我的书签
添加书签
移除书签Kubernetes Configuration Reference
Dynamic configuration with Kubernetes Custom Resource
Definitions
apiextensions.k8s.io/v1 (Kubernetes v1.16+)
---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressroutes.traefik.iospec:group: traefik.ionames:kind: IngressRoutelistKind: IngressRouteListplural: ingressroutessingular: ingressroutescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRoute is the CRD implementation of a Traefik HTTP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteSpec defines the desired state of IngressRoute.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: Route holds the HTTP route configuration.properties:kind:description: |-Kind defines the kind of the route.Rule is the only supported kind.enum:- Ruletype: stringmatch:description: |-Match defines the router's rule.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#ruletype: stringmiddlewares:description: |-Middlewares defines the list of references to Middleware resources.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middlewareitems:description: MiddlewareRef is a reference to a Middlewareresource.properties:name:description: Name defines the name of the referenced Middlewareresource.type: stringnamespace:description: Namespace defines the namespace of the referencedMiddleware resource.type: stringrequired:- nametype: objecttype: arraypriority:description: |-Priority defines the router's priority.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#prioritytype: integerservices:description: |-Services defines the list of Service.It can contain any combination of TraefikService and/or reference to a Kubernetes Service.items:description: Service defines an upstream HTTP service to proxytraffic to.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to besent to the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path forthe health check endpoint.type: stringport:description: Port defines the server URL port forthe health check endpoint.type: integerscheme:description: Scheme replaces the server URL schemefor the health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service tothe client.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such asJavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookiecan only be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysyntax:description: |-Syntax defines the router's rule syntax.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntaxtype: stringrequired:- kind- matchtype: objecttype: arraytls:description: |-TLS defines the TLS configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tlsproperties:certResolver:description: |-CertResolver defines the name of the certificate resolver to use.Cert resolvers have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolverstype: stringdomains:description: |-Domains defines the list of domains that will be used to issue certificates.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domainsitems:description: Domain holds a domain name with SANs.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domainnames.items:type: stringtype: arraytype: objecttype: arrayoptions:description: |-Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.If not defined, the `default` TLSOption is used.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:name:description: |-Name defines the name of the referenced TLSOption.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoptiontype: stringnamespace:description: |-Namespace defines the namespace of the referenced TLSOption.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoptiontype: stringrequired:- nametype: objectsecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: |-Store defines the reference to the TLSStore, that will be used to store certificates.Please note that only `default` TLSStore can be used.properties:name:description: |-Name defines the name of the referenced TLSStore.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstoretype: stringnamespace:description: |-Namespace defines the namespace of the referenced TLSStore.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstoretype: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressroutetcps.traefik.iospec:group: traefik.ionames:kind: IngressRouteTCPlistKind: IngressRouteTCPListplural: ingressroutetcpssingular: ingressroutetcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: RouteTCP holds the TCP route configuration.properties:match:description: |-Match defines the router's rule.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1type: stringmiddlewares:description: Middlewares defines the list of references to MiddlewareTCPresources.items:description: ObjectReference is a generic reference to a Traefikresource.properties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objecttype: arraypriority:description: |-Priority defines the router's priority.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1type: integerservices:description: Services defines the list of TCP services.items:description: ServiceTCP defines an upstream TCP service toproxy traffic to.properties:name:description: Name defines the name of the referenced KubernetesService.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueproxyProtocol:description: |-ProxyProtocol defines the PROXY protocol configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocolproperties:version:description: Version defines the PROXY Protocol versionto use.type: integertype: objectserversTransport:description: |-ServersTransport defines the name of ServersTransportTCP resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringterminationDelay:description: |-TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicatesit has closed the writing capability of its connection, to close the reading capability as well,hence fully terminating the connection.It is a duration in milliseconds, defaulting to 100.A negative value means an infinite deadline (i.e. the reading capability is never closed).Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.type: integertls:description: TLS determines whether to use TLS when dialingwith the backend.type: booleanweight:description: Weight defines the weight used when balancingrequests between multiple Kubernetes Service.type: integerrequired:- name- porttype: objecttype: arraysyntax:description: |-Syntax defines the router's rule syntax.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1type: stringrequired:- matchtype: objecttype: arraytls:description: |-TLS defines the TLS configuration on a layer 4 / TCP Route.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1properties:certResolver:description: |-CertResolver defines the name of the certificate resolver to use.Cert resolvers have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolverstype: stringdomains:description: |-Domains defines the list of domains that will be used to issue certificates.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domainsitems:description: Domain holds a domain name with SANs.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domainnames.items:type: stringtype: arraytype: objecttype: arrayoptions:description: |-Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.If not defined, the `default` TLSOption is used.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objectpassthrough:description: Passthrough defines whether a TLS router will terminatethe TLS connection.type: booleansecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: |-Store defines the reference to the TLSStore, that will be used to store certificates.Please note that only `default` TLSStore can be used.properties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressrouteudps.traefik.iospec:group: traefik.ionames:kind: IngressRouteUDPlistKind: IngressRouteUDPListplural: ingressrouteudpssingular: ingressrouteudpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: RouteUDP holds the UDP route configuration.properties:services:description: Services defines the list of UDP services.items:description: ServiceUDP defines an upstream UDP service toproxy traffic to.properties:name:description: Name defines the name of the referenced KubernetesService.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueweight:description: Weight defines the weight used when balancingrequests between multiple Kubernetes Service.type: integerrequired:- name- porttype: objecttype: arraytype: objecttype: arrayrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: middlewares.traefik.iospec:group: traefik.ionames:kind: MiddlewarelistKind: MiddlewareListplural: middlewaressingular: middlewarescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-Middleware is the CRD implementation of a Traefik Middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: MiddlewareSpec defines the desired state of a Middleware.properties:addPrefix:description: |-AddPrefix holds the add prefix middleware configuration.This middleware updates the path of a request before forwarding it.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/properties:prefix:description: |-Prefix is the string to add before the current path in the requested URL.It should include a leading slash (/).type: stringtype: objectbasicAuth:description: |-BasicAuth holds the basic auth middleware configuration.This middleware restricts access to your services to known users.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/properties:headerField:description: |-HeaderField defines a header field to store the authenticated user.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfieldtype: stringrealm:description: |-Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.Default: traefik.type: stringremoveHeader:description: |-RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.Default: false.type: booleansecret:description: Secret is the name of the referenced Kubernetes Secretcontaining user credentials.type: stringtype: objectbuffering:description: |-Buffering holds the buffering middleware configuration.This middleware retries or limits the size of requests that can be forwarded to backends.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytesproperties:maxRequestBodyBytes:description: |-MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.Default: 0 (no maximum).format: int64type: integermaxResponseBodyBytes:description: |-MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.Default: 0 (no maximum).format: int64type: integermemRequestBodyBytes:description: |-MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.Default: 1048576 (1Mi).format: int64type: integermemResponseBodyBytes:description: |-MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.Default: 1048576 (1Mi).format: int64type: integerretryExpression:description: |-RetryExpression defines the retry conditions.It is a logical combination of functions with operators AND (&&) and OR (||).More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpressiontype: stringtype: objectchain:description: |-Chain holds the configuration of the chain middleware.This middleware enables to define reusable combinations of other pieces of middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/properties:middlewares:description: Middlewares is the list of MiddlewareRef which composesthe chain.items:description: MiddlewareRef is a reference to a Middleware resource.properties:name:description: Name defines the name of the referenced Middlewareresource.type: stringnamespace:description: Namespace defines the namespace of the referencedMiddleware resource.type: stringrequired:- nametype: objecttype: arraytype: objectcircuitBreaker:description: CircuitBreaker holds the circuit breaker configuration.properties:checkPeriod:anyOf:- type: integer- type: stringdescription: CheckPeriod is the interval between successive checksof the circuit breaker condition (when in standby state).x-kubernetes-int-or-string: trueexpression:description: Expression is the condition that triggers the trippedstate.type: stringfallbackDuration:anyOf:- type: integer- type: stringdescription: FallbackDuration is the duration for which the circuitbreaker will wait before trying to recover (from a tripped state).x-kubernetes-int-or-string: truerecoveryDuration:anyOf:- type: integer- type: stringdescription: RecoveryDuration is the duration for which the circuitbreaker will try to recover (as soon as it is in recoveringstate).x-kubernetes-int-or-string: trueresponseCode:description: ResponseCode is the status code that the circuitbreaker will return while it is in the open state.type: integertype: objectcompress:description: |-Compress holds the compress middleware configuration.This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/properties:defaultEncoding:description: DefaultEncoding specifies the default encoding ifthe `Accept-Encoding` header is not in the request or containsa wildcard (`*`).type: stringencodings:description: Encodings defines the list of supported compressionalgorithms.items:type: stringtype: arrayexcludedContentTypes:description: |-ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.`application/grpc` is always excluded.items:type: stringtype: arrayincludedContentTypes:description: IncludedContentTypes defines the list of contenttypes to compare the Content-Type header of the responses beforecompressing.items:type: stringtype: arrayminResponseBodyBytes:description: |-MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.Default: 1024.type: integertype: objectcontentType:description: |-ContentType holds the content-type middleware configuration.This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.properties:autoDetect:description: |-AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,be automatically set to a value derived from the contents of the response.Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.type: booleantype: objectdigestAuth:description: |-DigestAuth holds the digest auth middleware configuration.This middleware restricts access to your services to known users.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/properties:headerField:description: |-HeaderField defines a header field to store the authenticated user.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfieldtype: stringrealm:description: |-Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.Default: traefik.type: stringremoveHeader:description: RemoveHeader defines whether to remove the authorizationheader before forwarding the request to the backend.type: booleansecret:description: Secret is the name of the referenced Kubernetes Secretcontaining user credentials.type: stringtype: objecterrors:description: |-ErrorPage holds the custom error middleware configuration.This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/properties:query:description: |-Query defines the URL for the error page (hosted by service).The {status} variable can be used in order to insert the status code in the URL.type: stringservice:description: |-Service defines the reference to a Kubernetes Service that will serve the error page.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#serviceproperties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostname inthe Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP status codeof the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie canbe accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objectstatus:description: |-Status defines which status or range of statuses should result in an error page.It can be either a status code as a number (500),as multiple comma-separated numbers (500,502),as ranges by separating two codes with a dash (500-599),or a combination of the two (404,418,500-599).items:type: stringtype: arraytype: objectforwardAuth:description: |-ForwardAuth holds the forward auth middleware configuration.This middleware delegates the request authentication to a Service.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/properties:addAuthCookiesToResponse:description: AddAuthCookiesToResponse defines the list of cookiesto copy from the authentication server response to the response.items:type: stringtype: arrayaddress:description: Address defines the authentication server address.type: stringauthRequestHeaders:description: |-AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.If not set or empty then all request headers are passed.items:type: stringtype: arrayauthResponseHeaders:description: AuthResponseHeaders defines the list of headers tocopy from the authentication server response and set on forwardedrequest, replacing any existing conflicting headers.items:type: stringtype: arrayauthResponseHeadersRegex:description: |-AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregextype: stringtls:description: TLS defines the configuration used to secure theconnection to the authentication server.properties:caOptional:description: 'Deprecated: TLS client authentication is a serverside option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).'type: booleancaSecret:description: |-CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.The CA certificate is extracted from key `tls.ca` or `ca.crt`.type: stringcertSecret:description: |-CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.The client certificate is extracted from the keys `tls.crt` and `tls.key`.type: stringinsecureSkipVerify:description: InsecureSkipVerify defines whether the servercertificates should be validated.type: booleantype: objecttrustForwardHeader:description: 'TrustForwardHeader defines whether to trust (ie:forward) all X-Forwarded-* headers.'type: booleantype: objectgrpcWeb:description: |-GrpcWeb holds the gRPC web middleware configuration.This middleware converts a gRPC web request to an HTTP/2 gRPC request.properties:allowOrigins:description: |-AllowOrigins is a list of allowable origins.Can also be a wildcard origin "*".items:type: stringtype: arraytype: objectheaders:description: |-Headers holds the headers middleware configuration.This middleware manages the requests and responses headers.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheadersproperties:accessControlAllowCredentials:description: AccessControlAllowCredentials defines whether therequest can include user credentials.type: booleanaccessControlAllowHeaders:description: AccessControlAllowHeaders defines the Access-Control-Request-Headersvalues sent in preflight response.items:type: stringtype: arrayaccessControlAllowMethods:description: AccessControlAllowMethods defines the Access-Control-Request-Methodvalues sent in preflight response.items:type: stringtype: arrayaccessControlAllowOriginList:description: AccessControlAllowOriginList is a list of allowableorigins. Can also be a wildcard origin "*".items:type: stringtype: arrayaccessControlAllowOriginListRegex:description: AccessControlAllowOriginListRegex is a list of allowableorigins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).items:type: stringtype: arrayaccessControlExposeHeaders:description: AccessControlExposeHeaders defines the Access-Control-Expose-Headersvalues sent in preflight response.items:type: stringtype: arrayaccessControlMaxAge:description: AccessControlMaxAge defines the time that a preflightrequest may be cached.format: int64type: integeraddVaryHeader:description: AddVaryHeader defines whether the Vary header isautomatically added/updated when the AccessControlAllowOriginListis set.type: booleanallowedHosts:description: AllowedHosts defines the fully qualified list ofallowed domain names.items:type: stringtype: arraybrowserXssFilter:description: BrowserXSSFilter defines whether to add the X-XSS-Protectionheader with the value 1; mode=block.type: booleancontentSecurityPolicy:description: ContentSecurityPolicy defines the Content-Security-Policyheader value.type: stringcontentSecurityPolicyReportOnly:description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Onlyheader value.type: stringcontentTypeNosniff:description: ContentTypeNosniff defines whether to add the X-Content-Type-Optionsheader with the nosniff value.type: booleancustomBrowserXSSValue:description: |-CustomBrowserXSSValue defines the X-XSS-Protection header value.This overrides the BrowserXssFilter option.type: stringcustomFrameOptionsValue:description: |-CustomFrameOptionsValue defines the X-Frame-Options header value.This overrides the FrameDeny option.type: stringcustomRequestHeaders:additionalProperties:type: stringdescription: CustomRequestHeaders defines the header names andvalues to apply to the request.type: objectcustomResponseHeaders:additionalProperties:type: stringdescription: CustomResponseHeaders defines the header names andvalues to apply to the response.type: objectfeaturePolicy:description: 'Deprecated: FeaturePolicy option is deprecated,please use PermissionsPolicy instead.'type: stringforceSTSHeader:description: ForceSTSHeader defines whether to add the STS headereven when the connection is HTTP.type: booleanframeDeny:description: FrameDeny defines whether to add the X-Frame-Optionsheader with the DENY value.type: booleanhostsProxyHeaders:description: HostsProxyHeaders defines the header keys that mayhold a proxied hostname value for the request.items:type: stringtype: arrayisDevelopment:description: |-IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.If you would like your development environment to mimic production with complete Host blocking, SSL redirects,and STS headers, leave this as false.type: booleanpermissionsPolicy:description: |-PermissionsPolicy defines the Permissions-Policy header value.This allows sites to control browser features.type: stringpublicKey:description: PublicKey is the public key that implements HPKPto prevent MITM attacks with forged certificates.type: stringreferrerPolicy:description: |-ReferrerPolicy defines the Referrer-Policy header value.This allows sites to control whether browsers forward the Referer header to other sites.type: stringsslForceHost:description: 'Deprecated: SSLForceHost option is deprecated, pleaseuse RedirectRegex instead.'type: booleansslHost:description: 'Deprecated: SSLHost option is deprecated, pleaseuse RedirectRegex instead.'type: stringsslProxyHeaders:additionalProperties:type: stringdescription: |-SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").type: objectsslRedirect:description: 'Deprecated: SSLRedirect option is deprecated, pleaseuse EntryPoint redirection or RedirectScheme instead.'type: booleansslTemporaryRedirect:description: 'Deprecated: SSLTemporaryRedirect option is deprecated,please use EntryPoint redirection or RedirectScheme instead.'type: booleanstsIncludeSubdomains:description: STSIncludeSubdomains defines whether the includeSubDomainsdirective is appended to the Strict-Transport-Security header.type: booleanstsPreload:description: STSPreload defines whether the preload flag is appendedto the Strict-Transport-Security header.type: booleanstsSeconds:description: |-STSSeconds defines the max-age of the Strict-Transport-Security header.If set to 0, the header is not set.format: int64type: integertype: objectinFlightReq:description: |-InFlightReq holds the in-flight request middleware configuration.This middleware limits the number of requests being processed and served concurrently.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/properties:amount:description: |-Amount defines the maximum amount of allowed simultaneous in-flight request.The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).format: int64type: integersourceCriterion:description: |-SourceCriterion defines what criterion is used to group requests as originating from a common source.If several strategies are defined at the same time, an error will be raised.If none are set, the default is to use the requestHost.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterionproperties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position(starting from the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan theX-Forwarded-For header and select the first IP not inthe list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to considerall IPv6 addresses from the defined subnet as originatingfrom the same IP. Applies to RemoteAddrStrategy andDepthStrategy.type: integertype: objectrequestHeaderName:description: RequestHeaderName defines the name of the headerused to group incoming requests.type: stringrequestHost:description: RequestHost defines whether to consider the requestHost as the source.type: booleantype: objecttype: objectipAllowList:description: |-IPAllowList holds the IP allowlist middleware configuration.This middleware limits allowed requests based on the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position (startingfrom the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan the X-Forwarded-Forheader and select the first IP not in the list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to consider allIPv6 addresses from the defined subnet as originating fromthe same IP. Applies to RemoteAddrStrategy and DepthStrategy.type: integertype: objectrejectStatusCode:description: |-RejectStatusCode defines the HTTP status code used for refused requests.If not set, the default is 403 (Forbidden).type: integersourceRange:description: SourceRange defines the set of allowed IPs (or rangesof allowed IPs by using CIDR notation).items:type: stringtype: arraytype: objectipWhiteList:description: 'Deprecated: please use IPAllowList instead.'properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position (startingfrom the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan the X-Forwarded-Forheader and select the first IP not in the list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to consider allIPv6 addresses from the defined subnet as originating fromthe same IP. Applies to RemoteAddrStrategy and DepthStrategy.type: integertype: objectsourceRange:description: SourceRange defines the set of allowed IPs (or rangesof allowed IPs by using CIDR notation). Required.items:type: stringtype: arraytype: objectpassTLSClientCert:description: |-PassTLSClientCert holds the pass TLS client cert middleware configuration.This middleware adds the selected data from the passed client TLS certificate to a header.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/properties:info:description: Info selects the specific client certificate detailsyou want to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:issuer:description: Issuer defines the client certificate issuerdetails to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:commonName:description: CommonName defines whether to add the organizationalUnitinformation into the issuer.type: booleancountry:description: Country defines whether to add the countryinformation into the issuer.type: booleandomainComponent:description: DomainComponent defines whether to add thedomainComponent information into the issuer.type: booleanlocality:description: Locality defines whether to add the localityinformation into the issuer.type: booleanorganization:description: Organization defines whether to add the organizationinformation into the issuer.type: booleanprovince:description: Province defines whether to add the provinceinformation into the issuer.type: booleanserialNumber:description: SerialNumber defines whether to add the serialNumberinformation into the issuer.type: booleantype: objectnotAfter:description: NotAfter defines whether to add the Not Afterinformation from the Validity part.type: booleannotBefore:description: NotBefore defines whether to add the Not Beforeinformation from the Validity part.type: booleansans:description: Sans defines whether to add the Subject AlternativeName information from the Subject Alternative Name part.type: booleanserialNumber:description: SerialNumber defines whether to add the clientserialNumber information.type: booleansubject:description: Subject defines the client certificate subjectdetails to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:commonName:description: CommonName defines whether to add the organizationalUnitinformation into the subject.type: booleancountry:description: Country defines whether to add the countryinformation into the subject.type: booleandomainComponent:description: DomainComponent defines whether to add thedomainComponent information into the subject.type: booleanlocality:description: Locality defines whether to add the localityinformation into the subject.type: booleanorganization:description: Organization defines whether to add the organizationinformation into the subject.type: booleanorganizationalUnit:description: OrganizationalUnit defines whether to addthe organizationalUnit information into the subject.type: booleanprovince:description: Province defines whether to add the provinceinformation into the subject.type: booleanserialNumber:description: SerialNumber defines whether to add the serialNumberinformation into the subject.type: booleantype: objecttype: objectpem:description: PEM sets the X-Forwarded-Tls-Client-Cert header withthe certificate.type: booleantype: objectplugin:additionalProperties:x-kubernetes-preserve-unknown-fields: truedescription: |-Plugin defines the middleware plugin configuration.More info: https://doc.traefik.io/traefik/plugins/type: objectrateLimit:description: |-RateLimit holds the rate limit configuration.This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/properties:average:description: |-Average is the maximum rate, by default in requests/s, allowed for the given source.It defaults to 0, which means no rate limiting.The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,one needs to define a Period larger than a second.format: int64type: integerburst:description: |-Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.It defaults to 1.format: int64type: integerperiod:anyOf:- type: integer- type: stringdescription: |-Period, in combination with Average, defines the actual maximum rate, such as:r = Average / Period. It defaults to a second.x-kubernetes-int-or-string: truesourceCriterion:description: |-SourceCriterion defines what criterion is used to group requests as originating from a common source.If several strategies are defined at the same time, an error will be raised.If none are set, the default is to use the request's remote address field (as an ipStrategy).properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position(starting from the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan theX-Forwarded-For header and select the first IP not inthe list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to considerall IPv6 addresses from the defined subnet as originatingfrom the same IP. Applies to RemoteAddrStrategy andDepthStrategy.type: integertype: objectrequestHeaderName:description: RequestHeaderName defines the name of the headerused to group incoming requests.type: stringrequestHost:description: RequestHost defines whether to consider the requestHost as the source.type: booleantype: objecttype: objectredirectRegex:description: |-RedirectRegex holds the redirect regex middleware configuration.This middleware redirects a request using regex matching and replacement.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regexproperties:permanent:description: Permanent defines whether the redirection is permanent(301).type: booleanregex:description: Regex defines the regex used to match and captureelements from the request URL.type: stringreplacement:description: Replacement defines how to modify the URL to havethe new target URL.type: stringtype: objectredirectScheme:description: |-RedirectScheme holds the redirect scheme middleware configuration.This middleware redirects requests from a scheme/port to another.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/properties:permanent:description: Permanent defines whether the redirection is permanent(301).type: booleanport:description: Port defines the port of the new URL.type: stringscheme:description: Scheme defines the scheme of the new URL.type: stringtype: objectreplacePath:description: |-ReplacePath holds the replace path middleware configuration.This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/properties:path:description: Path defines the path to use as replacement in therequest URL.type: stringtype: objectreplacePathRegex:description: |-ReplacePathRegex holds the replace path regex middleware configuration.This middleware replaces the path of a URL using regex matching and replacement.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/properties:regex:description: Regex defines the regular expression used to matchand capture the path from the request URL.type: stringreplacement:description: Replacement defines the replacement path format,which can include captured variables.type: stringtype: objectretry:description: |-Retry holds the retry middleware configuration.This middleware reissues requests a given number of times to a backend server if that server does not reply.As soon as the server answers, the middleware stops retrying, regardless of the response status.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/properties:attempts:description: Attempts defines how many times the request shouldbe retried.type: integerinitialInterval:anyOf:- type: integer- type: stringdescription: |-InitialInterval defines the first wait time in the exponential backoff series.The maximum interval is calculated as twice the initialInterval.If unspecified, requests will be retried immediately.The value of initialInterval should be provided in seconds or as a valid duration format,see https://pkg.go.dev/time#ParseDuration.x-kubernetes-int-or-string: truetype: objectstripPrefix:description: |-StripPrefix holds the strip prefix middleware configuration.This middleware removes the specified prefixes from the URL path.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/properties:forceSlash:description: |-Deprecated: ForceSlash option is deprecated, please remove any usage of this option.ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.Default: true.type: booleanprefixes:description: Prefixes defines the prefixes to strip from the requestURL.items:type: stringtype: arraytype: objectstripPrefixRegex:description: |-StripPrefixRegex holds the strip prefix regex middleware configuration.This middleware removes the matching prefixes from the URL path.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/properties:regex:description: Regex defines the regular expression to match thepath prefix from the request URL.items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: middlewaretcps.traefik.iospec:group: traefik.ionames:kind: MiddlewareTCPlistKind: MiddlewareTCPListplural: middlewaretcpssingular: middlewaretcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.properties:inFlightConn:description: InFlightConn defines the InFlightConn middleware configuration.properties:amount:description: |-Amount defines the maximum amount of allowed simultaneous connections.The middleware closes the connection if there are already amount connections opened.format: int64type: integertype: objectipAllowList:description: |-IPAllowList defines the IPAllowList middleware configuration.This middleware accepts/refuses connections based on the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/properties:sourceRange:description: SourceRange defines the allowed IPs (or ranges ofallowed IPs by using CIDR notation).items:type: stringtype: arraytype: objectipWhiteList:description: |-IPWhiteList defines the IPWhiteList middleware configuration.This middleware accepts/refuses connections based on the client IP.Deprecated: please use IPAllowList instead.More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/properties:sourceRange:description: SourceRange defines the allowed IPs (or ranges ofallowed IPs by using CIDR notation).items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: serverstransports.traefik.iospec:group: traefik.ionames:kind: ServersTransportlistKind: ServersTransportListplural: serverstransportssingular: serverstransportscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-ServersTransport is the CRD implementation of a ServersTransport.If no serversTransport is specified, the default@internal will be used.The default@internal serversTransport is created from the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: ServersTransportSpec defines the desired state of a ServersTransport.properties:certificatesSecrets:description: CertificatesSecrets defines a list of secret storingclient certificates for mTLS.items:type: stringtype: arraydisableHTTP2:description: DisableHTTP2 disables HTTP/2 for connections with backendservers.type: booleanforwardingTimeouts:description: ForwardingTimeouts defines the timeouts for requestsforwarded to the backend servers.properties:dialTimeout:anyOf:- type: integer- type: stringdescription: DialTimeout is the amount of time to wait until aconnection to a backend server can be established.x-kubernetes-int-or-string: trueidleConnTimeout:anyOf:- type: integer- type: stringdescription: IdleConnTimeout is the maximum period for which anidle HTTP keep-alive connection will remain open before closingitself.x-kubernetes-int-or-string: truepingTimeout:anyOf:- type: integer- type: stringdescription: PingTimeout is the timeout after which the HTTP/2connection will be closed if a response to ping is not received.x-kubernetes-int-or-string: truereadIdleTimeout:anyOf:- type: integer- type: stringdescription: ReadIdleTimeout is the timeout after which a healthcheck using ping frame will be carried out if no frame is receivedon the HTTP/2 connection.x-kubernetes-int-or-string: trueresponseHeaderTimeout:anyOf:- type: integer- type: stringdescription: ResponseHeaderTimeout is the amount of time to waitfor a server's response headers after fully writing the request(including its body, if any).x-kubernetes-int-or-string: truetype: objectinsecureSkipVerify:description: InsecureSkipVerify disables SSL certificate verification.type: booleanmaxIdleConnsPerHost:description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)to keep per-host.type: integerpeerCertURI:description: PeerCertURI defines the peer cert URI used to match againstSAN URI during the peer certificate verification.type: stringrootCAsSecrets:description: RootCAsSecrets defines a list of CA secret used to validateself-signed certificate.items:type: stringtype: arrayserverName:description: ServerName defines the server name used to contact theserver.type: stringspiffe:description: Spiffe defines the SPIFFE configuration.properties:ids:description: IDs defines the allowed SPIFFE IDs (takes precedenceover the SPIFFE TrustDomain).items:type: stringtype: arraytrustDomain:description: TrustDomain defines the allowed SPIFFE trust domain.type: stringtype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: serverstransporttcps.traefik.iospec:group: traefik.ionames:kind: ServersTransportTCPlistKind: ServersTransportTCPListplural: serverstransporttcpssingular: serverstransporttcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-ServersTransportTCP is the CRD implementation of a TCPServersTransport.If no tcpServersTransport is specified, a default one named default@internal will be used.The default@internal tcpServersTransport can be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.properties:dialKeepAlive:anyOf:- type: integer- type: stringdescription: DialKeepAlive is the interval between keep-alive probesfor an active network connection. If zero, keep-alive probes aresent with a default value (currently 15 seconds), if supported bythe protocol and operating system. Network protocols or operatingsystems that do not support keep-alives ignore this field. If negative,keep-alive probes are disabled.x-kubernetes-int-or-string: truedialTimeout:anyOf:- type: integer- type: stringdescription: DialTimeout is the amount of time to wait until a connectionto a backend server can be established.x-kubernetes-int-or-string: trueterminationDelay:anyOf:- type: integer- type: stringdescription: TerminationDelay defines the delay to wait before fullyterminating the connection, after one connected peer has closedits writing capability.x-kubernetes-int-or-string: truetls:description: TLS defines the TLS configurationproperties:certificatesSecrets:description: CertificatesSecrets defines a list of secret storingclient certificates for mTLS.items:type: stringtype: arrayinsecureSkipVerify:description: InsecureSkipVerify disables TLS certificate verification.type: booleanpeerCertURI:description: |-MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.type: stringrootCAsSecrets:description: RootCAsSecrets defines a list of CA secret used tovalidate self-signed certificates.items:type: stringtype: arrayserverName:description: ServerName defines the server name used to contactthe server.type: stringspiffe:description: Spiffe defines the SPIFFE configuration.properties:ids:description: IDs defines the allowed SPIFFE IDs (takes precedenceover the SPIFFE TrustDomain).items:type: stringtype: arraytrustDomain:description: TrustDomain defines the allowed SPIFFE trustdomain.type: stringtype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: tlsoptions.traefik.iospec:group: traefik.ionames:kind: TLSOptionlistKind: TLSOptionListplural: tlsoptionssingular: tlsoptionscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TLSOptionSpec defines the desired state of a TLSOption.properties:alpnProtocols:description: |-ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocolsitems:type: stringtype: arraycipherSuites:description: |-CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suitesitems:type: stringtype: arrayclientAuth:description: ClientAuth defines the server's policy for TLS ClientAuthentication.properties:clientAuthType:description: ClientAuthType defines the client authenticationtype to apply.enum:- NoClientCert- RequestClientCert- RequireAnyClientCert- VerifyClientCertIfGiven- RequireAndVerifyClientCerttype: stringsecretNames:description: SecretNames defines the names of the referenced KubernetesSecret storing certificate details.items:type: stringtype: arraytype: objectcurvePreferences:description: |-CurvePreferences defines the preferred elliptic curves in a specific order.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferencesitems:type: stringtype: arraymaxVersion:description: |-MaxVersion defines the maximum TLS version that Traefik will accept.Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.Default: None.type: stringminVersion:description: |-MinVersion defines the minimum TLS version that Traefik will accept.Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.Default: VersionTLS10.type: stringpreferServerCipherSuites:description: |-PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.It is enabled automatically when minVersion or maxVersion is set.Deprecated: https://github.com/golang/go/issues/45430type: booleansniStrict:description: SniStrict defines whether Traefik allows connectionsfrom clients connections that do not specify a server_name extension.type: booleantype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: tlsstores.traefik.iospec:group: traefik.ionames:kind: TLSStorelistKind: TLSStoreListplural: tlsstoressingular: tlsstorescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TLSStore is the CRD implementation of a Traefik TLS Store.For the time being, only the TLSStore named default is supported.This means that you cannot have two stores that are named default in different Kubernetes namespaces.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-storesproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TLSStoreSpec defines the desired state of a TLSStore.properties:certificates:description: Certificates is a list of secret names, each secret holdinga key/certificate pair to add to the store.items:description: Certificate holds a secret name for the TLSStore resource.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objecttype: arraydefaultCertificate:description: DefaultCertificate defines the default certificate configuration.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objectdefaultGeneratedCert:description: DefaultGeneratedCert defines the default generated certificateconfiguration.properties:domain:description: Domain is the domain definition for the DefaultCertificate.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domain names.items:type: stringtype: arraytype: objectresolver:description: Resolver is the name of the resolver that will beused to issue the DefaultCertificate.type: stringtype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: traefikservices.traefik.iospec:group: traefik.ionames:kind: TraefikServicelistKind: TraefikServiceListplural: traefikservicessingular: traefikservicescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TraefikService is the CRD implementation of a Traefik Service.TraefikService object allows to:- Apply weight to Services on load-balancing- Mirror traffic on servicesMore info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikserviceproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TraefikServiceSpec defines the desired state of a TraefikService.properties:mirroring:description: Mirroring defines the Mirroring service configuration.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sent tothe health check endpoint.type: objecthostname:description: Hostname defines the value of hostname in theHost header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for the healthcheck endpoint.type: stringport:description: Port defines the server URL port for the healthcheck endpoint.type: integerscheme:description: Scheme replaces the server URL scheme for thehealth check endpoint.type: stringstatus:description: Status defines the expected HTTP status codeof the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringmaxBodySize:description: |-MaxBodySize defines the maximum size allowed for the body of the request.If the body is larger, the request is not mirrored.Default value is -1, which means unlimited size.format: int64type: integermirrorBody:description: |-MirrorBody defines whether the body of the request should be mirrored.Default value is true.type: booleanmirrors:description: Mirrors defines the list of mirrors where Traefikwill duplicate the traffic.items:description: MirrorService holds the mirror configuration.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanpercent:description: |-Percent defines the part of the traffic to mirror.Supported values: 0 to 100.type: integerport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwards theresponse from the upstream Kubernetes Service to the client.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie can beaccessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie can onlybe transmitted over an encrypted connection (i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objectweighted:description: Weighted defines the Weighted Round Robin configuration.properties:services:description: Services defines the list of Kubernetes Service and/orTraefikService to load-balance, with weight.items:description: Service defines an upstream HTTP service to proxytraffic to.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysticky:description: |-Sticky defines whether sticky sessions are enabled.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancingproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie can beaccessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie can onlybe transmitted over an encrypted connection (i.e. HTTPS).type: booleantype: objecttype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true
Resources
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: wrr2
namespace: default
spec:
weighted:
services:
- name: s1
weight: 1
port: 80
# Optional, as it is the default value
kind: Service
- name: s3
weight: 1
port: 80
---
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: wrr1
namespace: default
spec:
weighted:
services:
- name: wrr2
kind: TraefikService
weight: 1
- name: s3
weight: 1
port: 80
---
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: mirror1
namespace: default
spec:
mirroring:
name: s1
port: 80
mirrors:
- name: s3
percent: 20
port: 80
- name: mirror2
kind: TraefikService
percent: 20
---
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: mirror2
namespace: default
spec:
mirroring:
name: wrr2
kind: TraefikService
mirrorBody: true
# Optional
maxBodySize: 2000000000
mirrors:
- name: s2
# Optional, as it is the default value
kind: Service
percent: 20
port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
- websecure
routes:
- match: Host(`example.net`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
# defining several services is possible and allowed, but for now the servers of
# all the services (for a given route) get merged altogether under the same
# load-balancing strategy.
services:
- name: s1
port: 80
# strategy defines the load balancing strategy between the servers. It defaults
# to Round Robin, and for now only Round Robin is supported anyway.
strategy: RoundRobin
- name: s2
port: 433
serversTransport: mytransport
- match: PathPrefix(`/misc`)
kind: Rule
services:
- name: s3
port: 80
middlewares:
- name: stripprefix
- name: addprefix
- match: PathPrefix(`/misc`)
kind: Rule
services:
- name: s3
# Optional, as it is the default value
kind: Service
port: 8443
# scheme allow to override the scheme for the service. (ex: https or h2c)
scheme: https
- match: PathPrefix(`/lb`)
kind: Rule
services:
- name: wrr1
kind: TraefikService
- match: PathPrefix(`/mirrored`)
kind: Rule
services:
- name: mirror1
kind: TraefikService
# use an empty tls object for TLS with Let's Encrypt
tls:
secretName: supersecret
options:
name: my-tls-option
namespace: default
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcp.crd
namespace: default
spec:
entryPoints:
- footcp
routes:
- match: HostSNI(`example.com`)
services:
- name: whoamitcp
port: 8080
serversTransport: mytransporttcp
middlewares:
- name: ipallowlist
tls:
secretName: foosecret
passthrough: false
options:
name: my-tls-option
namespace: default
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: ingressrouteudp.crd
namespace: default
spec:
entryPoints:
- footcp
routes:
- services:
- name: whoamiudp
port: 8080
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: tlsoption
namespace: default
spec:
minVersion: foobar
maxVersion: foobar
cipherSuites:
- foobar
- foobar
curvePreferences:
- foobar
- foobar
clientAuth:
secretNames:
- foobar
- foobar
clientAuthType: RequireAndVerifyClientCert
sniStrict: true
alpnProtocols:
- foobar
- foobar
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: mytransport
namespace: default
spec:
serverName: foobar
insecureSkipVerify: true
rootCAsSecrets:
- foobar
- foobar
certificatesSecrets:
- foobar
- foobar
peerCertURI: foobar
maxIdleConnsPerHost: 1
forwardingTimeouts:
dialTimeout: 42s
responseHeaderTimeout: 42s
idleConnTimeout: 42s
disableHTTP2: true
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransporttcp
namespace: default
spec:
serverName: foobar
insecureSkipVerify: true
rootCAsSecrets:
- foobar
- foobar
certificatesSecrets:
- foobar
- foobar
peerCertURI: foobar
dialTimeout: 42s
dialKeepAlive: 42s
RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There’s no rip and replace and all configurations remain intact. See it in action via this short video.
