Traefik & Kubernetes

The Kubernetes Ingress Controller, The Custom Resource Way.

Configuration Examples

Configuring KubernetesCRD and Deploying/Exposing Services

Resource Definition

# All resources definition must be declared
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec defines the desired state of IngressRoute.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: Route holds the HTTP route configuration.
                  properties:
                    kind:
                      description: Kind defines the kind of the route. Rule is the
                        only supported kind.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
                        properties:
                          name:
                            description: Name defines the name of the referenced Middleware
                              resource.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Middleware resource.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
                        any combination of TraefikService and/or reference to a Kubernetes
                        Service.
                      items:
                        description: Service defines an upstream HTTP service to proxy
                          traffic to.
                        properties:
                          kind:
                            description: Kind defines the kind of the Service.
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service or TraefikService. The differentiation between
                              the two is specified in the Kind field.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service or TraefikService.
                            type: string
                          passHostHeader:
                            description: PassHostHeader defines whether the client
                              Host header is forwarded to the upstream Kubernetes
                              Service. By default, passHostHeader is true.
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding defines how Traefik forwards
                              the response from the upstream Kubernetes Service to
                              the client.
                            properties:
                              flushInterval:
                                description: 'FlushInterval defines the interval,
                                  in milliseconds, in between flushes to the client
                                  while copying the response body. A negative value
                                  means to flush immediately after each write to the
                                  client. This configuration is ignored when ReverseProxy
                                  recognizes a response as a streaming response; for
                                  such responses, writes are flushed to the client
                                  immediately. Default: 100ms'
                                type: string
                            type: object
                          scheme:
                            description: Scheme defines the scheme to use for the
                              request to the upstream Kubernetes Service. It defaults
                              to https when Kubernetes Service port is 443, http otherwise.
                            type: string
                          serversTransport:
                            description: ServersTransport defines the name of ServersTransport
                              resource to use. It allows to configure the transport
                              between Traefik and your servers. Can only be used on
                              a Kubernetes Service.
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
                              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
                                properties:
                                  httpOnly:
                                    description: HTTPOnly defines whether the cookie
                                      can be accessed by client-side APIs, such as
                                      JavaScript.
                                    type: boolean
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  sameSite:
                                    description: 'SameSite defines the same site policy.
                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                    type: string
                                  secure:
                                    description: Secure defines whether the cookie
                                      can only be transmitted over an encrypted connection
                                      (i.e. HTTPS).
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            description: Strategy defines the load balancing strategy
                              between the servers. RoundRobin is the only supported
                              value at the moment.
                            type: string
                          weight:
                            description: Weight defines the weight and should only
                              be specified when Name references a TraefikService object
                              (and to be precise, one that embeds a Weighted Round
                              Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          description: Main defines the main domain name.
                          type: string
                        sans:
                          description: SANs defines the subject alternative domain
                            names.
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
                          TLSOption. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store defines the reference to the TLSStore, that
                      will be used to store certificates. Please note that only `default`
                      TLSStore can be used.
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
                          TLSStore. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteTCP
    listKind: IngressRouteTCPList
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
                        resources.
                      items:
                        description: ObjectReference is a generic reference to a Traefik
                          resource.
                        properties:
                          name:
                            description: Name defines the name of the referenced Traefik
                              resource.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Traefik resource.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
                      items:
                        description: ServiceTCP defines an upstream TCP service to
                          proxy traffic to.
                        properties:
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service.
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
                              configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
                                  to use.
                                type: integer
                            type: object
                          terminationDelay:
                            description: TerminationDelay defines the deadline that
                              the proxy sets, after one of its connected peers indicates
                              it has closed the writing capability of its connection,
                              to close the reading capability as well, hence fully
                              terminating the connection. It is a duration in milliseconds,
                              defaulting to 100. A negative value means an infinite
                              deadline (i.e. the reading capability is never closed).
                            type: integer
                          weight:
                            description: Weight defines the weight used when balancing
                              requests between multiple Kubernetes Service.
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
                  Route. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          description: Main defines the main domain name.
                          type: string
                        sans:
                          description: SANs defines the subject alternative domain
                            names.
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
                          resource.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Traefik resource.
                        type: string
                    required:
                    - name
                    type: object
                  passthrough:
                    description: Passthrough defines whether a TLS router will terminate
                      the TLS connection.
                    type: boolean
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store defines the reference to the TLSStore, that
                      will be used to store certificates. Please note that only `default`
                      TLSStore can be used.
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
                          resource.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Traefik resource.
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteUDP
    listKind: IngressRouteUDPList
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: RouteUDP holds the UDP route configuration.
                  properties:
                    services:
                      description: Services defines the list of UDP services.
                      items:
                        description: ServiceUDP defines an upstream UDP service to
                          proxy traffic to.
                        properties:
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service.
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          weight:
                            description: Weight defines the weight used when balancing
                              requests between multiple Kubernetes Service.
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  type: object
                type: array
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: Middleware
    listKind: MiddlewareList
    plural: middlewares
    singular: middleware
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
          More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareSpec defines the desired state of a Middleware.
            properties:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
                  it. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
                      in the requested URL. It should include a leading slash (/).
                    type: string
                type: object
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
                      to be partitioned into a set of protection spaces, each with
                      its own authentication scheme. Default: traefik.'
                    type: string
                  removeHeader:
                    description: 'RemoveHeader sets the removeHeader option to true
                      to remove the authorization header before forwarding the request
                      to your service. Default: false.'
                    type: boolean
                  secret:
                    description: Secret is the name of the referenced Kubernetes Secret
                      containing user credentials.
                    type: string
                type: object
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
                      body size for the request (in bytes). If the request exceeds
                      the allowed size, it is not forwarded to the service, and the
                      client gets a 413 (Request Entity Too Large) response. Default:
                      0 (no maximum).'
                    format: int64
                    type: integer
                  maxResponseBodyBytes:
                    description: 'MaxResponseBodyBytes defines the maximum allowed
                      response size from the service (in bytes). If the response exceeds
                      the allowed size, it is not forwarded to the client. The client
                      gets a 500 (Internal Server Error) response instead. Default:
                      0 (no maximum).'
                    format: int64
                    type: integer
                  memRequestBodyBytes:
                    description: 'MemRequestBodyBytes defines the threshold (in bytes)
                      from which the request will be buffered on disk instead of in
                      memory. Default: 1048576 (1Mi).'
                    format: int64
                    type: integer
                  memResponseBodyBytes:
                    description: 'MemResponseBodyBytes defines the threshold (in bytes)
                      from which the response will be buffered on disk instead of
                      in memory. Default: 1048576 (1Mi).'
                    format: int64
                    type: integer
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
                      and OR (||). More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
                      the chain.
                    items:
                      description: MiddlewareRef is a reference to a Middleware resource.
                      properties:
                        name:
                          description: Name defines the name of the referenced Middleware
                            resource.
                          type: string
                        namespace:
                          description: Namespace defines the namespace of the referenced
                            Middleware resource.
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                type: object
              circuitBreaker:
                description: CircuitBreaker holds the circuit breaker configuration.
                properties:
                  checkPeriod:
                    anyOf:
                    - type: integer
                    - type: string
                    description: CheckPeriod is the interval between successive checks
                      of the circuit breaker condition (when in standby state).
                    x-kubernetes-int-or-string: true
                  expression:
                    description: Expression is the condition that triggers the tripped
                      state.
                    type: string
                  fallbackDuration:
                    anyOf:
                    - type: integer
                    - type: string
                    description: FallbackDuration is the duration for which the circuit
                      breaker will wait before trying to recover (from a tripped state).
                    x-kubernetes-int-or-string: true
                  recoveryDuration:
                    anyOf:
                    - type: integer
                    - type: string
                    description: RecoveryDuration is the duration for which the circuit
                      breaker will try to recover (as soon as it is in recovering
                      state).
                    x-kubernetes-int-or-string: true
                type: object
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
                      and responses before compressing.
                    items:
                      type: string
                    type: array
                  minResponseBodyBytes:
                    description: 'MinResponseBodyBytes defines the minimum amount
                      of bytes a response body must have to be compressed. Default:
                      1024.'
                    type: integer
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
                  This middleware exists to enable the correct behavior until at least
                  the default one can be changed in a future version.
                properties:
                  autoDetect:
                    description: AutoDetect specifies whether to let the `Content-Type`
                      header, if it has not been set by the backend, be automatically
                      set to a value derived from the contents of the response. As
                      a proxy, the default behavior should be to leave the header
                      alone, regardless of what the backend did with it. However,
                      the historic default was to always auto-detect and set the header
                      if it was nil, and it is going to be kept that way in order
                      to support users currently relying on it.
                    type: boolean
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
                      to be partitioned into a set of protection spaces, each with
                      its own authentication scheme. Default: traefik.'
                    type: string
                  removeHeader:
                    description: RemoveHeader defines whether to remove the authorization
                      header before forwarding the request to the backend.
                    type: boolean
                  secret:
                    description: Secret is the name of the referenced Kubernetes Secret
                      containing user credentials.
                    type: string
                type: object
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
                      by service). The {status} variable can be used in order to insert
                      the status code in the URL.
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      name:
                        description: Name defines the name of the referenced Kubernetes
                          Service or TraefikService. The differentiation between the
                          two is specified in the Kind field.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Kubernetes Service or TraefikService.
                        type: string
                      passHostHeader:
                        description: PassHostHeader defines whether the client Host
                          header is forwarded to the upstream Kubernetes Service.
                          By default, passHostHeader is true.
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        description: Port defines the port of a Kubernetes Service.
                          This can be a reference to a named port.
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding defines how Traefik forwards
                          the response from the upstream Kubernetes Service to the
                          client.
                        properties:
                          flushInterval:
                            description: 'FlushInterval defines the interval, in milliseconds,
                              in between flushes to the client while copying the response
                              body. A negative value means to flush immediately after
                              each write to the client. This configuration is ignored
                              when ReverseProxy recognizes a response as a streaming
                              response; for such responses, writes are flushed to
                              the client immediately. Default: 100ms'
                            type: string
                        type: object
                      scheme:
                        description: Scheme defines the scheme to use for the request
                          to the upstream Kubernetes Service. It defaults to https
                          when Kubernetes Service port is 443, http otherwise.
                        type: string
                      serversTransport:
                        description: ServersTransport defines the name of ServersTransport
                          resource to use. It allows to configure the transport between
                          Traefik and your servers. Can only be used on a Kubernetes
                          Service.
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
                            properties:
                              httpOnly:
                                description: HTTPOnly defines whether the cookie can
                                  be accessed by client-side APIs, such as JavaScript.
                                type: boolean
                              name:
  877. description: Name defines the Cookie name.
  878. type: string
  879. sameSite:
  880. description: 'SameSite defines the same site policy.
  881. More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
  882. type: string
  883. secure:
  884. description: Secure defines whether the cookie can
  885. only be transmitted over an encrypted connection
  886. (i.e. HTTPS).
  887. type: boolean
  888. type: object
  889. type: object
  890. strategy:
  891. description: Strategy defines the load balancing strategy
  892. between the servers. RoundRobin is the only supported value
  893. at the moment.
  894. type: string
  895. weight:
  896. description: Weight defines the weight and should only be
  897. specified when Name references a TraefikService object (and
  898. to be precise, one that embeds a Weighted Round Robin).
  899. type: integer
  900. required:
  901. - name
  902. type: object
  903. status:
  904. description: Status defines which status or range of statuses
  905. should result in an error page. It can be either a status code
  906. as a number (500), as multiple comma-separated numbers (500,502),
  907. as ranges by separating two codes with a dash (500-599), or
  908. a combination of the two (404,418,500-599).
  909. items:
  910. type: string
  911. type: array
  912. type: object
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
                    type: string
                  authRequestHeaders:
                    description: AuthRequestHeaders defines the list of the headers
                      to copy from the request to the authentication server. If not
                      set or empty then all request headers are passed.
                    items:
                      type: string
                    type: array
                  authResponseHeaders:
                    description: AuthResponseHeaders defines the list of headers to
                      copy from the authentication server response and set on forwarded
                      request, replacing any existing conflicting headers.
                    items:
                      type: string
                    type: array
                  authResponseHeadersRegex:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
                      the regex. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
                          The CA certificate is extracted from key `tls.ca` or `ca.crt`.
                        type: string
                      certSecret:
                        description: CertSecret is the name of the referenced Kubernetes
                          Secret containing the client certificate. The client certificate
                          is extracted from the keys `tls.crt` and `tls.key`.
                        type: string
                      insecureSkipVerify:
                        description: InsecureSkipVerify defines whether the server
                          certificates should be validated.
                        type: boolean
                    type: object
                  trustForwardHeader:
                    description: 'TrustForwardHeader defines whether to trust (ie:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
                  info: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
                      request can include user credentials.
                    type: boolean
                  accessControlAllowHeaders:
                    description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlAllowMethods:
                    description: AccessControlAllowMethods defines the Access-Control-Request-Method
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginList:
                    description: AccessControlAllowOriginList is a list of allowable
                      origins. Can also be a wildcard origin "*".
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginListRegex:
                    description: AccessControlAllowOriginListRegex is a list of allowable
                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
                    items:
                      type: string
                    type: array
                  accessControlExposeHeaders:
                    description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlMaxAge:
                    description: AccessControlMaxAge defines the time that a preflight
                      request may be cached.
                    format: int64
                    type: integer
                  addVaryHeader:
                    description: AddVaryHeader defines whether the Vary header is
                      automatically added/updated when the AccessControlAllowOriginList
                      is set.
                    type: boolean
                  allowedHosts:
                    description: AllowedHosts defines the fully qualified list of
                      allowed domain names.
                    items:
                      type: string
                    type: array
                  browserXssFilter:
                    description: BrowserXSSFilter defines whether to add the X-XSS-Protection
                      header with the value 1; mode=block.
                    type: boolean
                  contentSecurityPolicy:
                    description: ContentSecurityPolicy defines the Content-Security-Policy
                      header value.
                    type: string
                  contentTypeNosniff:
                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
                      header with the nosniff value.
                    type: boolean
                  customBrowserXSSValue:
                    description: CustomBrowserXSSValue defines the X-XSS-Protection
                      header value. This overrides the BrowserXssFilter option.
                    type: string
                  customFrameOptionsValue:
                    description: CustomFrameOptionsValue defines the X-Frame-Options
                      header value. This overrides the FrameDeny option.
                    type: string
                  customRequestHeaders:
                    additionalProperties:
                      type: string
                    description: CustomRequestHeaders defines the header names and
                      values to apply to the request.
                    type: object
                  customResponseHeaders:
                    additionalProperties:
                      type: string
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
                    type: boolean
                  frameDeny:
                    description: FrameDeny defines whether to add the X-Frame-Options
                      header with the DENY value.
                    type: boolean
                  hostsProxyHeaders:
                    description: HostsProxyHeaders defines the header keys that may
                      hold a proxied hostname value for the request.
                    items:
                      type: string
                    type: array
                  isDevelopment:
                    description: IsDevelopment defines whether to mitigate the unwanted
                      effects of the AllowedHosts, SSL, and STS options when developing.
                      Usually testing takes place using HTTP, not HTTPS, and on localhost,
                      not your production domain. If you would like your development
                      environment to mimic production with complete Host blocking,
                      SSL redirects, and STS headers, leave this as false.
                    type: boolean
                  permissionsPolicy:
                    description: PermissionsPolicy defines the Permissions-Policy
                      header value. This allows sites to control browser features.
                    type: string
                  publicKey:
                    description: PublicKey is the public key that implements HPKP
                      to prevent MITM attacks with forged certificates.
                    type: string
                  referrerPolicy:
                    description: ReferrerPolicy defines the Referrer-Policy header
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
                    description: 'SSLProxyHeaders defines the header keys with associated
                      values that would indicate a valid HTTPS request. It can be
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
                    type: boolean
                  stsPreload:
                    description: STSPreload defines whether the preload flag is appended
                      to the Strict-Transport-Security header.
                    type: boolean
                  stsSeconds:
                    description: STSSeconds defines the max-age of the Strict-Transport-Security
                      header. If set to 0, the header is not set.
                    format: int64
                    type: integer
                type: object
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
                  served concurrently. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
                      in-flight request. The middleware responds with HTTP 429 Too
                      Many Requests if there are already amount requests in progress
                      (based on the same sourceCriterion strategy).
                    format: int64
                    type: integer
                  sourceCriterion:
                    description: 'SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
                      info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
                              header and take the IP located at the depth position
                              (starting from the right).
                            type: integer
                          excludedIPs:
                            description: ExcludedIPs configures Traefik to scan the
                              X-Forwarded-For header and select the first IP not in
                              the list.
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
                          used to group incoming requests.
                        type: string
                      requestHost:
                        description: RequestHost defines whether to consider the request
                          Host as the source.
                        type: boolean
                    type: object
                type: object
              ipWhiteList:
                description: 'IPWhiteList holds the IP whitelist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
                          header and take the IP located at the depth position (starting
                          from the right).
                        type: integer
                      excludedIPs:
                        description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
                          header and select the first IP not in the list.
                        items:
                          type: string
                        type: array
                    type: object
                  sourceRange:
                    description: SourceRange defines the set of allowed IPs (or ranges
                      of allowed IPs by using CIDR notation).
                    items:
                      type: string
                    type: array
                type: object
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
                      you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
                    properties:
                      issuer:
                        description: Issuer defines the client certificate issuer
                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
                        properties:
                          commonName:
                            description: CommonName defines whether to add the organizationalUnit
                              information into the issuer.
                            type: boolean
                          country:
                            description: Country defines whether to add the country
                              information into the issuer.
                            type: boolean
                          domainComponent:
                            description: DomainComponent defines whether to add the
                              domainComponent information into the issuer.
                            type: boolean
                          locality:
                            description: Locality defines whether to add the locality
                              information into the issuer.
                            type: boolean
                          organization:
                            description: Organization defines whether to add the organization
                              information into the issuer.
                            type: boolean
                          province:
                            description: Province defines whether to add the province
                              information into the issuer.
                            type: boolean
                          serialNumber:
                            description: SerialNumber defines whether to add the serialNumber
                              information into the issuer.
                            type: boolean
                        type: object
                      notAfter:
                        description: NotAfter defines whether to add the Not After
                          information from the Validity part.
                        type: boolean
                      notBefore:
                        description: NotBefore defines whether to add the Not Before
                          information from the Validity part.
                        type: boolean
                      sans:
                        description: Sans defines whether to add the Subject Alternative
                          Name information from the Subject Alternative Name part.
                        type: boolean
                      serialNumber:
                        description: SerialNumber defines whether to add the client
                          serialNumber information.
                        type: boolean
                      subject:
                        description: Subject defines the client certificate subject
                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
                        properties:
                          commonName:
                            description: CommonName defines whether to add the organizationalUnit
                              information into the subject.
                            type: boolean
                          country:
                            description: Country defines whether to add the country
                              information into the subject.
                            type: boolean
                          domainComponent:
                            description: DomainComponent defines whether to add the
                              domainComponent information into the subject.
                            type: boolean
                          locality:
                            description: Locality defines whether to add the locality
                              information into the subject.
                            type: boolean
                          organization:
                            description: Organization defines whether to add the organization
                              information into the subject.
                            type: boolean
                          organizationalUnit:
                            description: OrganizationalUnit defines whether to add
                              the organizationalUnit information into the subject.
                            type: boolean
                          province:
                            description: Province defines whether to add the province
                              information into the subject.
                            type: boolean
                          serialNumber:
                            description: SerialNumber defines whether to add the serialNumber
                              information into the subject.
                            type: boolean
                        type: object
                    type: object
                  pem:
                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
                      the certificate.
                    type: boolean
                type: object
              plugin:
                additionalProperties:
                  x-kubernetes-preserve-unknown-fields: true
                description: 'Plugin defines the middleware plugin configuration.
                  More info: https://doc.traefik.io/traefik/plugins/'
                type: object
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
                      allowed for the given source. It defaults to 0, which means
                      no rate limiting. The rate is actually defined by dividing Average
                      by Period. So for a rate below 1req/s, one needs to define a
                      Period larger than a second.
                    format: int64
                    type: integer
                  burst:
                    description: Burst is the maximum number of requests allowed to
                      arrive in the same arbitrarily small period of time. It defaults
                      to 1.
                    format: int64
                    type: integer
                  period:
                    anyOf:
                    - type: integer
                    - type: string
                    description: 'Period, in combination with Average, defines the
                      actual maximum rate, such as: r = Average / Period. It defaults
                      to a second.'
                    x-kubernetes-int-or-string: true
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the request's remote
                      address field (as an ipStrategy).
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
                              header and take the IP located at the depth position
                              (starting from the right).
                            type: integer
                          excludedIPs:
                            description: ExcludedIPs configures Traefik to scan the
                              X-Forwarded-For header and select the first IP not in
                              the list.
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
                          used to group incoming requests.
                        type: string
                      requestHost:
                        description: RequestHost defines whether to consider the request
                          Host as the source.
                        type: boolean
                    type: object
                type: object
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
                      (301).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
                      elements from the request URL.
                    type: string
                  replacement:
                    description: Replacement defines how to modify the URL to have
                      the new target URL.
                    type: string
                type: object
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
                  to another. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
                      (301).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
                    type: string
                  scheme:
                    description: Scheme defines the scheme of the new URL.
                    type: string
                type: object
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
                      request URL.
                    type: string
                type: object
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
                      and capture the path from the request URL.
                    type: string
                  replacement:
                    description: Replacement defines the replacement path format,
                      which can include captured variables.
                    type: string
                type: object
              retry:
                description: 'Retry holds the retry middleware configuration. This
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
                      be retried.
                    type: integer
                  initialInterval:
                    anyOf:
                    - type: integer
                    - type: string
                    description: InitialInterval defines the first wait time in the
                      exponential backoff series. The maximum interval is calculated
                      as twice the initialInterval. If unspecified, requests will
                      be retried immediately. The value of initialInterval should
                      be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                properties:
                  forceSlash:
                    description: 'ForceSlash ensures that the resulting stripped path
                      is not the empty string, by replacing it with / when necessary.
                      Default: true.'
                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
                    items:
                      type: string
                    type: array
                type: object
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
                  the URL path. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
                      path prefix from the request URL.
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewaretcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: MiddlewareTCP
    listKind: MiddlewareTCPList
    plural: middlewaretcps
    singular: middlewaretcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
          More info: https://doc.traefik.io/traefik/v2.9/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
            properties:
              inFlightConn:
                description: InFlightConn defines the InFlightConn middleware configuration.
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
                      connections. The middleware closes the connection if there are
                      already amount connections opened.
                    format: int64
                    type: integer
                type: object
              ipWhiteList:
                description: IPWhiteList defines the IPWhiteList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
                      allowed IPs by using CIDR notation).
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.6.2
      creationTimestamp: null
      name: serverstransports.traefik.containo.us
    spec:
      group: traefik.containo.us
      names:
        kind: ServersTransport
        listKind: ServersTransportList
        plural: serverstransports
        singular: serverstransport
      scope: Namespaced
      versions:
      - name: v1alpha1
        schema:
          openAPIV3Schema:
            description: 'ServersTransport is the CRD implementation of a ServersTransport.
              If no serversTransport is specified, the default@internal will be used.
              The default@internal serversTransport is created from the static configuration.
              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_1'
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents. Servers may infer this from the endpoint the client
                  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              metadata:
                type: object
              spec:
                description: ServersTransportSpec defines the desired state of a ServersTransport.
                properties:
                  certificatesSecrets:
                    description: CertificatesSecrets defines a list of secret storing
                      client certificates for mTLS.
                    items:
                      type: string
                    type: array
                  disableHTTP2:
                    description: DisableHTTP2 disables HTTP/2 for connections with backend
                      servers.
                    type: boolean
                  forwardingTimeouts:
                    description: ForwardingTimeouts defines the timeouts for requests
                      forwarded to the backend servers.
                    properties:
                      dialTimeout:
                        anyOf:
                        - type: integer
                        - type: string
                        description: DialTimeout is the amount of time to wait until a
                          connection to a backend server can be established.
                        x-kubernetes-int-or-string: true
                      idleConnTimeout:
                        anyOf:
                        - type: integer
                        - type: string
                        description: IdleConnTimeout is the maximum period for which an
                          idle HTTP keep-alive connection will remain open before closing
                          itself.
                        x-kubernetes-int-or-string: true
                      pingTimeout:
                        anyOf:
                        - type: integer
                        - type: string
                        description: PingTimeout is the timeout after which the HTTP/2
                          connection will be closed if a response to ping is not received.
                        x-kubernetes-int-or-string: true
                      readIdleTimeout:
                        anyOf:
                        - type: integer
                        - type: string
                        description: ReadIdleTimeout is the timeout after which a health
                          check using ping frame will be carried out if no frame is received
                          on the HTTP/2 connection.
                        x-kubernetes-int-or-string: true
                      responseHeaderTimeout:
                        anyOf:
                        - type: integer
                        - type: string
                        description: ResponseHeaderTimeout is the amount of time to wait
                          for a server's response headers after fully writing the request
                          (including its body, if any).
                        x-kubernetes-int-or-string: true
                    type: object
                  insecureSkipVerify:
                    description: InsecureSkipVerify disables SSL certificate verification.
                    type: boolean
                  maxIdleConnsPerHost:
                    description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
                      to keep per-host.
                    type: integer
                  peerCertURI:
                    description: PeerCertURI defines the peer cert URI used to match against
                      SAN URI during the peer certificate verification.
                    type: string
                  rootCAsSecrets:
                    description: RootCAsSecrets defines a list of CA secret used to validate
                      self-signed certificate.
                    items:
                      type: string
                    type: array
                  serverName:
                    description: ServerName defines the server name used to contact the
                      server.
                    type: string
                type: object
            required:
            - metadata
            - spec
            type: object
        served: true
        storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.6.2
      creationTimestamp: null
      name: tlsoptions.traefik.containo.us
    spec:
      group: traefik.containo.us
      names:
        kind: TLSOption
        listKind: TLSOptionList
        plural: tlsoptions
        singular: tlsoption
      scope: Namespaced
      versions:
      - name: v1alpha1
        schema:
          openAPIV3Schema:
            description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
              allowing to configure some parameters of the TLS connection. More info:
              https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents. Servers may infer this from the endpoint the client
                  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              metadata:
                type: object
              spec:
                description: TLSOptionSpec defines the desired state of a TLSOption.
                properties:
                  alpnProtocols:
                    description: 'ALPNProtocols defines the list of supported application
                      level protocols for the TLS handshake, in order of preference. More
                      info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols'
                    items:
                      type: string
                    type: array
                  cipherSuites:
                    description: 'CipherSuites defines the list of supported cipher suites
                      for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#cipher-suites'
                    items:
                      type: string
                    type: array
                  clientAuth:
                    description: ClientAuth defines the server's policy for TLS Client
                      Authentication.
                    properties:
                      clientAuthType:
                        description: ClientAuthType defines the client authentication
                          type to apply.
                        enum:
                        - NoClientCert
                        - RequestClientCert
                        - RequireAnyClientCert
                        - VerifyClientCertIfGiven
                        - RequireAndVerifyClientCert
                        type: string
                      secretNames:
                        description: SecretNames defines the names of the referenced Kubernetes
                          Secret storing certificate details.
                        items:
                          type: string
                        type: array
                    type: object
                  curvePreferences:
                    description: 'CurvePreferences defines the preferred elliptic curves
                      in a specific order. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#curve-preferences'
                    items:
                      type: string
                    type: array
                  maxVersion:
                    description: 'MaxVersion defines the maximum TLS version that Traefik
                      will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                      VersionTLS13. Default: None.'
                    type: string
                  minVersion:
                    description: 'MinVersion defines the minimum TLS version that Traefik
                      will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                      VersionTLS13. Default: VersionTLS10.'
                    type: string
                  preferServerCipherSuites:
                    description: 'PreferServerCipherSuites defines whether the server
                      chooses a cipher suite among his own instead of among the client''s.
                      It is enabled automatically when minVersion or maxVersion is set.
                      Deprecated: https://github.com/golang/go/issues/45430'
                    type: boolean
                  sniStrict:
                    description: SniStrict defines whether Traefik allows connections
                      from clients connections that do not specify a server_name extension.
                    type: boolean
                type: object
            required:
            - metadata
            - spec
            type: object
        served: true
        storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.6.2
      creationTimestamp: null
      name: tlsstores.traefik.containo.us
    spec:
      group: traefik.containo.us
      names:
        kind: TLSStore
        listKind: TLSStoreList
        plural: tlsstores
        singular: tlsstore
      scope: Namespaced
      versions:
      - name: v1alpha1
        schema:
          openAPIV3Schema:
            description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
              the time being, only the TLSStore named default is supported. This means
              that you cannot have two stores that are named default in different Kubernetes
              namespaces. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#certificates-stores'
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents. Servers may infer this from the endpoint the client
                  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              metadata:
                type: object
              spec:
                description: TLSStoreSpec defines the desired state of a TLSStore.
                properties:
                  certificates:
                    description: Certificates is a list of secret names, each secret holding
                      a key/certificate pair to add to the store.
                    items:
                      description: Certificate holds a secret name for the TLSStore resource.
                      properties:
                        secretName:
                          description: SecretName is the name of the referenced Kubernetes
                            Secret to specify the certificate details.
                          type: string
                      required:
                      - secretName
                      type: object
                    type: array
                  defaultCertificate:
                    description: DefaultCertificate defines the default certificate configuration.
                    properties:
                      secretName:
                        description: SecretName is the name of the referenced Kubernetes
                          Secret to specify the certificate details.
                        type: string
                    required:
                    - secretName
                    type: object
                  defaultGeneratedCert:
                    description: DefaultGeneratedCert defines the default generated certificate
                      configuration.
                    properties:
                      domain:
                        description: Domain is the domain definition for the DefaultCertificate.
                        properties:
                          main:
                            description: Main defines the main domain name.
                            type: string
                          sans:
                            description: SANs defines the subject alternative domain names.
                            items:
                              type: string
                            type: array
                        type: object
                      resolver:
                        description: Resolver is the name of the resolver that will be
                          used to issue the DefaultCertificate.
                        type: string
                    type: object
                type: object
            required:
            - metadata
            - spec
            type: object
        served: true
        storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.6.2
      creationTimestamp: null
      name: traefikservices.traefik.containo.us
    spec:
      group: traefik.containo.us
      names:
        kind: TraefikService
        listKind: TraefikServiceList
        plural: traefikservices
        singular: traefikservice
      scope: Namespaced
      versions:
      - name: v1alpha1
        schema:
          openAPIV3Schema:
            description: 'TraefikService is the CRD implementation of a Traefik Service.
              TraefikService object allows to: - Apply weight to Services on load-balancing
              - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-traefikservice'
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents. Servers may infer this from the endpoint the client
                  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              metadata:
                type: object
              spec:
                description: TraefikServiceSpec defines the desired state of a TraefikService.
                properties:
                  mirroring:
                    description: Mirroring defines the Mirroring service configuration.
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      maxBodySize:
                        description: MaxBodySize defines the maximum size allowed for
                          the body of the request. If the body is larger, the request
                          is not mirrored. Default value is -1, which means unlimited
                          size.
                        format: int64
                        type: integer
                      mirrors:
                        description: Mirrors defines the list of mirrors where Traefik
                          will duplicate the traffic.
                        items:
                          description: MirrorService holds the mirror configuration.
                          properties:
                            kind:
                              description: Kind defines the kind of the Service.
                              enum:
                              - Service
                              - TraefikService
                              type: string
                            name:
                              description: Name defines the name of the referenced Kubernetes
                                Service or TraefikService. The differentiation between
                                the two is specified in the Kind field.
                              type: string
                            namespace:
                              description: Namespace defines the namespace of the referenced
                                Kubernetes Service or TraefikService.
                              type: string
                            passHostHeader:
                              description: PassHostHeader defines whether the client Host
                                header is forwarded to the upstream Kubernetes Service.
                                By default, passHostHeader is true.
                              type: boolean
                            percent:
                              description: 'Percent defines the part of the traffic to
                                mirror. Supported values: 0 to 100.'
                              type: integer
                            port:
                              anyOf:
                              - type: integer
                              - type: string
                              description: Port defines the port of a Kubernetes Service.
                                This can be a reference to a named port.
                              x-kubernetes-int-or-string: true
                            responseForwarding:
                              description: ResponseForwarding defines how Traefik forwards
                                the response from the upstream Kubernetes Service to the
                                client.
                              properties:
                                flushInterval:
                                  description: 'FlushInterval defines the interval, in
                                    milliseconds, in between flushes to the client while
                                    copying the response body. A negative value means
                                    to flush immediately after each write to the client.
                                    This configuration is ignored when ReverseProxy recognizes
                                    a response as a streaming response; for such responses,
                                    writes are flushed to the client immediately. Default:
                                    100ms'
                                  type: string
                              type: object
                            scheme:
                              description: Scheme defines the scheme to use for the request
                                to the upstream Kubernetes Service. It defaults to https
                                when Kubernetes Service port is 443, http otherwise.
                              type: string
                            serversTransport:
                              description: ServersTransport defines the name of ServersTransport
                                resource to use. It allows to configure the transport
                                between Traefik and your servers. Can only be used on
                                a Kubernetes Service.
                              type: string
                            sticky:
                              description: 'Sticky defines the sticky sessions configuration.
                                More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                              properties:
                                cookie:
                                  description: Cookie defines the sticky cookie configuration.
                                  properties:
                                    httpOnly:
                                      description: HTTPOnly defines whether the cookie
                                        can be accessed by client-side APIs, such as JavaScript.
                                      type: boolean
                                    name:
                                      description: Name defines the Cookie name.
                                      type: string
                                    sameSite:
                                      description: 'SameSite defines the same site policy.
                                        More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                      type: string
                                    secure:
                                      description: Secure defines whether the cookie can
                                        only be transmitted over an encrypted connection
                                        (i.e. HTTPS).
                                      type: boolean
                                  type: object
                              type: object
                            strategy:
                              description: Strategy defines the load balancing strategy
                                between the servers. RoundRobin is the only supported
                                value at the moment.
                              type: string
                            weight:
                              description: Weight defines the weight and should only be
                                specified when Name references a TraefikService object
                                (and to be precise, one that embeds a Weighted Round Robin).
                              type: integer
                          required:
                          - name
                          type: object
                        type: array
                      name:
                        description: Name defines the name of the referenced Kubernetes
                          Service or TraefikService. The differentiation between the two
                          is specified in the Kind field.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Kubernetes Service or TraefikService.
                        type: string
                      passHostHeader:
                        description: PassHostHeader defines whether the client Host header
                          is forwarded to the upstream Kubernetes Service. By default,
                          passHostHeader is true.
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        description: Port defines the port of a Kubernetes Service. This
                          can be a reference to a named port.
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding defines how Traefik forwards the
                          response from the upstream Kubernetes Service to the client.
                        properties:
                          flushInterval:
                            description: 'FlushInterval defines the interval, in milliseconds,
                              in between flushes to the client while copying the response
                              body. A negative value means to flush immediately after
                              each write to the client. This configuration is ignored
                              when ReverseProxy recognizes a response as a streaming response;
                              for such responses, writes are flushed to the client immediately.
                              Default: 100ms'
                            type: string
                        type: object
                      scheme:
                        description: Scheme defines the scheme to use for the request
                          to the upstream Kubernetes Service. It defaults to https when
                          Kubernetes Service port is 443, http otherwise.
                        type: string
                      serversTransport:
                        description: ServersTransport defines the name of ServersTransport
                          resource to use. It allows to configure the transport between
                          Traefik and your servers. Can only be used on a Kubernetes Service.
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
                            properties:
                              httpOnly:
                                description: HTTPOnly defines whether the cookie can be
                                  accessed by client-side APIs, such as JavaScript.
                                type: boolean
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              sameSite:
                                description: 'SameSite defines the same site policy. More
                                  info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                type: string
                              secure:
                                description: Secure defines whether the cookie can only
                                  be transmitted over an encrypted connection (i.e. HTTPS).
                                type: boolean
                            type: object
                        type: object
                      strategy:
                        description: Strategy defines the load balancing strategy between
                          the servers. RoundRobin is the only supported value at the moment.
                        type: string
                      weight:
                        description: Weight defines the weight and should only be specified
                          when Name references a TraefikService object (and to be precise,
                          one that embeds a Weighted Round Robin).
                        type: integer
                    required:
                    - name
                    type: object
                  weighted:
                    description: Weighted defines the Weighted Round Robin configuration.
                    properties:
                      services:
                        description: Services defines the list of Kubernetes Service and/or
                          TraefikService to load-balance, with weight.
                        items:
                          description: Service defines an upstream HTTP service to proxy
                            traffic to.
                          properties:
                            kind:
                              description: Kind defines the kind of the Service.
                              enum:
                              - Service
                              - TraefikService
                              type: string
                            name:
                              description: Name defines the name of the referenced Kubernetes
                                Service or TraefikService. The differentiation between
                                the two is specified in the Kind field.
                              type: string
                            namespace:
                              description: Namespace defines the namespace of the referenced
                                Kubernetes Service or TraefikService.
                              type: string
                            passHostHeader:
                              description: PassHostHeader defines whether the client Host
                                header is forwarded to the upstream Kubernetes Service.
                                By default, passHostHeader is true.
                              type: boolean
                            port:
                              anyOf:
                              - type: integer
                              - type: string
                              description: Port defines the port of a Kubernetes Service.
                                This can be a reference to a named port.
                              x-kubernetes-int-or-string: true
                            responseForwarding:
                              description: ResponseForwarding defines how Traefik forwards
                                the response from the upstream Kubernetes Service to the
                                client.
                              properties:
                                flushInterval:
                                  description: 'FlushInterval defines the interval, in
                                    milliseconds, in between flushes to the client while
                                    copying the response body. A negative value means
                                    to flush immediately after each write to the client.
                                    This configuration is ignored when ReverseProxy recognizes
                                    a response as a streaming response; for such responses,
                                    writes are flushed to the client immediately. Default:
                                    100ms'
                                  type: string
                              type: object
                            scheme:
                              description: Scheme defines the scheme to use for the request
                                to the upstream Kubernetes Service. It defaults to https
                                when Kubernetes Service port is 443, http otherwise.
                              type: string
                            serversTransport:
                              description: ServersTransport defines the name of ServersTransport
                                resource to use. It allows to configure the transport
                                between Traefik and your servers. Can only be used on
                                a Kubernetes Service.
                              type: string
                            sticky:
                              description: 'Sticky defines the sticky sessions configuration.
                                More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                              properties:
                                cookie:
                                  description: Cookie defines the sticky cookie configuration.
                                  properties:
                                    httpOnly:
                                      description: HTTPOnly defines whether the cookie
                                        can be accessed by client-side APIs, such as JavaScript.
                                      type: boolean
                                    name:
                                      description: Name defines the Cookie name.
                                      type: string
                                    sameSite:
                                      description: 'SameSite defines the same site policy.
                                        More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                      type: string
                                    secure:
                                      description: Secure defines whether the cookie can
                                        only be transmitted over an encrypted connection
                                        (i.e. HTTPS).
                                      type: boolean
                                  type: object
                              type: object
                            strategy:
                              description: Strategy defines the load balancing strategy
                                between the servers. RoundRobin is the only supported
                                value at the moment.
                              type: string
                            weight:
                              description: Weight defines the weight and should only be
                                specified when Name references a TraefikService object
                                (and to be precise, one that embeds a Weighted Round Robin).
                              type: integer
                          required:
                          - name
                          type: object
                        type: array
                      sticky:
                        description: 'Sticky defines whether sticky sessions are enabled.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
                            properties:
                              httpOnly:
                                description: HTTPOnly defines whether the cookie can be
                                  accessed by client-side APIs, such as JavaScript.
                                type: boolean
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              sameSite:
                                description: 'SameSite defines the same site policy. More
                                  info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                type: string
                              secure:
                                description: Secure defines whether the cookie can only
                                  be transmitted over an encrypted connection (i.e. HTTPS).
                                type: boolean
                            type: object
                        type: object
                    type: object
                type: object
            required:
            - metadata
            - spec
            type: object
        served: true
        storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []

RBAC

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: traefik-ingress-controller
    rules:
      # Cluster-wide read access: this ServiceAccount can read Secrets in every namespace.
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses
          - ingressclasses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses/status
        verbs:
          - update
      # Read-only access to the Traefik custom resources declared above.
      - apiGroups:
          - traefik.containo.us
        resources:
          - middlewares
          - middlewaretcps
          - ingressroutes
          - traefikservices
          - ingressroutetcps
          - ingressrouteudps
          - tlsoptions
          - tlsstores
          - serverstransports
        verbs:
          - get
          - list
          - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        namespace: default

Traefik

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: traefik
      template:
        metadata:
          labels:
            app: traefik
        spec:
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
              image: traefik:v2.9
              args:
                - --log.level=DEBUG
                - --api
                # Demo setting: serves the API and dashboard on port 8080 without authentication.
                - --api.insecure
                - --entrypoints.web.address=:80
                - --entrypoints.tcpep.address=:8000
                - --entrypoints.udpep.address=:9000/udp
                - --providers.kubernetescrd
              ports:
                - name: web
                  containerPort: 80
                - name: admin
                  containerPort: 8080
                - name: tcpep
                  containerPort: 8000
                - name: udpep
                  containerPort: 9000
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik
    spec:
      type: LoadBalancer
      selector:
        app: traefik
      ports:
        - protocol: TCP
          port: 80
          name: web
          targetPort: 80
        # Publishes the unauthenticated API/dashboard port (--api.insecure) through the load balancer.
        - protocol: TCP
          port: 8080
          name: admin
          targetPort: 8080
        - protocol: TCP
          port: 8000
          name: tcpep
          targetPort: 8000
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefikudp
    spec:
      type: LoadBalancer
      selector:
        app: traefik
      ports:
        - protocol: UDP
          port: 9000
          name: udpep
          targetPort: 9000
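
The deployment above runs with --api.insecure and publishes port 8080 through a LoadBalancer Service. The manifests below are an added example, not part of the original page: they route the dashboard through the api@internal service behind a basicAuth Middleware and drop the admin port from the Service. The names dashboard-auth, dashboard-users, traefik-dashboard-tls, the host traefik.example.com and the websecure entry point are assumptions.

```yaml
# Added example. Assumed static configuration (Deployment args), replacing the demo flags:
#   - --log.level=INFO
#   - --api                                   # without --api.insecure, the API is only reachable as api@internal
#   - --entrypoints.websecure.address=:443    # assumption: a TLS entry point named websecure
#   - --providers.kubernetescrd
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth               # constructed name
  namespace: default
spec:
  basicAuth:
    secret: dashboard-users          # constructed name; a Secret holding the htpasswd-style user list
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard            # constructed name
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      middlewares:
        - name: dashboard-auth       # requests are authenticated before they reach the API
      services:
        - name: api@internal         # Traefik's internal API/dashboard service
          kind: TraefikService
  tls:
    secretName: traefik-dashboard-tls  # constructed name; certificate for traefik.example.com
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    # No "admin" port: 8080 is no longer published outside the cluster.
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000
```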

IngressRoute

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: myingressroute
      namespace: default
    spec:
      entryPoints:
        - web
      routes:
        - match: Host(`foo`) && PathPrefix(`/bar`)
          kind: Rule
          services:
            - name: whoami
              port: 80
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: ingressroute.tcp
      namespace: default
    spec:
      entryPoints:
        - tcpep
      routes:
        - match: HostSNI(`bar`)
          services:
            - name: whoamitcp
              port: 8080
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteUDP
    metadata:
      name: ingressroute.udp
      namespace: default
    spec:
      entryPoints:
        - udpep
      routes:
        - services:
            - name: whoamiudp
              port: 8080

Whoami

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: whoami
      namespace: default
      labels:
        app: traefiklabs
        name: whoami
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: traefiklabs
          task: whoami
      template:
        metadata:
          labels:
            app: traefiklabs
            task: whoami
        spec:
          containers:
            - name: whoami
              image: traefik/whoami
              ports:
                - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
      namespace: default
    spec:
      ports:
        - name: http
          port: 80
      selector:
        app: traefiklabs
        task: whoami
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: whoamitcp
      namespace: default
      labels:
        app: traefiklabs
        name: whoamitcp
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: traefiklabs
          task: whoamitcp
      template:
        metadata:
          labels:
            app: traefiklabs
            task: whoamitcp
        spec:
          containers:
            - name: whoamitcp
              image: traefik/whoamitcp
              ports:
                - containerPort: 8080
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoamitcp
      namespace: default
    spec:
      ports:
        - protocol: TCP
          port: 8080
      selector:
        app: traefiklabs
        task: whoamitcp
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: whoamiudp
      namespace: default
      labels:
        app: traefiklabs
        name: whoamiudp
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: traefiklabs
          task: whoamiudp
      template:
        metadata:
          labels:
            app: traefiklabs
            task: whoamiudp
        spec:
          containers:
            - name: whoamiudp
              image: traefik/whoamiudp:latest
              ports:
                - containerPort: 8080
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoamiudp
      namespace: default
    spec:
      ports:
        - port: 8080
      selector:
        app: traefiklabs
        task: whoamiudp

Routing Configuration

Custom Resource Definition (CRD)

  • You can find an exhaustive list, generated from Traefik’s source code, of the custom resources and their attributes in the reference page.
  • Validate that the prerequisites are fulfilled before using the Traefik custom resources.
  • Traefik CRDs are building blocks that you can assemble according to your needs.

You can find an excerpt of the available custom resources in the table below:

| Kind | Purpose | Concept Behind |
|---|---|---|
| IngressRoute | HTTP Routing | HTTP router |
| Middleware | Tweaks the HTTP requests before they are sent to your service | HTTP Middlewares |
| TraefikService | Abstraction for HTTP loadbalancing/mirroring | HTTP service |
| IngressRouteTCP | TCP Routing | TCP router |
| MiddlewareTCP | Tweaks the TCP requests before they are sent to your service | TCP Middlewares |
| IngressRouteUDP | UDP Routing | UDP router |
| TLSOptions | Allows to configure some parameters of the TLS connection | TLSOptions |
| TLSStores | Allows to configure the default TLS store | TLSStores |
| ServersTransport | Allows to configure the transport between Traefik and the backends | ServersTransport |

Kind: IngressRoute

IngressRoute is the CRD implementation of a Traefik HTTP router.

Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.

IngressRoute Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: foo
  namespace: bar
spec:
  entryPoints:                      # [1]
    - foo
  routes:                           # [2]
  - kind: Rule
    match: Host(`test.example.com`) # [3]
    priority: 10                    # [4]
    middlewares:                    # [5]
    - name: middleware1             # [6]
      namespace: default            # [7]
    services:                       # [8]
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80                      # [9]
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      serversTransport: transport   # [10]
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
          sameSite: none
      strategy: RoundRobin
      weight: 10
  tls:                              # [11]
    secretName: supersecret         # [12]
    options:                        # [13]
      name: opt                     # [14]
      namespace: default            # [15]
    certResolver: foo               # [16]
    domains:                        # [17]
    - main: example.net             # [18]
      sans:                         # [19]
      - a.example.net
      - b.example.net

| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entry points names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router. |
| [4] | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching |
| [5] | routes[n].middlewares | List of reference to Middleware |
| [6] | middlewares[n].name | Defines the Middleware name |
| [7] | middlewares[n].namespace | Defines the Middleware namespace |
| [8] | routes[n].services | List of any combination of TraefikService and reference to a Kubernetes service (See below for ExternalName Service setup) |
| [9] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [10] | services[n].serversTransport | Defines the reference to a ServersTransport. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference). |
| [11] | tls | Defines TLS certificate configuration |
| [12] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [13] | tls.options | Defines the reference to a TLSOption |
| [14] | options.name | Defines the TLSOption name |
| [15] | options.namespace | Defines the TLSOption namespace |
| [16] | tls.certResolver | Defines the reference to a CertResolver |
| [17] | tls.domains | List of domains |
| [18] | domains[n].main | Defines the main domain name |
| [19] | domains[n].sans | List of SANs (alternative domains) |

Declaring an IngressRoute

IngressRoute

# All resources definition must be declared
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test-name
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - kind: Rule
    match: Host(`test.example.com`)
    middlewares:
    - name: middleware1
      namespace: default
    priority: 10
    services:
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
      strategy: RoundRobin
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret

Middlewares

# All resources definition must be declared
# Prefixing with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: middleware1
  namespace: default
spec:
  addPrefix:
    prefix: /foo

TLSOption

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default
spec:
  minVersion: VersionTLS12

Secret

apiVersion: v1
kind: Secret
metadata:
  name: supersecret
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Configuring Backend Protocol

There are 3 ways to configure the backend protocol for communication between Traefik and your pods:

  • Setting the scheme explicitly (http/https/h2c)
  • Configuring the name of the Kubernetes service port to start with https (https)
  • Setting the Kubernetes service port to use port 443 (https)

If you do not configure the above, Traefik will assume an http connection.
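
A check built on the three rules above, as an added example that is not Traefik's code: it models the scheme selection as this page lists it and reports IngressRoute services whose Traefik-to-pod hop would be cleartext. The function names, the precedence given to an explicit scheme, and the sample objects marked as constructed are assumptions; the input shape is what `kubectl get ... -o json` returns.

```python
"""Flag IngressRoute backends that Traefik would reach without TLS.

Models the three rules listed on this page; it is not Traefik's own code.
"""

CLEARTEXT = {"http", "h2c"}  # h2c is HTTP/2 over cleartext TCP


def find_port(k8s_service, port_ref):
    """Match a port number or a named port against the Service's port list."""
    if port_ref is None:
        return None
    for entry in k8s_service.get("spec", {}).get("ports", []):
        if port_ref in (entry.get("port"), entry.get("name")):
            return entry
    return None


def backend_scheme(service_ref, k8s_service):
    """Return the scheme used towards the pods for one IngressRoute service."""
    if service_ref.get("scheme"):            # rule 1; assumed to take precedence
        return service_ref["scheme"]
    entry = find_port(k8s_service, service_ref.get("port"))
    if entry is not None:
        if str(entry.get("name", "")).startswith("https"):  # rule 2
            return "https"
        if entry.get("port") == 443:                        # rule 3
            return "https"
    return "http"                            # nothing configured: http


def cleartext_backends(ingress_routes, k8s_services):
    """Return (route, service, scheme) for every backend reached without TLS."""
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
              for s in k8s_services}
    findings = []
    for route in ingress_routes:
        meta = route["metadata"]
        for rule in route["spec"].get("routes", []):
            for ref in rule.get("services", []):
                if ref.get("kind", "Service") != "Service":
                    continue  # TraefikService references are not resolved here
                ns = ref.get("namespace", meta["namespace"])
                svc = by_key.get((ns, ref["name"]))
                if svc is None:
                    continue  # Service absent from the export
                scheme = backend_scheme(ref, svc)
                if scheme in CLEARTEXT:
                    findings.append((f'{meta["namespace"]}/{meta["name"]}',
                                     f'{ns}/{ref["name"]}', scheme))
    return findings


def svc(name, ports):
    """Build a minimal Service object in the default namespace."""
    return {"kind": "Service",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"ports": ports}}


# whoami is the Service from this page; the other three are constructed.
SERVICES = [
    svc("whoami", [{"name": "http", "port": 80}]),
    svc("api-tls", [{"name": "https-api", "port": 8443}]),
    svc("legacy", [{"port": 443}]),
    svc("grpc", [{"name": "grpc", "port": 9000}]),
]

ROUTES = [
    # Route from this page (namespace filled in as kubectl would report it).
    {"metadata": {"name": "ingressroutebar", "namespace": "default"},
     "spec": {"routes": [{"services": [{"name": "whoami", "port": 80}]}]}},
    # Constructed route exercising each rule.
    {"metadata": {"name": "secure", "namespace": "default"},
     "spec": {"routes": [{"services": [
         {"name": "api-tls", "port": "https-api"},          # named port, rule 2
         {"name": "legacy", "port": 443},                   # rule 3
         {"name": "grpc", "port": 9000, "scheme": "h2c"},   # rule 1, cleartext
     ]}]}},
]

if __name__ == "__main__":
    for route, backend, scheme in cleartext_backends(ROUTES, SERVICES):
        print(f"{route}: {backend} is reached over {scheme}")
```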

Using Kubernetes ExternalName Service

Traefik needs a port to create a backend, but a Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on the IngressRoute service
  • on both sides; you’ll be warned if the ports don’t match, and the IngressRoute service port is used

Thus, when the port is defined on both sides, Traefik expects the ports to match.

Examples

IngressRoute

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default
spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName

ExternalName Service

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default
spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Both sides

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Load Balancing

More information in the dedicated server load balancing section.

Declaring and using Kubernetes Service Load Balancing

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: svc1
      namespace: default
    - name: svc2
      namespace: default

K8s Service

apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2

Kind: Middleware

Middleware is the CRD implementation of a Traefik middleware.

Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.

Declaring and Referencing a Middleware

Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: foo

spec:
  stripPrefix:
    prefixes:
      - /stripit

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: stripprefix
      namespace: foo

Cross-provider namespace

As Kubernetes also has its own notion of namespace, one should not confuse the Kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name, as Traefik appends the namespace internally automatically.

More information about available middlewares in the dedicated middlewares section.

Kind: TraefikService

TraefikService is the CRD implementation of a “Traefik Service”.

Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in other TraefikService objects.

Disambiguate Traefik and Kubernetes Services

As the field name can reference different types of objects, use the field kind to avoid any ambiguity.

The field kind allows the following values:

TraefikService object allows to use any (valid) combinations of:

Weighted Round Robin

More information in the dedicated Weighted Round Robin service load balancing section.

Declaring and Using Weighted Round Robin

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService

Weighted Round Robin

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: svc1
        port: 80
        weight: 1
      - name: wrr2
        kind: TraefikService
        weight: 1
      - name: mirror1
        kind: TraefikService
        weight: 1

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: default

spec:
  weighted:
    services:
      - name: svc2
        port: 80
        weight: 1
      - name: svc3
        port: 80
        weight: 1

K8s Service

apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2
---
apiVersion: v1
kind: Service
metadata:
  name: svc3
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app3

Mirroring

More information in the dedicated mirroring service section.

Declaring and Using Mirroring

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: mirror1
      namespace: default
      kind: TraefikService

Mirroring k8s Service

# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: svc1
    port: 80
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20

Mirroring Traefik Service

# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: wrr1
    kind: TraefikService
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20

K8s Service

apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.

Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (<resource-name>@<provider-name>) should be used to refer to the TraefikService, just as in the middleware case.

Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).

Stickiness and load-balancing

As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.

For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.

Stickiness on two load-balancing levels

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService

Weighted Round Robin

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: whoami1
        kind: Service
        port: 80
        weight: 1
        sticky:
          cookie:
            name: lvl2
      - name: whoami2
        kind: Service
        weight: 1
        port: 80
        sticky:
          cookie:
            name: lvl2
    sticky:
      cookie:
        name: lvl1

K8s Service

apiVersion: v1
kind: Service
metadata:
  name: whoami1

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami1

---
apiVersion: v1
kind: Service
metadata:
  name: whoami2

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami2

Deployment (to illustrate replicas)

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami1
  labels:
    app: whoami1

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami1
  template:
    metadata:
      labels:
        app: whoami1
    spec:
      containers:
        - name: whoami1
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami2
  labels:
    app: whoami2

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami2
  template:
    metadata:
      labels:
        app: whoami2
    spec:
      containers:
        - name: whoami2
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80

To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:

curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.

Kind: IngressRouteTCP

IngressRouteTCP is the CRD implementation of a Traefik TCP router.

Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.

IngressRouteTCP Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:                  # [1]
    - footcp
  routes:                       # [2]
  - match: HostSNI(`*`)         # [3]
    priority: 10                # [4]
    middlewares:
    - name: middleware1         # [5]
      namespace: default        # [6]
    services:                   # [7]
    - name: foo                 # [8]
      port: 8080                # [9]
      weight: 10                # [10]
      terminationDelay: 400     # [11]
      proxyProtocol:            # [12]
        version: 1              # [13]
  tls:                          # [14]
    secretName: supersecret     # [15]
    options:                    # [16]
      name: opt                 # [17]
      namespace: default        # [18]
    certResolver: foo           # [19]
    domains:                    # [20]
    - main: example.net         # [21]
      sans:                     # [22]
      - a.example.net
      - b.example.net
    passthrough: false          # [23]

| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule of the underlying router |
| [4] | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching |
| [5] | middlewares[n].name | Defines the MiddlewareTCP name |
| [6] | middlewares[n].namespace | Defines the MiddlewareTCP namespace |
| [7] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [8] | services[n].name | Defines the name of a Kubernetes service |
| [9] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [10] | services[n].weight | Defines the weight to apply to the server load balancing |
| [11] | services[n].terminationDelay | Corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
| [12] | proxyProtocol | Defines the PROXY protocol configuration |
| [13] | version | Defines the PROXY protocol version |
| [14] | tls | Defines TLS certificate configuration |
| [15] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [16] | tls.options | Defines the reference to a TLSOption |
| [17] | options.name | Defines the TLSOption name |
| [18] | options.namespace | Defines the TLSOption namespace |
| [19] | tls.certResolver | Defines the reference to a CertResolver |
| [20] | tls.domains | List of domains |
| [21] | domains[n].main | Defines the main domain name |
| [22] | domains[n].sans | List of SANs (alternative domains) |
| [23] | tls.passthrough | If true, delegates the TLS termination to the backend |

Declaring an IngressRouteTCP

IngressRouteTCP

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:
    - footcp
  routes:
  # Match is the rule corresponding to an underlying router.
  - match: HostSNI(`*`)
    priority: 10
    services:
    - name: foo
      port: 8080
      terminationDelay: 400
      weight: 10
    - name: bar
      port: 8081
      terminationDelay: 500
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret
    passthrough: false

TLSOption

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default

spec:
  minVersion: VersionTLS12

Secret

apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Using Kubernetes ExternalName Service

Traefik needs a port to create a backend, but a Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on the IngressRouteTCP service
  • on both sides; you’ll be warned if the ports don’t match, and the IngressRouteTCP service port is used

Thus, when the port is defined on both sides, Traefik expects the ports to match.

Examples

Only on IngressRouteTCP

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName

On both sides

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Kind: MiddlewareTCP

MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.

Register the MiddlewareTCP kind in the Kubernetes cluster before creating MiddlewareTCP objects or referencing TCP middlewares in the IngressRouteTCP objects.

Declaring and Referencing a MiddlewareTCP

Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
  name: ipwhitelist
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/whitelist`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: ipwhitelist
      namespace: foo

Cross-provider namespace

As Kubernetes also has its own notion of namespace, one should not confuse the Kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the TCP middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a MiddlewareTCP from the CRD Provider, you have to append the namespace of the resource in the resource-name, as Traefik appends the namespace internally automatically.

More information about available TCP middlewares in the dedicated middlewares section.

Kind: IngressRouteUDP

IngressRouteUDP is the CRD implementation of a Traefik UDP router.

Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.

IngressRouteUDP Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:                  # [1]
    - fooudp
  routes:                       # [2]
  - services:                   # [3]
    - name: foo                 # [4]
      port: 8080                # [5]
      weight: 10                # [6]

| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [4] | services[n].name | Defines the name of a Kubernetes service |
| [5] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [6] | services[n].weight | Defines the weight to apply to the server load balancing |

Declaring an IngressRouteUDP

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:
    - fooudp
  routes:
  - services:
    - name: foo
      port: 8080
      weight: 10
    - name: bar
      port: 8081
      weight: 10

Using Kubernetes ExternalName Service

Traefik needs a port to create a backend, but a Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on the IngressRouteUDP service
  • on both sides; you’ll be warned if the ports don’t match, and the IngressRouteUDP service port is used

Thus, when the port is defined on both sides, Traefik expects the ports to match.

Examples

IngressRouteUDP

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName

ExternalName Service

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Both sides

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Kind: TLSOption

TLSOption is the CRD implementation of a Traefik “TLS Option”.

Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.

TLSOption Attributes

TLSOption

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption                             # [1]
  namespace: default

spec:
  minVersion: VersionTLS12                      # [2]
  maxVersion: VersionTLS13                      # [3]
  curvePreferences:                             # [4]
    - CurveP521
    - CurveP384
  cipherSuites:                                 # [5]
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:                                   # [6]
    secretNames:                                # [7]
      - secret-ca1
      - secret-ca2
    clientAuthType: VerifyClientCertIfGiven     # [8]
  sniStrict: true                               # [9]
  alpnProtocols:                                # [10]
    - foobar

| Ref | Attribute | Purpose |
|---|---|---|
| [1] | name | Defines the name of the TLSOption resource. One can use default as name to redefine the default TLSOption. |
| [2] | minVersion | Defines the minimum TLS version that is acceptable. |
| [3] | maxVersion | Defines the maximum TLS version that is acceptable. |
| [4] | curvePreferences | List of the elliptic curves references that will be used in an ECDHE handshake, in preference order. |
| [5] | cipherSuites | List of supported cipher suites for TLS versions up to TLS 1.2. |
| [6] | clientAuth | Determines the server’s policy for TLS Client Authentication. |
| [7] | clientAuth.secretNames | List of names of the referenced Kubernetes Secrets (in TLSOption namespace). The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [8] | clientAuth.clientAuthType | Defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert. |
| [9] | sniStrict | If true, Traefik won’t allow connections from clients that do not specify a server_name extension. |
| [10] | alpnProtocols | List of supported application level protocols for the TLS handshake, in order of preference. |

CA Secret

The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

Declaring and referencing a TLSOption

TLSOption

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS12
  sniStrict: true
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:
    secretNames:
      - secret-ca1
      - secret-ca2
    clientAuthType: VerifyClientCertIfGiven

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    options: 
      name: mytlsoption
      namespace: default

Secrets

apiVersion: v1
kind: Secret
metadata:
  name: secret-ca1
  namespace: default

data:
  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

---
apiVersion: v1
kind: Secret
metadata:
  name: secret-ca2
  namespace: default

data:
  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key. 
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
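
A review aid for the TLSOption attributes described above, as an added example that is not part of the Traefik project: it audits TLSOption objects, in the JSON shape `kubectl get tlsoptions -o json` returns, against a baseline. The baseline itself (TLS 1.2 floor, ECDHE AEAD suites only, mandatory verified client certificates wherever CA secrets are listed, strict SNI), the function names, and the `hardened` object are assumptions; `mytlsoption` and `opt` are copied from this page.

```python
"""Audit Traefik TLSOption objects against a hardening baseline."""

VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")  # TLS 1.3 names carry no key exchange
NON_AEAD_MARKERS = ("_CBC_", "_RC4_")


def audit_tls_option(obj, floor="VersionTLS12"):
    """Return a list of (field, detail) findings for one TLSOption object."""
    spec = obj.get("spec", {})
    findings = []

    min_version = spec.get("minVersion")
    if min_version is None:
        findings.append(("minVersion", "not set; the protocol floor is left to the default"))
    elif min_version not in VERSIONS:
        findings.append(("minVersion", f"unknown value {min_version!r}"))
    elif VERSIONS.index(min_version) < VERSIONS.index(floor):
        findings.append(("minVersion", f"{min_version} is below {floor}"))

    for suite in spec.get("cipherSuites", []):
        if suite.startswith(TLS13_PREFIXES):
            continue
        if not suite.startswith("TLS_ECDHE_"):
            findings.append(("cipherSuites",
                             f"{suite}: no ephemeral key exchange, so no forward secrecy"))
        if any(marker in suite for marker in NON_AEAD_MARKERS):
            findings.append(("cipherSuites", f"{suite}: not an AEAD suite"))

    client_auth = spec.get("clientAuth") or {}
    if client_auth.get("secretNames"):
        auth_type = client_auth.get("clientAuthType")
        if auth_type is None:
            findings.append(("clientAuth.clientAuthType",
                             "not set although CA secrets are listed"))
        elif auth_type != "RequireAndVerifyClientCert":
            findings.append(("clientAuth.clientAuthType",
                             f"{auth_type}: a client without a verified certificate is still accepted"))

    if spec.get("sniStrict") is not True:
        findings.append(("sniStrict",
                         "not true; clients sending no server_name extension are not rejected"))
    return findings


def audit_all(items):
    """Map 'namespace/name' to findings for every TLSOption in a list of objects."""
    report = {}
    for obj in items:
        if obj.get("kind") != "TLSOption":
            continue
        meta = obj["metadata"]
        report[f'{meta["namespace"]}/{meta["name"]}'] = audit_tls_option(obj)
    return report


def tls_option(name, spec):
    """Build a TLSOption object in the default namespace."""
    return {"kind": "TLSOption",
            "metadata": {"name": name, "namespace": "default"},
            "spec": spec}


SAMPLES = [
    # "mytlsoption" as declared on this page.
    tls_option("mytlsoption", {
        "minVersion": "VersionTLS12",
        "sniStrict": True,
        "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_RSA_WITH_AES_256_GCM_SHA384"],
        "clientAuth": {"secretNames": ["secret-ca1", "secret-ca2"],
                       "clientAuthType": "VerifyClientCertIfGiven"},
    }),
    # "opt" as declared on this page.
    tls_option("opt", {"minVersion": "VersionTLS12"}),
    # Constructed object that meets the assumed baseline.
    tls_option("hardened", {
        "minVersion": "VersionTLS12",
        "sniStrict": True,
        "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
        "clientAuth": {"secretNames": ["secret-ca1"],
                       "clientAuthType": "RequireAndVerifyClientCert"},
    }),
]

if __name__ == "__main__":
    for key, findings in audit_all(SAMPLES).items():
        for field, detail in findings:
            print(f"{key}: {field}: {detail}")
```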

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.

Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (<resource-name>@<provider-name>) should be used to refer to the TLS option. Specifying a namespace attribute in this case would not make any sense, and will be ignored.

Kind: TLSStore

TLSStore is the CRD implementation of a Traefik “TLS Store”.

Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects or referencing TLS stores in the IngressRoute / IngressRouteTCP objects.

Default TLS Store

Traefik currently only uses the TLS Store named “default”. This means that you cannot have two stores that are named default in different Kubernetes namespaces. For the time being, please only configure one TLSStore named default.

TLSStore Attributes

TLSStore

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  certificates:                            # [1]
    - secretName: foo                      
    - secretName: bar
  defaultCertificate:                      # [2]
    secretName: secret

| Ref | Attribute | Purpose |
|-----|-----------|---------|
| [1] | certificates | List of Kubernetes Secrets, each of them holding a key/certificate pair to add to the store. |
| [2] | defaultCertificate | Name of a Kubernetes Secret that holds the default key/certificate pair for the store. |

Declaring and referencing a TLSStore

TLSStore

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default

spec:
  defaultCertificate:
    secretName:  supersecret

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    store: 
      name: default

Secret

apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Kind: ServersTransport

ServersTransport is the CRD implementation of a ServersTransport.

Default serversTransport

If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.

ServersTransport Attributes

ServersTransport

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: foobar               # [1]
  insecureSkipVerify: true         # [2]
  rootCAsSecrets:                  # [3]
    - foobar
    - foobar
  certificatesSecrets:             # [4]
    - foobar
    - foobar
  maxIdleConnsPerHost: 1           # [5]
  forwardingTimeouts:              # [6]
    dialTimeout: 42s               # [7]
    responseHeaderTimeout: 42s     # [8]
    idleConnTimeout: 42s           # [9]
  peerCertURI: foobar              # [10]
  disableHTTP2: true               # [11]

| Ref | Attribute | Purpose |
|-----|-----------|---------|
| [1] | serverName | ServerName used to contact the server. |
| [2] | insecureSkipVerify | Controls whether the server’s certificate chain and host name are verified. |
| [3] | rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | certificatesSecrets | Certificates to present to the server for mTLS. |
| [5] | maxIdleConnsPerHost | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, defaultMaxIdleConnsPerHost is used. |
| [6] | forwardingTimeouts | Timeouts for requests forwarded to the servers. |
| [7] | dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | responseHeaderTimeout | The amount of time to wait for a server’s response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | idleConnTimeout | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | peerCertURI | URI used to match against SAN URIs during the server’s certificate verification. |
| [11] | disableHTTP2 | Disables HTTP/2 for connections with servers. |

CA Secret

The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

Declaring and referencing a ServersTransport

ServersTransport

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: example.org
  insecureSkipVerify: true

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: testroute
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: whoami
      port: 80
      serversTransport: mytransport
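
The mytransport example above sets insecureSkipVerify: true, so the backend's certificate chain and host name are not checked. The manifests below are an added example, not part of the Traefik documentation: the same route with verification left on and a CA supplied through rootCAsSecrets. The names backend-ca, mytransport-verified and testroute-verified are hypothetical, the CA value is a placeholder, and the example assumes the whoami service serves HTTPS on port 443.

```yaml
# Added example: constructed manifests, not from the Traefik documentation.
# backend-ca, mytransport-verified and testroute-verified are hypothetical names.
---
apiVersion: v1
kind: Secret
metadata:
  name: backend-ca
  namespace: default
data:
  # Placeholder: base64-encoded PEM certificate of the CA that issued the
  # backend's certificate, stored under a `tls.ca` or a `ca.crt` key.
  ca.crt: <base64-encoded-CA-certificate>
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport-verified
  namespace: default
spec:
  serverName: example.org        # server name used for the TLS connection to the backend
  insecureSkipVerify: false      # keep certificate chain and host name verification on
  rootCAsSecrets:
    - backend-ca                 # CA used to verify the backend's certificate
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: testroute-verified
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: whoami
      port: 443                  # assumption: the backend serves HTTPS on 443
      scheme: https              # TLS to the backend, so the transport's checks apply
      serversTransport: mytransport-verified
```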

ServersTransport reference

By default, the referenced ServersTransport CRD must be defined in the same Kubernetes service namespace.

To reference a ServersTransport CRD from another namespace, the value must be of form namespace-name@kubernetescrd, and the cross-namespace option must be enabled.

If the ServersTransport CRD is defined in another provider the cross-provider format name@provider should be used.

Further

Also see the full example with Let’s Encrypt.

