and STS options when developing.
|
|
Usually testing takes place using HTTP, not HTTPS, and on localhost,
|
|
not your production domain. If you would like your development
|
|
environment to mimic production with complete Host blocking,
|
|
SSL redirects, and STS headers, leave this as false.
|
|
type: boolean
|
|
permissionsPolicy:
|
|
description: PermissionsPolicy defines the Permissions-Policy
|
|
header value. This allows sites to control browser features.
|
|
type: string
|
|
publicKey:
|
|
description: PublicKey is the public key that implements HPKP
|
|
to prevent MITM attacks with forged certificates.
|
|
type: string
|
|
referrerPolicy:
|
|
description: ReferrerPolicy defines the Referrer-Policy header
|
|
value. This allows sites to control whether browsers forward
|
|
the Referer header to other sites.
|
|
type: string
|
|
sslProxyHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'SSLProxyHeaders defines the header keys with associated
|
|
values that would indicate a valid HTTPS request. It can be
|
|
useful when using other proxies (example: "X-Forwarded-Proto":
|
|
"https").'
|
|
type: object
|
|
stsIncludeSubdomains:
|
|
description: STSIncludeSubdomains defines whether the includeSubDomains
|
|
directive is appended to the Strict-Transport-Security header.
|
|
type: boolean
|
|
stsPreload:
|
|
description: STSPreload defines whether the preload flag is appended
|
|
to the Strict-Transport-Security header.
|
|
type: boolean
|
|
stsSeconds:
|
|
description: STSSeconds defines the max-age of the Strict-Transport-Security
|
|
header. If set to 0, the header is not set.
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
inFlightReq:
|
|
description: 'InFlightReq holds the in-flight request middleware configuration.
|
|
This middleware limits the number of requests being processed and
|
|
served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
|
|
properties:
|
|
amount:
|
|
description: Amount defines the maximum amount of allowed simultaneous
|
|
in-flight request. The middleware responds with HTTP 429 Too
|
|
Many Requests if there are already amount requests in progress
|
|
(based on the same sourceCriterion strategy).
|
|
format: int64
|
|
type: integer
|
|
sourceCriterion:
|
|
description: 'SourceCriterion defines what criterion is used to
|
|
group requests as originating from a common source. If several
|
|
strategies are defined at the same time, an error will be raised.
|
|
If none are set, the default is to use the requestHost. More
|
|
info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
|
|
properties:
|
|
ipStrategy:
|
|
description: 'IPStrategy holds the IP strategy configuration
|
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
|
|
properties:
|
|
depth:
|
|
description: Depth tells Traefik to use the X-Forwarded-For
|
|
header and take the IP located at the depth position
|
|
(starting from the right).
|
|
type: integer
|
|
excludedIPs:
|
|
description: ExcludedIPs configures Traefik to scan the
|
|
X-Forwarded-For header and select the first IP not in
|
|
the list.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
requestHeaderName:
|
|
description: RequestHeaderName defines the name of the header
|
|
used to group incoming requests.
|
|
type: string
|
|
requestHost:
|
|
description: RequestHost defines whether to consider the request
|
|
Host as the source.
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
ipAllowList:
|
|
description: 'IPAllowList holds the IP allowlist middleware configuration.
|
|
This middleware accepts / refuses requests based on the client IP.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
|
|
properties:
|
|
ipStrategy:
|
|
description: 'IPStrategy holds the IP strategy configuration used
|
|
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
|
|
properties:
|
|
depth:
|
|
description: Depth tells Traefik to use the X-Forwarded-For
|
|
header and take the IP located at the depth position (starting
|
|
from the right).
|
|
type: integer
|
|
excludedIPs:
|
|
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
|
|
header and select the first IP not in the list.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
rejectStatusCode:
|
|
description: RejectStatusCode defines the HTTP status code used
|
|
for refused requests. If not set, the default is 403 (Forbidden).
|
|
type: integer
|
|
sourceRange:
|
|
description: SourceRange defines the set of allowed IPs (or ranges
|
|
of allowed IPs by using CIDR notation).
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
ipWhiteList:
|
|
description: 'Deprecated: please use IPAllowList instead.'
|
|
properties:
|
|
ipStrategy:
|
|
description: 'IPStrategy holds the IP strategy configuration used
|
|
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
|
|
properties:
|
|
depth:
|
|
description: Depth tells Traefik to use the X-Forwarded-For
|
|
header and take the IP located at the depth position (starting
|
|
from the right).
|
|
type: integer
|
|
excludedIPs:
|
|
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
|
|
header and select the first IP not in the list.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
sourceRange:
|
|
description: SourceRange defines the set of allowed IPs (or ranges
|
|
of allowed IPs by using CIDR notation).
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
passTLSClientCert:
|
|
description: 'PassTLSClientCert holds the pass TLS client cert middleware
|
|
configuration. This middleware adds the selected data from the passed
|
|
client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
|
|
properties:
|
|
info:
|
|
description: Info selects the specific client certificate details
|
|
you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
|
properties:
|
|
issuer:
|
|
description: Issuer defines the client certificate issuer
|
|
details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
|
properties:
|
|
commonName:
|
|
description: CommonName defines whether to add the organizationalUnit
|
|
information into the issuer.
|
|
type: boolean
|
|
country:
|
|
description: Country defines whether to add the country
|
|
information into the issuer.
|
|
type: boolean
|
|
domainComponent:
|
|
description: DomainComponent defines whether to add the
|
|
domainComponent information into the issuer.
|
|
type: boolean
|
|
locality:
|
|
description: Locality defines whether to add the locality
|
|
information into the issuer.
|
|
type: boolean
|
|
organization:
|
|
description: Organization defines whether to add the organization
|
|
information into the issuer.
|
|
type: boolean
|
|
province:
|
|
description: Province defines whether to add the province
|
|
information into the issuer.
|
|
type: boolean
|
|
serialNumber:
|
|
description: SerialNumber defines whether to add the serialNumber
|
|
information into the issuer.
|
|
type: boolean
|
|
type: object
|
|
notAfter:
|
|
description: NotAfter defines whether to add the Not After
|
|
information from the Validity part.
|
|
type: boolean
|
|
notBefore:
|
|
description: NotBefore defines whether to add the Not Before
|
|
information from the Validity part.
|
|
type: boolean
|
|
sans:
|
|
description: Sans defines whether to add the Subject Alternative
|
|
Name information from the Subject Alternative Name part.
|
|
type: boolean
|
|
serialNumber:
|
|
description: SerialNumber defines whether to add the client
|
|
serialNumber information.
|
|
type: boolean
|
|
subject:
|
|
description: Subject defines the client certificate subject
|
|
details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
|
properties:
|
|
commonName:
|
|
description: CommonName defines whether to add the organizationalUnit
|
|
information into the subject.
|
|
type: boolean
|
|
country:
|
|
description: Country defines whether to add the country
|
|
information into the subject.
|
|
type: boolean
|
|
domainComponent:
|
|
description: DomainComponent defines whether to add the
|
|
domainComponent information into the subject.
|
|
type: boolean
|
|
locality:
|
|
description: Locality defines whether to add the locality
|
|
information into the subject.
|
|
type: boolean
|
|
organization:
|
|
description: Organization defines whether to add the organization
|
|
information into the subject.
|
|
type: boolean
|
|
organizationalUnit:
|
|
description: OrganizationalUnit defines whether to add
|
|
the organizationalUnit information into the subject.
|
|
type: boolean
|
|
province:
|
|
description: Province defines whether to add the province
|
|
information into the subject.
|
|
type: boolean
|
|
serialNumber:
|
|
description: SerialNumber defines whether to add the serialNumber
|
|
information into the subject.
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
pem:
|
|
description: PEM sets the X-Forwarded-Tls-Client-Cert header with
|
|
the certificate.
|
|
type: boolean
|
|
type: object
|
|
plugin:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: 'Plugin defines the middleware plugin configuration.
|
|
More info: https://doc.traefik.io/traefik/plugins/'
|
|
type: object
|
|
rateLimit:
|
|
description: 'RateLimit holds the rate limit configuration. This middleware
|
|
ensures that services will receive a fair amount of requests, and
|
|
allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
|
|
properties:
|
|
average:
|
|
description: Average is the maximum rate, by default in requests/s,
|
|
allowed for the given source. It defaults to 0, which means
|
|
no rate limiting. The rate is actually defined by dividing Average
|
|
by Period. So for a rate below 1req/s, one needs to define a
|
|
Period larger than a second.
|
|
format: int64
|
|
type: integer
|
|
burst:
|
|
description: Burst is the maximum number of requests allowed to
|
|
arrive in the same arbitrarily small period of time. It defaults
|
|
to 1.
|
|
format: int64
|
|
type: integer
|
|
period:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: 'Period, in combination with Average, defines the
|
|
actual maximum rate, such as: r = Average / Period. It defaults
|
|
to a second.'
|
|
x-kubernetes-int-or-string: true
|
|
sourceCriterion:
|
|
description: SourceCriterion defines what criterion is used to
|
|
group requests as originating from a common source. If several
|
|
strategies are defined at the same time, an error will be raised.
|
|
If none are set, the default is to use the request's remote
|
|
address field (as an ipStrategy).
|
|
properties:
|
|
ipStrategy:
|
|
description: 'IPStrategy holds the IP strategy configuration
|
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
|
|
properties:
|
|
depth:
|
|
description: Depth tells Traefik to use the X-Forwarded-For
|
|
header and take the IP located at the depth position
|
|
(starting from the right).
|
|
type: integer
|
|
excludedIPs:
|
|
description: ExcludedIPs configures Traefik to scan the
|
|
X-Forwarded-For header and select the first IP not in
|
|
the list.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
requestHeaderName:
|
|
description: RequestHeaderName defines the name of the header
|
|
used to group incoming requests.
|
|
type: string
|
|
requestHost:
|
|
description: RequestHost defines whether to consider the request
|
|
Host as the source.
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
redirectRegex:
|
|
description: 'RedirectRegex holds the redirect regex middleware configuration.
|
|
This middleware redirects a request using regex matching and replacement.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
|
|
properties:
|
|
permanent:
|
|
description: Permanent defines whether the redirection is permanent
|
|
(301).
|
|
type: boolean
|
|
regex:
|
|
description: Regex defines the regex used to match and capture
|
|
elements from the request URL.
|
|
type: string
|
|
replacement:
|
|
description: Replacement defines how to modify the URL to have
|
|
the new target URL.
|
|
type: string
|
|
type: object
|
|
redirectScheme:
|
|
description: 'RedirectScheme holds the redirect scheme middleware
|
|
configuration. This middleware redirects requests from a scheme/port
|
|
to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
|
|
properties:
|
|
permanent:
|
|
description: Permanent defines whether the redirection is permanent
|
|
(301).
|
|
type: boolean
|
|
port:
|
|
description: Port defines the port of the new URL.
|
|
type: string
|
|
scheme:
|
|
description: Scheme defines the scheme of the new URL.
|
|
type: string
|
|
type: object
|
|
replacePath:
|
|
description: 'ReplacePath holds the replace path middleware configuration.
|
|
This middleware replaces the path of the request URL and store the
|
|
original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
|
|
properties:
|
|
path:
|
|
description: Path defines the path to use as replacement in the
|
|
request URL.
|
|
type: string
|
|
type: object
|
|
replacePathRegex:
|
|
description: 'ReplacePathRegex holds the replace path regex middleware
|
|
configuration. This middleware replaces the path of a URL using
|
|
regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
|
|
properties:
|
|
regex:
|
|
description: Regex defines the regular expression used to match
|
|
and capture the path from the request URL.
|
|
type: string
|
|
replacement:
|
|
description: Replacement defines the replacement path format,
|
|
which can include captured variables.
|
|
type: string
|
|
type: object
|
|
retry:
|
|
description: 'Retry holds the retry middleware configuration. This
|
|
middleware reissues requests a given number of times to a backend
|
|
server if that server does not reply. As soon as the server answers,
|
|
the middleware stops retrying, regardless of the response status.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
|
|
properties:
|
|
attempts:
|
|
description: Attempts defines how many times the request should
|
|
be retried.
|
|
type: integer
|
|
initialInterval:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: InitialInterval defines the first wait time in the
|
|
exponential backoff series. The maximum interval is calculated
|
|
as twice the initialInterval. If unspecified, requests will
|
|
be retried immediately. The value of initialInterval should
|
|
be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
|
|
x-kubernetes-int-or-string: true
|
|
type: object
|
|
stripPrefix:
|
|
description: 'StripPrefix holds the strip prefix middleware configuration.
|
|
This middleware removes the specified prefixes from the URL path.
|
|
More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
|
|
properties:
|
|
prefixes:
|
|
description: Prefixes defines the prefixes to strip from the request
|
|
URL.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
stripPrefixRegex:
|
|
description: 'StripPrefixRegex holds the strip prefix regex middleware
|
|
configuration. This middleware removes the matching prefixes from
|
|
the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
|
|
properties:
|
|
regex:
|
|
description: Regex defines the regular expression to match the
|
|
path prefix from the request URL.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
required:
|
|
- metadata
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|