我的书签
添加书签
移除书签Traefik & Kubernetes
The Kubernetes Ingress Controller, The Custom Resource Way.
Configuration Examples
Configuring KubernetesCRD and Deploying/Exposing Services
Resource Definition
# All resources definition must be declared---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: ingressroutes.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRoutelistKind: IngressRouteListplural: ingressroutessingular: ingressroutescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRoute is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteSpec is a specification for a IngressRouteSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: Route contains the set of routes.properties:kind:enum:- Ruletype: stringmatch:type: stringmiddlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraypriority:type: integerservices:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). Thedifferentiation between the two is specified in theKind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configurationbased on cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Namereferences a TraefikService object (and to be precise,one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayrequired:- kind- matchtype: objecttype: arraytls:description: "TLS contains the TLS certificates configuration of theroutes. To enable Let's Encrypt, use an empty TLS struct, e.g. inYAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectsecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: ingressroutetcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteTCPlistKind: IngressRouteTCPListplural: ingressroutetcpssingular: ingressroutetcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteTCP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteTCP contains the set of routes.properties:match:type: stringmiddlewares:description: Middlewares contains references to MiddlewareTCPresources.items:description: ObjectReference is a generic reference to a Traefikresource.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arrayservices:items:description: ServiceTCP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueproxyProtocol:description: ProxyProtocol holds the ProxyProtocol configuration.properties:version:type: integertype: objectterminationDelay:type: integerweight:type: integerrequired:- name- porttype: objecttype: arrayrequired:- matchtype: objecttype: arraytls:description: "TLSTCP contains the TLS certificates configuration ofthe routes. To enable Let's Encrypt, use an empty TLS struct, e.g.in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectpassthrough:type: booleansecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: ingressrouteudps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteUDPlistKind: IngressRouteUDPListplural: ingressrouteudpssingular: ingressrouteudpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteUDP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteUDP contains the set of routes.properties:services:items:description: ServiceUDP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueweight:type: integerrequired:- name- porttype: objecttype: arraytype: objecttype: arrayrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: middlewares.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewarelistKind: MiddlewareListplural: middlewaressingular: middlewarescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: Middleware is a specification for a Middleware resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareSpec holds the Middleware configuration.properties:addPrefix:description: AddPrefix holds the AddPrefix configuration.properties:prefix:type: stringtype: objectbasicAuth:description: BasicAuth holds the HTTP basic authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objectbuffering:description: Buffering holds the request/response buffering configuration.properties:maxRequestBodyBytes:format: int64type: integermaxResponseBodyBytes:format: int64type: integermemRequestBodyBytes:format: int64type: integermemResponseBodyBytes:format: int64type: integerretryExpression:type: stringtype: objectchain:description: Chain holds a chain of middlewares.properties:middlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraytype: objectcircuitBreaker:description: CircuitBreaker holds the circuit breaker configuration.properties:expression:type: stringtype: objectcompress:description: Compress holds the compress configuration.properties:excludedContentTypes:items:type: stringtype: arrayminResponseBodyBytes:type: integertype: objectcontentType:description: ContentType middleware - or rather its unique `autoDetect`option - specifies whether to let the `Content-Type` header, ifit has not been set by the backend, be automatically set to a valuederived from the contents of the response. As a proxy, the defaultbehavior should be to leave the header alone, regardless of whatthe backend did with it. However, the historic default was to alwaysauto-detect and set the header if it was nil, and it is going tobe kept that way in order to support users currently relying onit. This middleware exists to enable the correct behavior untilat least the default one can be changed in a future version.properties:autoDetect:type: booleantype: objectdigestAuth:description: DigestAuth holds the Digest HTTP authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objecterrors:description: ErrorPage holds the custom error page configuration.properties:query:type: stringservice:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for theforward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectstatus:items:type: stringtype: arraytype: objectforwardAuth:description: ForwardAuth holds the http forward authentication configuration.properties:address:type: stringauthRequestHeaders:items:type: stringtype: arrayauthResponseHeaders:items:type: stringtype: arrayauthResponseHeadersRegex:type: stringtls:description: ClientTLS holds TLS specific configurations as client.properties:caOptional:type: booleancaSecret:type: stringcertSecret:type: stringinsecureSkipVerify:type: booleantype: objecttrustForwardHeader:type: booleantype: objectheaders:description: Headers holds the custom header configuration.properties:accessControlAllowCredentials:description: AccessControlAllowCredentials is only valid if true.false is ignored.type: booleanaccessControlAllowHeaders:description: AccessControlAllowHeaders must be used in responseto a preflight request with Access-Control-Request-Headers set.items:type: stringtype: arrayaccessControlAllowMethods:description: AccessControlAllowMethods must be used in responseto a preflight request with Access-Control-Request-Method set.items:type: stringtype: arrayaccessControlAllowOriginList:description: AccessControlAllowOriginList is a list of allowableorigins. Can also be a wildcard origin "*".items:type: stringtype: arrayaccessControlAllowOriginListRegex:description: AccessControlAllowOriginListRegex is a list of allowableorigins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).items:type: stringtype: arrayaccessControlExposeHeaders:description: AccessControlExposeHeaders sets valid headers forthe response.items:type: stringtype: arrayaccessControlMaxAge:description: AccessControlMaxAge sets the time that a preflightrequest may be cached.format: int64type: integeraddVaryHeader:description: AddVaryHeader controls if the Vary header is automaticallyadded/updated when the AccessControlAllowOriginList is set.type: booleanallowedHosts:items:type: stringtype: arraybrowserXssFilter:type: booleancontentSecurityPolicy:type: stringcontentTypeNosniff:type: booleancustomBrowserXSSValue:type: stringcustomFrameOptionsValue:type: stringcustomRequestHeaders:additionalProperties:type: stringtype: objectcustomResponseHeaders:additionalProperties:type: stringtype: objectfeaturePolicy:description: 'Deprecated: use PermissionsPolicy instead.'type: stringforceSTSHeader:type: booleanframeDeny:type: booleanhostsProxyHeaders:items:type: stringtype: arrayisDevelopment:type: booleanpermissionsPolicy:type: stringpublicKey:type: stringreferrerPolicy:type: stringsslForceHost:description: 'Deprecated: use RedirectRegex instead.'type: booleansslHost:description: 'Deprecated: use RedirectRegex instead.'type: stringsslProxyHeaders:additionalProperties:type: stringtype: objectsslRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleansslTemporaryRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleanstsIncludeSubdomains:type: booleanstsPreload:type: booleanstsSeconds:format: int64type: integertype: objectinFlightReq:description: InFlightReq limits the number of requests being processedand served concurrently.properties:amount:format: int64type: integersourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectipWhiteList:description: IPWhiteList holds the ip white list configuration.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectsourceRange:items:type: stringtype: arraytype: objectpassTLSClientCert:description: PassTLSClientCert holds the TLS client cert headers configuration.properties:info:description: TLSClientCertificateInfo holds the client TLS certificateinfo configuration.properties:issuer:description: TLSClientCertificateIssuerDNInfo holds the clientTLS certificate distinguished name info configuration. cfhttps://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanprovince:type: booleanserialNumber:type: booleantype: objectnotAfter:type: booleannotBefore:type: booleansans:type: booleanserialNumber:type: booleansubject:description: TLSClientCertificateSubjectDNInfo holds the clientTLS certificate distinguished name info configuration. cfhttps://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanorganizationalUnit:type: booleanprovince:type: booleanserialNumber:type: booleantype: objecttype: objectpem:type: booleantype: objectplugin:additionalProperties:x-kubernetes-preserve-unknown-fields: truetype: objectrateLimit:description: RateLimit holds the rate limiting configuration for agiven router.properties:average:format: int64type: integerburst:format: int64type: integerperiod:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truesourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectredirectRegex:description: RedirectRegex holds the redirection configuration.properties:permanent:type: booleanregex:type: stringreplacement:type: stringtype: objectredirectScheme:description: RedirectScheme holds the scheme redirection configuration.properties:permanent:type: booleanport:type: stringscheme:type: stringtype: objectreplacePath:description: ReplacePath holds the ReplacePath configuration.properties:path:type: stringtype: objectreplacePathRegex:description: ReplacePathRegex holds the ReplacePathRegex configuration.properties:regex:type: stringreplacement:type: stringtype: objectretry:description: Retry holds the retry configuration.properties:attempts:type: integerinitialInterval:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truetype: objectstripPrefix:description: StripPrefix holds the StripPrefix configuration.properties:forceSlash:type: booleanprefixes:items:type: stringtype: arraytype: objectstripPrefixRegex:description: StripPrefixRegex holds the StripPrefixRegex configuration.properties:regex:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: middlewaretcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewareTCPlistKind: MiddlewareTCPListplural: middlewaretcpssingular: middlewaretcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: MiddlewareTCP is a specification for a MiddlewareTCP resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.properties:inFlightConn:description: TCPInFlightConn holds the TCP in flight connection configuration.properties:amount:format: int64type: integertype: objectipWhiteList:description: TCPIPWhiteList holds the TCP ip white list configuration.properties:sourceRange:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: serverstransports.traefik.containo.usspec:group: traefik.containo.usnames:kind: ServersTransportlistKind: ServersTransportListplural: serverstransportssingular: serverstransportscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: ServersTransport is a specification for a ServersTransport resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServersTransportSpec options to configure communication betweenTraefik and the servers.properties:certificatesSecrets:description: Certificates for mTLS.items:type: stringtype: arraydisableHTTP2:description: Disable HTTP/2 for connections with backend servers.type: booleanforwardingTimeouts:description: Timeouts for requests forwarded to the backend servers.properties:dialTimeout:anyOf:- type: integer- type: stringdescription: DialTimeout is the amount of time to wait until aconnection to a backend server can be established. If zero,no timeout exists.x-kubernetes-int-or-string: trueidleConnTimeout:anyOf:- type: integer- type: stringdescription: IdleConnTimeout is the maximum period for which anidle HTTP keep-alive connection will remain open before closingitself.x-kubernetes-int-or-string: truepingTimeout:anyOf:- type: integer- type: stringdescription: PingTimeout is the timeout after which the HTTP/2connection will be closed if a response to ping is not received.x-kubernetes-int-or-string: truereadIdleTimeout:anyOf:- type: integer- type: stringdescription: ReadIdleTimeout is the timeout after which a healthcheck using ping frame will be carried out if no frame is receivedon the HTTP/2 connection. If zero, no health check is performed.x-kubernetes-int-or-string: trueresponseHeaderTimeout:anyOf:- type: integer- type: stringdescription: ResponseHeaderTimeout is the amount of time to waitfor a server's response headers after fully writing the request(including its body, if any). If zero, no timeout exists.x-kubernetes-int-or-string: truetype: objectinsecureSkipVerify:description: Disable SSL certificate verification.type: booleanmaxIdleConnsPerHost:description: If non-zero, controls the maximum idle (keep-alive) tokeep per-host. If zero, DefaultMaxIdleConnsPerHost is used.type: integerpeerCertURI:description: URI used to match against SAN URI during the peer certificateverification.type: stringrootCAsSecrets:description: Add cert file for self-signed certificate.items:type: stringtype: arrayserverName:description: ServerName used to contact the server.type: stringtype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: tlsoptions.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSOptionlistKind: TLSOptionListplural: tlsoptionssingular: tlsoptionscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSOption is a specification for a TLSOption resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSOptionSpec configures TLS for an entry point.properties:alpnProtocols:items:type: stringtype: arraycipherSuites:items:type: stringtype: arrayclientAuth:description: ClientAuth defines the parameters of the client authenticationpart of the TLS connection, if any.properties:clientAuthType:description: ClientAuthType defines the client authenticationtype to apply.enum:- NoClientCert- RequestClientCert- RequireAnyClientCert- VerifyClientCertIfGiven- RequireAndVerifyClientCerttype: stringsecretNames:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.items:type: stringtype: arraytype: objectcurvePreferences:items:type: stringtype: arraymaxVersion:type: stringminVersion:type: stringpreferServerCipherSuites:type: booleansniStrict:type: booleantype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: tlsstores.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSStorelistKind: TLSStoreListplural: tlsstoressingular: tlsstorescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSStore is a specification for a TLSStore resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSStoreSpec configures a TLSStore resource.properties:defaultCertificate:description: DefaultCertificate holds a secret name for the TLSOptionresource.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objectrequired:- defaultCertificatetype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.6.2creationTimestamp: nullname: traefikservices.traefik.containo.usspec:group: traefik.containo.usnames:kind: TraefikServicelistKind: TraefikServiceListplural: traefikservicessingular: traefikservicescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TraefikService is the specification for a service (that an IngressRouterefers to) that is usually not a terminal service (i.e. not a pod of servers),as opposed to a Kubernetes Service. That is to say, it usually refers toother (children) services, which themselves can be TraefikServices or Services.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServiceSpec defines whether a TraefikService is a load-balancerof services or a mirroring service.properties:mirroring:description: Mirroring defines a mirroring service, which is composedof a main load-balancer, and a list of mirrors.properties:kind:enum:- Service- TraefikServicetype: stringmaxBodySize:format: int64type: integermirrors:items:description: MirrorService defines one of the mirrors of a Mirroringservice.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanpercent:type: integerport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikService object(service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for the forwardof the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectweighted:description: WeightedRoundRobin defines a load-balancer of services.properties:services:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []
RBAC
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: traefik-ingress-controllerrules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- extensions- networking.k8s.ioresources:- ingresses- ingressclassesverbs:- get- list- watch- apiGroups:- extensionsresources:- ingresses/statusverbs:- update- apiGroups:- traefik.containo.usresources:- middlewares- middlewaretcps- ingressroutes- traefikservices- ingressroutetcps- ingressrouteudps- tlsoptions- tlsstores- serverstransportsverbs:- get- list- watch---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: default
Traefik
apiVersion: v1kind: ServiceAccountmetadata:name: traefik-ingress-controller---kind: DeploymentapiVersion: apps/v1metadata:name: traefiklabels:app: traefikspec:replicas: 1selector:matchLabels:app: traefiktemplate:metadata:labels:app: traefikspec:serviceAccountName: traefik-ingress-controllercontainers:- name: traefikimage: traefik:v2.6args:- --log.level=DEBUG- --api- --api.insecure- --entrypoints.web.address=:80- --entrypoints.tcpep.address=:8000- --entrypoints.udpep.address=:9000/udp- --providers.kubernetescrdports:- name: webcontainerPort: 80- name: admincontainerPort: 8080- name: tcpepcontainerPort: 8000- name: udpepcontainerPort: 9000---apiVersion: v1kind: Servicemetadata:name: traefikspec:type: LoadBalancerselector:app: traefikports:- protocol: TCPport: 80name: webtargetPort: 80- protocol: TCPport: 8080name: admintargetPort: 8080- protocol: TCPport: 8000name: tcpeptargetPort: 8000---apiVersion: v1kind: Servicemetadata:name: traefikudpspec:type: LoadBalancerselector:app: traefikports:- protocol: UDPport: 9000name: udpeptargetPort: 9000
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: myingressroutenamespace: defaultspec:entryPoints:- webroutes:- match: Host(`foo`) && PathPrefix(`/bar`)kind: Ruleservices:- name: whoamiport: 80---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroute.tcpnamespace: defaultspec:entryPoints:- tcpeproutes:- match: HostSNI(`bar`)services:- name: whoamitcpport: 8080---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressroute.udpnamespace: defaultspec:entryPoints:- udpeproutes:- services:- name: whoamiudpport: 8080
Whoami
kind: DeploymentapiVersion: apps/v1metadata:name: whoaminamespace: defaultlabels:app: traefiklabsname: whoamispec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitemplate:metadata:labels:app: traefiklabstask: whoamispec:containers:- name: whoamiimage: traefik/whoamiports:- containerPort: 80---apiVersion: v1kind: Servicemetadata:name: whoaminamespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: whoami---kind: DeploymentapiVersion: apps/v1metadata:name: whoamitcpnamespace: defaultlabels:app: traefiklabsname: whoamitcpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitcptemplate:metadata:labels:app: traefiklabstask: whoamitcpspec:containers:- name: whoamitcpimage: traefik/whoamitcpports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamitcpnamespace: defaultspec:ports:- protocol: TCPport: 8080selector:app: traefiklabstask: whoamitcp---kind: DeploymentapiVersion: apps/v1metadata:name: whoamiudpnamespace: defaultlabels:app: traefiklabsname: whoamiudpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamiudptemplate:metadata:labels:app: traefiklabstask: whoamiudpspec:containers:- name: whoamiudpimage: traefik/whoamiudp:latestports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamiudpnamespace: defaultspec:ports:- port: 8080selector:app: traefiklabstask: whoamiudp
Routing Configuration
Custom Resource Definition (CRD)
- You can find an exhaustive list, generated from Traefik’s source code, of the custom resources and their attributes in the reference page.
- Validate that the prerequisites are fulfilled before using the Traefik custom resources.
- Traefik CRDs are building blocks that you can assemble according to your needs.
You can find an excerpt of the available custom resources in the table below:
| Kind | Purpose | Concept Behind |
|---|---|---|
| IngressRoute | HTTP Routing | HTTP router |
| Middleware | Tweaks the HTTP requests before they are sent to your service | HTTP Middlewares |
| TraefikService | Abstraction for HTTP loadbalancing/mirroring | HTTP service |
| IngressRouteTCP | TCP Routing | TCP router |
| MiddlewareTCP | Tweaks the TCP requests before they are sent to your service | TCP Middlewares |
| IngressRouteUDP | UDP Routing | UDP router |
| TLSOptions | Allows to configure some parameters of the TLS connection | TLSOptions |
| TLSStores | Allows to configure the default TLS store | TLSStores |
| ServersTransport | Allows to configure the transport between Traefik and the backends | ServersTransport |
Kind: IngressRoute
IngressRoute is the CRD implementation of a Traefik HTTP router.
Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.
IngressRoute Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: foonamespace: barspec:entryPoints: # [1]- fooroutes: # [2]- kind: Rulematch: Host(`test.example.com`) # [3]priority: 10 # [4]middlewares: # [5]- name: middleware1 # [6]namespace: default # [7]services: # [8]- kind: Servicename: foonamespace: defaultpassHostHeader: trueport: 80 # [9]responseForwarding:flushInterval: 1msscheme: httpsserversTransport: transport # [10]sticky:cookie:httpOnly: truename: cookiesecure: truesameSite: nonestrategy: RoundRobinweight: 10tls: # [11]secretName: supersecret # [12]options: # [13]name: opt # [14]namespace: default # [15]certResolver: foo # [16]domains: # [17]- main: example.net # [18]sans: # [19]- a.example.net- b.example.net
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entry points names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router. |
| [4] | routes[n].priority | Disambiguate rules of the same length, for route matching |
| [5] | routes[n].middlewares | List of reference to Middleware |
| [6] | middlewares[n].name | Defines the Middleware name |
| [7] | middlewares[n].namespace | Defines the Middleware namespace |
| [8] | routes[n].services | List of any combination of TraefikService and reference to a Kubernetes service (See below for ExternalName Service setup) |
| [9] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [10] | services[n].serversTransport | Defines the reference to a ServersTransport. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference). |
| [11] | tls | Defines TLS certificate configuration |
| [12] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [13] | tls.options | Defines the reference to a TLSOption |
| [14] | options.name | Defines the TLSOption name |
| [15] | options.namespace | Defines the TLSOption namespace |
| [16] | tls.certResolver | Defines the reference to a CertResolver |
| [17] | tls.domains | List of domains |
| [18] | domains[n].main | Defines the main domain name |
| [19] | domains[n].sans | List of SANs (alternative domains) |
Declaring an IngressRoute
IngressRoute
# All resources definition must be declaredapiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test-namenamespace: defaultspec:entryPoints:- webroutes:- kind: Rulematch: Host(`test.example.com`)middlewares:- name: middleware1namespace: defaultpriority: 10services:- kind: Servicename: foonamespace: defaultpassHostHeader: trueport: 80responseForwarding:flushInterval: 1msscheme: httpssticky:cookie:httpOnly: truename: cookiesecure: truestrategy: RoundRobinweight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecret
Middlewares
# All resources definition must be declared# Prefixing with /fooapiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: middleware1namespace: defaultspec:addPrefix:prefix: /foo
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Configuring Backend Protocol
There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
- Setting the scheme explicitly (http/https/h2c)
- Configuring the name of the kubernetes service port to start with https (https)
- Setting the kubernetes service port to use port 443 (https)
If you do not configure the above, Traefik will assume an http connection.
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRoute
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind: Middleware
Middleware is the CRD implementation of a Traefik middleware.
Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.
Declaring and Referencing a Middleware
Middleware
apiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: stripprefixnamespace: foospec:stripPrefix:prefixes:- /stripit
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80middlewares:- name: stripprefixnamespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available middlewares in the dedicated middlewares section.
Kind: TraefikService
TraefikService is the CRD implementation of a “Traefik Service”.
Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in others TraefikService objects.
Disambiguate Traefik and Kubernetes Services
As the field name can reference different types of objects, use the field kind to avoid any ambiguity.
The field kind allows the following values:
Service(default value): to reference a Kubernetes ServiceTraefikService: to reference another Traefik Service
TraefikService object allows to use any (valid) combinations of:
- servers load balancing.
- services Weighted Round Robin load balancing.
- services mirroring.
Server Load Balancing
More information in the dedicated server load balancing section.
Declaring and Using Server Load Balancing
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: svc1namespace: default- name: svc2namespace: default
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2
Weighted Round Robin
More information in the dedicated Weighted Round Robin service load balancing section.
Declaring and Using Weighted Round Robin
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: svc1port: 80weight: 1- name: wrr2kind: TraefikServiceweight: 1- name: mirror1kind: TraefikServiceweight: 1---apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr2namespace: defaultspec:weighted:services:- name: svc2port: 80weight: 1- name: svc3port: 80weight: 1
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2---apiVersion: v1kind: Servicemetadata:name: svc3namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app3
Mirroring
More information in the dedicated mirroring service section.
Declaring and Using Mirroring
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: mirror1namespace: defaultkind: TraefikService
Mirroring k8s Service
# Mirroring from a k8s ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: svc1port: 80mirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
Mirroring Traefik Service
# Mirroring from a Traefik ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: wrr1kind: TraefikServicemirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.
Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.
Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).
Stickiness and load-balancing
As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.
For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.
Stickiness on two load-balancing levels
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: whoami1kind: Serviceport: 80weight: 1sticky:cookie:name: lvl2- name: whoami2kind: Serviceweight: 1port: 80sticky:cookie:name: lvl2sticky:cookie:name: lvl1
K8s Service
apiVersion: v1kind: Servicemetadata:name: whoami1spec:ports:- protocol: TCPname: webport: 80selector:app: whoami1---apiVersion: v1kind: Servicemetadata:name: whoami2spec:ports:- protocol: TCPname: webport: 80selector:app: whoami2
Deployment (to illustrate replicas)
kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami1labels:app: whoami1spec:replicas: 2selector:matchLabels:app: whoami1template:metadata:labels:app: whoami1spec:containers:- name: whoami1image: traefik/whoamiports:- name: webcontainerPort: 80---kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami2labels:app: whoami2spec:replicas: 2selector:matchLabels:app: whoami2template:metadata:labels:app: whoami2spec:containers:- name: whoami2image: traefik/whoamiports:- name: webcontainerPort: 80
To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo
assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.
Kind IngressRouteTCP
IngressRouteTCP is the CRD implementation of a Traefik TCP router.
Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.
IngressRouteTCP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints: # [1]- footcproutes: # [2]- match: HostSNI(`*`) # [3]middlewares:- name: middleware1 # [4]namespace: default # [5]services: # [6]- name: foo # [7]port: 8080 # [8]weight: 10 # [9]terminationDelay: 400 # [10]proxyProtocol: # [11]version: 1 # [12]tls: # [13]secretName: supersecret # [14]options: # [15]name: opt # [16]namespace: default # [17]certResolver: foo # [18]domains: # [19]- main: example.net # [20]sans: # [21]- a.example.net- b.example.netpassthrough: false # [22]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router |
| [4] | middlewares[n].name | Defines the MiddlewareTCP name |
| [5] | middlewares[n].namespace | Defines the MiddlewareTCP namespace |
| [6] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [7] | services[n].name | Defines the name of a Kubernetes service |
| [8] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [9] | services[n].weight | Defines the weight to apply to the server load balancing |
| [10] | services[n].terminationDelay | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
| [11] | proxyProtocol | Defines the PROXY protocol configuration |
| [12] | version | Defines the PROXY protocol version |
| [13] | tls | Defines TLS certificate configuration |
| [14] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [15] | tls.options | Defines the reference to a TLSOption |
| [16] | options.name | Defines the TLSOption name |
| [17] | options.namespace | Defines the TLSOption namespace |
| [18] | tls.certResolver | Defines the reference to a CertResolver |
| [19] | tls.domains | List of domains |
| [20] | domains[n].main | Defines the main domain name |
| [21] | domains[n].sans | List of SANs (alternative domains) |
| [22] | tls.passthrough | If true, delegates the TLS termination to the backend |
Declaring an IngressRouteTCP
IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints:- footcproutes:# Match is the rule corresponding to an underlying router.- match: HostSNI(`*`)services:- name: fooport: 8080terminationDelay: 400weight: 10- name: barport: 8081terminationDelay: 500weight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecretpassthrough: false
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteTCPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteTCPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
Only on IngressRouteTCP
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)services:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
On both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)services:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind: MiddlewareTCP
MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
Register the MiddlewareTCP kind in the Kubernetes cluster before creating MiddlewareTCP objects or referencing TCP middlewares in the IngressRouteTCP objects.
Declaring and Referencing a MiddlewareTCP
Middleware
apiVersion: traefik.containo.us/v1alpha1kind: MiddlewareTCPmetadata:name: ipwhitelistspec:ipWhiteList:sourceRange:- 127.0.0.1/32- 192.168.1.7
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/whitelist`)kind: Ruleservices:- name: whoamiport: 80middlewares:- name: ipwhitelistnamespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the TCP middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a MiddlewareTCP from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available TCP middlewares in the dedicated middlewares section.
Kind IngressRouteUDP
IngressRouteUDP is the CRD implementation of a Traefik UDP router.
Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.
IngressRouteUDP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints: # [1]- fooudproutes: # [2]- services: # [3]- name: foo # [4]port: 8080 # [5]weight: 10 # [6]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [4] | services[n].name | Defines the name of a Kubernetes service |
| [6] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [7] | services[n].weight | Defines the weight to apply to the server load balancing |
Declaring an IngressRouteUDP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints:- fooudproutes:- services:- name: fooport: 8080weight: 10- name: barport: 8081weight: 10
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteUDPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteUDPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRouteUDP
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- services:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- services:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- services:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind: TLSOption
TLSOption is the CRD implementation of a Traefik “TLS Option”.
Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.
TLSOption Attributes
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12 # [1]maxVersion: VersionTLS13 # [1]curvePreferences: # [3]- CurveP521- CurveP384cipherSuites: # [4]- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth: # [5]secretNames: # [6]- secret-ca1- secret-ca2clientAuthType: VerifyClientCertIfGiven # [7]sniStrict: true # [8]alpnProtocols: # [9]- foobar
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | minVersion | Defines the minimum TLS version that is acceptable |
| [2] | maxVersion | Defines the maximum TLS version that is acceptable |
| [3] | cipherSuites | list of supported cipher suites for TLS versions up to TLS 1.2 |
| [4] | curvePreferences | List of the elliptic curves references that will be used in an ECDHE handshake, in preference order |
| [5] | clientAuth | determines the server’s policy for TLS Client Authentication |
| [6] | clientAuth.secretNames | list of names of the referenced Kubernetes Secrets (in TLSOption namespace). The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [7] | clientAuth.clientAuthType | defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert |
| [8] | sniStrict | if true, Traefik won’t allow connections from clients connections that do not specify a server_name extension |
| [9] | alpnProtocols | List of supported application level protocols for the TLS handshake, in order of preference. |
CA Secret
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
Declaring and referencing a TLSOption
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12sniStrict: truecipherSuites:- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth:secretNames:- secret-ca1- secret-ca2clientAuthType: VerifyClientCertIfGiven
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:options:name: mytlsoptionnamespace: default
Secrets
apiVersion: v1kind: Secretmetadata:name: secret-ca1namespace: defaultdata:# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=---apiVersion: v1kind: Secretmetadata:name: secret-ca2namespace: defaultdata:# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (middlewarename@provider) should be used to refer to the TLS option. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
Kind: TLSStore
TLSStore is the CRD implementation of a Traefik “TLS Store”.
Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects or referencing TLS stores in the IngressRoute / IngressRouteTCP objects.
Default TLS Store
Traefik currently only uses the TLS Store named “default”. This means that if you have two stores that are named default in different kubernetes namespaces, they may be randomly chosen. For the time being, please only configure one TLSSTore named default.
TLSStore Attributes
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: my-secret # [1]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | secretName | The name of the referenced Kubernetes Secret that holds the default certificate for the store. |
Declaring and referencing a TLSStore
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: supersecret
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:store:name: default
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Kind: ServersTransport
ServersTransport is the CRD implementation of a ServersTransport.
Default serversTransport
If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.
ServersTransport Attributes
ServersTransport
apiVersion: traefik.containo.us/v1alpha1kind: ServersTransportmetadata:name: mytransportnamespace: defaultspec:serverName: foobar # [1]insecureSkipVerify: true # [2]rootCAsSecrets: # [3]- foobar- foobarcertificatesSecrets: # [4]- foobar- foobarmaxIdleConnsPerHost: 1 # [5]forwardingTimeouts: # [6]dialTimeout: 42s # [7]responseHeaderTimeout: 42s # [8]idleConnTimeout: 42s # [9]peerCertURI: foobar # [10]disableHTTP2: true # [11]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | serverName | ServerName used to contact the server. |
| [2] | insecureSkipVerify | Controls whether the server’s certificate chain and host name is verified. |
| [3] | rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | certificatesSecrets | Certificates to present to the server for mTLS. |
| [5] | maxIdleConnsPerHost | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, defaultMaxIdleConnsPerHost is used. |
| [6] | forwardingTimeouts | Timeouts for requests forwarded to the servers. |
| [7] | dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | responseHeaderTimeout | The amount of time to wait for a server’s response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | idleConnTimeout | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | peerCertURI | URI used to match against SAN URIs during the server’s certificate verification. |
| [11] | disableHTTP2 | Disables HTTP/2 for connections with servers. |
CA Secret
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
Declaring and referencing a ServersTransport
ServersTransport
apiVersion: traefik.containo.us/v1alpha1kind: ServersTransportmetadata:name: mytransportnamespace: defaultspec:serverName: example.orginsecureSkipVerify: true
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: testroutenamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`)kind: Ruleservices:- name: whoamiport: 80serversTransport: mytransport
ServersTransport reference
By default, the referenced ServersTransport CRD must be defined in the same Kubernetes service namespace.
To reference a ServersTransport CRD from another namespace, the value must be of form namespace-name@kubernetescrd, and the cross-namespace option must be enabled.
If the ServersTransport CRD is defined in another provider the cross-provider format name@provider should be used.
Further
Also see the full example with Let’s Encrypt.
