Migration: Steps needed between the versions

v2.0 to v2.1

Kubernetes CRD

In v2.1, a new Kubernetes CRD called TraefikService was added. While updating an installation to v2.1, one should apply that CRD, and update the existing ClusterRole definition to allow Traefik to use that CRD.

To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.

TraefikService

  1. apiVersion: apiextensions.k8s.io/v1beta1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. name: traefikservices.traefik.containo.us
  5. spec:
  6. group: traefik.containo.us
  7. version: v1alpha1
  8. names:
  9. kind: TraefikService
  10. plural: traefikservices
  11. singular: traefikservice
  12. scope: Namespaced

ClusterRole

  1. kind: ClusterRole
  2. apiVersion: rbac.authorization.k8s.io/v1beta1
  3. metadata:
  4. name: traefik-ingress-controller
  5. rules:
  6. - apiGroups:
  7. - ""
  8. resources:
  9. - services
  10. - endpoints
  11. - secrets
  12. verbs:
  13. - get
  14. - list
  15. - watch
  16. - apiGroups:
  17. - extensions
  18. resources:
  19. - ingresses
  20. verbs:
  21. - get
  22. - list
  23. - watch
  24. - apiGroups:
  25. - extensions
  26. resources:
  27. - ingresses/status
  28. verbs:
  29. - update
  30. - apiGroups:
  31. - traefik.containo.us
  32. resources:
  33. - middlewares
  34. - ingressroutes
  35. - traefikservices
  36. - ingressroutetcps
  37. - tlsoptions
  38. verbs:
  39. - get
  40. - list
  41. - watch

After having both resources applied, Traefik will work properly.

v2.1 to v2.2

Headers middleware: accessControlAllowOrigin

accessControlAllowOrigin is deprecated. This field will be removed in future 2.x releases. Please configure your allowed origins in accessControlAllowOriginList instead.

Kubernetes CRD

In v2.2, new Kubernetes CRDs called TLSStore and IngressRouteUDP were added. While updating an installation to v2.2, one should apply that CRDs, and update the existing ClusterRole definition to allow Traefik to use that CRDs.

To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.

TLSStore

  1. apiVersion: apiextensions.k8s.io/v1beta1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. name: tlsstores.traefik.containo.us
  5. spec:
  6. group: traefik.containo.us
  7. version: v1alpha1
  8. names:
  9. kind: TLSStore
  10. plural: tlsstores
  11. singular: tlsstore
  12. scope: Namespaced

IngressRouteUDP

  1. apiVersion: apiextensions.k8s.io/v1beta1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. name: ingressrouteudps.traefik.containo.us
  5. spec:
  6. group: traefik.containo.us
  7. version: v1alpha1
  8. names:
  9. kind: IngressRouteUDP
  10. plural: ingressrouteudps
  11. singular: ingressrouteudp
  12. scope: Namespaced

ClusterRole

  1. kind: ClusterRole
  2. apiVersion: rbac.authorization.k8s.io/v1beta1
  3. metadata:
  4. name: traefik-ingress-controller
  5. rules:
  6. - apiGroups:
  7. - ""
  8. resources:
  9. - services
  10. - endpoints
  11. - secrets
  12. verbs:
  13. - get
  14. - list
  15. - watch
  16. - apiGroups:
  17. - extensions
  18. resources:
  19. - ingresses
  20. verbs:
  21. - get
  22. - list
  23. - watch
  24. - apiGroups:
  25. - extensions
  26. resources:
  27. - ingresses/status
  28. verbs:
  29. - update
  30. - apiGroups:
  31. - traefik.containo.us
  32. resources:
  33. - middlewares
  34. - ingressroutes
  35. - traefikservices
  36. - ingressroutetcps
  37. - ingressrouteudps
  38. - tlsoptions
  39. - tlsstores
  40. verbs:
  41. - get
  42. - list
  43. - watch

After having both resources applied, Traefik will work properly.

Kubernetes Ingress

To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.

Expose an Ingress on 80 and 443

Define the default TLS configuration on the HTTPS entry point.

Ingress

  1. kind: Ingress
  2. apiVersion: networking.k8s.io/v1beta1
  3. metadata:
  4. name: example
  5. spec:
  6. tls:
  7. - secretName: myTlsSecret
  8. rules:
  9. - host: example.com
  10. http:
  11. paths:
  12. - path: "/foo"
  13. backend:
  14. serviceName: example-com
  15. servicePort: 80

Entry points definition and enable Ingress provider:

File (YAML)

  1. # Static configuration
  2. entryPoints:
  3. web:
  4. address: :80
  5. websecure:
  6. address: :443
  7. http:
  8. tls: {}
  9. providers:
  10. kubernetesIngress: {}

File (TOML)

  1. # Static configuration
  2. [entryPoints.web]
  3. address = ":80"
  4. [entryPoints.websecure]
  5. address = ":443"
  6. [entryPoints.websecure.http]
  7. [entryPoints.websecure.http.tls]
  8. [providers.kubernetesIngress]

CLI

  1. # Static configuration
  2. --entryPoints.web.address=:80
  3. --entryPoints.websecure.address=:443
  4. --entryPoints.websecure.http.tls=true
  5. --providers.kubernetesIngress=true

Use TLS only on one Ingress

Define the TLS restriction with annotations.

Ingress

  1. kind: Ingress
  2. apiVersion: networking.k8s.io/v1beta1
  3. metadata:
  4. name: example-tls
  5. annotations:
  6. traefik.ingress.kubernetes.io/router.entrypoints: websecure
  7. traefik.ingress.kubernetes.io/router.tls: "true"
  8. spec:
  9. tls:
  10. - secretName: myTlsSecret
  11. rules:
  12. - host: example.com
  13. http:
  14. paths:
  15. - path: ""
  16. backend:
  17. serviceName: example-com
  18. servicePort: 80

Entry points definition and enable Ingress provider:

File (YAML)

  1. # Static configuration
  2. entryPoints:
  3. web:
  4. address: :80
  5. websecure:
  6. address: :443
  7. providers:
  8. kubernetesIngress: {}

File (TOML)

  1. # Static configuration
  2. [entryPoints.web]
  3. address = ":80"
  4. [entryPoints.websecure]
  5. address = ":443"
  6. [providers.kubernetesIngress]

CLI

  1. # Static configuration
  2. --entryPoints.web.address=:80
  3. --entryPoints.websecure.address=:443
  4. --providers.kubernetesIngress=true

v2.2.2 to v2.2.5

InsecureSNI removal

In v2.2.2 we introduced a new flag (insecureSNI) which was available as a global option to disable domain fronting. Since v2.2.5 this global option has been removed, and you should not use it anymore.

HostSNI rule matcher removal

In v2.2.2 we introduced a new rule matcher (HostSNI) for HTTP routers which was allowing to match the Server Name Indication at the router level. Since v2.2.5 this rule has been removed for HTTP routers, and you should not use it anymore.

v2.2 to v2.3

X.509 CommonName Deprecation

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.

It means that if one is using https with your backend servers, and a certificate with only a CommonName, Traefik will not try to match the server name indication with the CommonName anymore.

It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable.

More information: https://golang.org/doc/go1.15#commonname

File Provider

The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.

IngressClass

In v2.3, the support of IngressClass, which is available since Kubernetes version 1.18, has been introduced. In order to be able to use this new resource the Kubernetes RBAC must be updated.